Researchers at Check Point have disclosed a serious flaw in the popular video conferencing service Zoom. An attacker could eavesdrop on meetings, gaining access to the audio, the video and any documents the participants shared with each other.
Zoom is used by approximately 60% of Fortune 500 companies (Fortune's ranking of the 500 largest US corporations by revenue).
The researchers found that attackers could abuse the way Zoom generates the URLs for its virtual meeting rooms. A meeting is identified by a numeric meeting ID, and it is this ID that grants participants access to the meeting. Such IDs are typically 9 to 11 digits long and are embedded in the join link, for example https://zoom.us/j/93XXX9XXX5.
According to the Check Point Research team, an attacker could pre-generate a long list of candidate meeting IDs and then quickly check which of them were valid. If an ID was valid and the meeting was not password protected, the attacker could join it and observe everything that happened in it.
Because the IDs can only be guessed at random, the technique cannot be aimed at a specific organization. Once attackers stumble on an interesting "room", however, they can keep returning to it until a password is set.
The researchers first contacted Zoom on July 22, 2019 to report the problem. Check Point then worked with Zoom on a series of patches and updates to address the findings.
As a result, Zoom resolved the issues and introduced the following security measures:
- Default passwords: a password is now added by default to all future scheduled meetings.
- User-added passwords: users can add a password to already scheduled meetings and receive instructions by email on how to do so.
- Meeting ID validation: Zoom no longer automatically indicates whether a meeting ID is valid or invalid. For each attempt, the page loads and a join is attempted, so an attacker can no longer quickly test large numbers of IDs and jump into the conferences that turn up.
- Device blocking: repeated attempts to scan for meeting IDs cause the device to be blocked for a period of time.
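The following Python simulation, added here as an illustration and not code from Check Point or Zoom, shows why the enumeration described above worked and how two of the listed mitigations (a uniform join response and a lockout after repeated probes) defeat it. The meeting table, the "leaky" and "hardened" join handlers and the lockout threshold are all constructed for the example; Zoom has not published its real threshold.

```python
"""Simulation of meeting-ID enumeration and of two mitigations.

Everything here is a stand-in built for this example: the meeting IDs are
invented, and the two join handlers model the behaviour the article
describes rather than Zoom's actual implementation.
"""
import random

# Constructed sample of scheduled meetings: meeting ID -> password protected?
# These are made-up IDs in the 9-11 digit format, not real Zoom meetings.
MEETINGS = {
    "931239155": False,    # 9 digits, no password
    "9312391550": True,    # 10 digits, password protected
    "93123915500": False,  # 11 digits, no password
}


def random_meeting_id(rng):
    """Produce a random candidate ID of 9, 10 or 11 digits (no leading zero)."""
    length = rng.choice((9, 10, 11))
    return str(rng.randint(10 ** (length - 1), 10 ** length - 1))


def search_space_size():
    """Number of distinct 9-, 10- and 11-digit IDs an attacker could guess."""
    return sum(9 * 10 ** (n - 1) for n in (9, 10, 11))


# --- Pre-fix behaviour: the join page reveals whether the ID exists ----------
def leaky_status(meeting_id):
    """Model of the old behaviour: the response itself tells the attacker
    whether the ID is invalid, valid-but-protected, or open to join."""
    if meeting_id not in MEETINGS:
        return "invalid"
    return "password" if MEETINGS[meeting_id] else "open"


def enumerate_open_meetings(status_fn, candidates):
    """Attacker loop: keep the IDs the oracle reports as joinable without a password."""
    return [mid for mid in candidates if status_fn(mid) == "open"]


# --- Post-fix behaviour: uniform response plus per-client lockout -----------
class HardenedJoinServer:
    # Assumed threshold for the example; the real value is not public.
    LOCKOUT_THRESHOLD = 5

    def __init__(self):
        self.attempts = {}
        self.blocked = set()

    def status(self, client, meeting_id):
        """Every probe gets the same answer, valid ID or not, and a client
        that keeps probing is blocked for the rest of this simulation."""
        if client in self.blocked:
            return "blocked"
        self.attempts[client] = self.attempts.get(client, 0) + 1
        if self.attempts[client] > self.LOCKOUT_THRESHOLD:
            self.blocked.add(client)
            return "blocked"
        # The page loads and a join is attempted regardless of validity, so
        # the attacker learns nothing from this response alone.
        return "joining"


def hardened_enumeration_outcome(server, client, candidates):
    """Run the same attacker loop against the hardened server and summarise
    what it learns: how many probes looked identical, and when it got blocked."""
    responses = [server.status(client, mid) for mid in candidates]
    return {
        "joining": responses.count("joining"),
        "blocked": responses.count("blocked"),
        "distinguishable": len(set(responses) - {"blocked"}) > 1,
    }


if __name__ == "__main__":
    rng = random.Random(2020)
    candidates = [random_meeting_id(rng) for _ in range(20)] + list(MEETINGS)
    print("search space:", search_space_size())
    print("pre-fix, open meetings found:",
          enumerate_open_meetings(leaky_status, candidates))
    print("post-fix outcome:",
          hardened_enumeration_outcome(HardenedJoinServer(), "attacker", candidates))
```

Against the leaky handler the loop picks out exactly the unprotected meetings; against the hardened one every reply looks the same until the client is blocked, so bulk scanning yields nothing even before the lockout triggers. Default passwords close the remaining gap: even a correctly guessed ID no longer lets the attacker in.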