Popular video conferencing app Zoom recently fixed a new security flaw that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants.
Zoom meetings are by default protected by a six-digit numeric password, but according to Tom Anthony, VP Product at SearchPilot who identified the issue, the lack of rate limiting enabled “an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”
It’s worth noting that Zoom began requiring a passcode for all meetings back in April as a preventive measure against Zoom-bombing, the practice of joining Zoom meetings uninvited in order to disrupt and hijack them with obscene and racist content.
Anthony reported the security issue to the company on April 1, 2020, together with a Python-based proof-of-concept script; Zoom patched the flaw about a week later, on April 9.
The fact that meetings were, by default, secured by a six-digit numeric code meant there were at most one million possible passcodes.
But in the absence of any check for repeated incorrect passcode attempts, an attacker…
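The mechanics behind the flaw, as an added example that is not Zoom’s code and not Anthony’s proof-of-concept script: a hypothetical server-side passcode check in Python, run against a brute-force loop over the full six-digit keyspace, once with no attempt limit and once with a lockout after a few consecutive failures. The meeting ID, passcode, failure threshold and lockout period are all invented for the illustration.

```python
import hmac
import time
from collections import defaultdict

# Six decimal digits: "000000" .. "999999", i.e. at most one million candidates.
KEYSPACE = 10 ** 6


class MeetingPasscodeVerifier:
    """Hypothetical server-side passcode check for a meeting join request.

    Illustrative code, not Zoom's implementation. With max_failures=None it
    behaves like the unprotected endpoint the article describes: each wrong
    guess is rejected and the caller may try again immediately. With
    max_failures set, the meeting is locked for lockout_seconds once that many
    consecutive failures accumulate.
    """

    def __init__(self, passcodes, max_failures=None, lockout_seconds=300,
                 clock=time.monotonic):
        self._passcodes = dict(passcodes)       # meeting_id -> passcode (made-up data)
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._clock = clock                     # injectable so tests can advance time
        self._failures = defaultdict(int)       # meeting_id -> consecutive failures
        self._locked_until = {}                 # meeting_id -> clock deadline

    def check(self, meeting_id, candidate):
        """Return "ok", "wrong" or "locked" for one join attempt."""
        now = self._clock()
        if now < self._locked_until.get(meeting_id, 0):
            return "locked"
        expected = self._passcodes.get(meeting_id)
        # Constant-time compare so response timing does not leak how many
        # leading digits of the guess were right.
        if expected is not None and hmac.compare_digest(expected, candidate):
            self._failures[meeting_id] = 0
            return "ok"
        self._failures[meeting_id] += 1
        if (self._max_failures is not None
                and self._failures[meeting_id] >= self._max_failures):
            self._failures[meeting_id] = 0
            self._locked_until[meeting_id] = now + self._lockout_seconds
            return "locked"
        return "wrong"


def brute_force(verifier, meeting_id):
    """Try every six-digit passcode in ascending order, as an attacker facing
    no rate limit could. Returns (passcode, attempts) on success, or
    (None, attempts) once the verifier locks the meeting or the keyspace is
    exhausted."""
    for n in range(KEYSPACE):
        candidate = f"{n:06d}"
        result = verifier.check(meeting_id, candidate)
        if result == "ok":
            return candidate, n + 1
        if result == "locked":
            return None, n + 1
    return None, KEYSPACE


def worst_case_seconds(max_failures, lockout_seconds):
    """Upper bound on the time to exhaust the keyspace when each lockout window
    permits max_failures guesses: the attacker gets max_failures tries per
    lockout_seconds, so the whole keyspace needs KEYSPACE / max_failures windows."""
    return (KEYSPACE // max_failures) * lockout_seconds


if __name__ == "__main__":
    # Constructed sample data: the meeting ID and passcode are made up.
    passcodes = {"123-456-7890": "482913"}

    unlimited = MeetingPasscodeVerifier(passcodes)
    print("no rate limit:", brute_force(unlimited, "123-456-7890"))
    # -> ('482913', 482914): the attacker simply walks the keyspace

    limited = MeetingPasscodeVerifier(passcodes, max_failures=5, lockout_seconds=300)
    print("5 failures per 5 minutes:", brute_force(limited, "123-456-7890"))
    # -> (None, 5): locked out after five guesses

    print("worst case under that limit:", worst_case_seconds(5, 300))
    # -> 60000000 seconds, roughly 694 days rather than minutes
```

Two design points worth noting. The lock is keyed per meeting rather than per source address, because an attacker with many IP addresses would otherwise spread the million guesses across them; the cost is that anyone who knows a meeting ID can lock legitimate participants out by deliberately failing, which is why a per-meeting lock is normally paired with per-source limits and, above all, a larger keyspace than six digits. The constant-time comparison is a separate hardening step: it does not change the keyspace, but it removes a timing signal that would let an attacker confirm digits one at a time instead of guessing whole codes.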