

In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings. All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn't enabled the "Require meeting password" option or enabled Waiting Room, which allows manual admission of participants, these 9-10-11 digits were the only thing that secured your meeting, i.e. prevented an unauthorized person from connecting to it.

The first thing we did was pre-generate the list of potentially valid Zoom Meeting IDs. We took 1000 "random" Meeting IDs and prepared the URL string for joining the meeting here as well:

    ... url))
else:
    print('Invalid Meeting ID')

We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success compared to pure brute force.

We contacted Zoom on J… as part of a responsible disclosure process and proposed the following mitigations:

1. Re-implement the generation algorithm of Meeting IDs.
2. Replace the randomization function with a cryptographically strong one.
3. Increase the number of digits\symbols in the Meeting IDs.
4. Force hosts to use passwords\PINs\SSO for authorization purposes.

Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes that were introduced to the Zoom client\infrastructure following our disclosure:

For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
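The mitigations above, as an added Python example that is not code from this write-up or from Zoom: a hypothetical meeting registry that draws IDs from a CSPRNG, requires a passcode, and returns the same answer for an unknown ID as for a wrong passcode, plus a helper giving the per-guess hit rate of pure brute force against uniformly random IDs for comparison with the ~4% prediction rate. The class and function names are my own assumptions.

```python
import hmac
import secrets

# Meeting IDs are 9, 10 or 11 decimal digits, as described in the write-up.
ID_LENGTHS = (9, 10, 11)


def uniform_hit_rate(digits: int, active_meetings: int) -> float:
    """Probability that one guess hits an active meeting when IDs are drawn
    uniformly from the `digits`-digit space (the pure brute-force baseline
    against which the ~4% prediction rate is compared)."""
    return active_meetings / 10 ** digits


class MeetingRegistry:
    """Hypothetical registry modelling the defender-side mitigations."""

    def __init__(self) -> None:
        self._meetings: dict[str, str] = {}  # meeting_id -> passcode

    def create_meeting(self, passcode: str, digits: int = 11) -> str:
        if digits not in ID_LENGTHS:
            raise ValueError("meeting ID must be 9, 10 or 11 digits")
        if not passcode:
            raise ValueError("a passcode is mandatory (mitigation 4)")
        while True:
            # secrets.randbelow is backed by the OS CSPRNG (mitigation 2);
            # zero-pad so the ID always has exactly `digits` characters.
            meeting_id = str(secrets.randbelow(10 ** digits)).zfill(digits)
            if meeting_id not in self._meetings:  # avoid ID collisions
                self._meetings[meeting_id] = passcode
                return meeting_id

    def join(self, meeting_id: str, passcode: str) -> bool:
        """True only for a known ID with the matching passcode.

        An unknown ID and a wrong passcode both return the same False, so the
        response cannot be used as an oracle to tell valid IDs from invalid
        ones (the behaviour change Zoom introduced after disclosure).
        """
        expected = self._meetings.get(meeting_id)
        # Always run the comparison so both failure paths do the same work.
        matched = hmac.compare_digest((expected or "").encode(), passcode.encode())
        return matched and expected is not None
```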
