Zoom security flaw meant random people could have spied on your calls

Bug could have been used to snoop on virtual cabinet meeting, researcher suggests

Anthony Cuthbertson
Thursday 30 July 2020 13:16

A security flaw with Zoom meant hackers could enter password-protected calls "in a matter of minutes", a researcher has revealed.

The issue stemmed from a lack of limits on the number of times a password could be attempted on private meetings.

Video chats were protected by default by a six-digit password, meaning there were only 1 million possible combinations. With no limit on attempts, an attacker could therefore try every combination relatively quickly and easily.
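As an added illustration, not Zoom's own code or anything from Mr Anthony's write-up, the following shows a meeting passcode check with the kind of per-client attempt limit the article says was absent; the limit of five failures per 15-minute window, the class and function names and the sample meeting passcode are all assumptions made for the example.

```python
"""Added example, not Zoom's own code: a rate-limited meeting passcode check
of the kind the article says was missing.  A six-digit passcode has only
10**6 values, so the per-client attempt limit, not the passcode, is the defence."""
import hmac
import time
from collections import defaultdict

PASSCODE_SPACE = 10 ** 6      # six decimal digits, as in the article
MAX_FAILURES = 5              # assumed: failed guesses allowed per client per window
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window


class PasscodeGate:
    """Counts failed join attempts per (meeting, client) and refuses further
    attempts once the limit is hit, even when a later guess is correct."""

    def __init__(self, passcodes, clock=time.monotonic):
        self._passcodes = passcodes          # meeting_id -> passcode (sample data)
        self._clock = clock                  # injectable for testing
        self._failures = defaultdict(list)   # (meeting, client) -> failure times

    def _recent_failures(self, key):
        cutoff = self._clock() - LOCKOUT_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def try_join(self, meeting_id, client_id, guess):
        """Return 'ok', 'wrong' or 'locked'."""
        key = (meeting_id, client_id)
        if len(self._recent_failures(key)) >= MAX_FAILURES:
            return "locked"
        expected = self._passcodes.get(meeting_id, "")
        # Constant-time comparison so response timing leaks nothing about the passcode.
        if expected and hmac.compare_digest(expected.encode(), str(guess).encode()):
            return "ok"
        self._failures[key].append(self._clock())
        return "wrong"


def worst_case_seconds_for_one_client(max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
    """Seconds a single client would need to try every passcode once it is
    limited to max_failures guesses per lockout window (rough ceiling)."""
    windows = -(-PASSCODE_SPACE // max_failures)   # ceiling division
    return windows * lockout
```

A per-client limit only slows a single source, so a production check should also cap the total failures per meeting across all clients.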

The vulnerability was discovered by Tom Anthony, vice president of Product at SEO firm SearchPilot, who first reported it to Zoom on 1 April.

Details of the exploit were only publicly disclosed on Wednesday, though Zoom said that the issue was mitigated on 9 April, meaning any calls after that date were no longer vulnerable.

There is no evidence that the security flaw was used by hackers, but the nature of such attacks means it would be nearly impossible to find out.

Video conference app Zoom has been used for cabinet meetings by the UK government during the coronavirus lockdown

Mr Anthony suggests it could have been used in highly confidential meetings that took place over the video chat platform during lockdown measures introduced in late March to contain the coronavirus pandemic.

"On 31 March, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID," Mr Anthony wrote in a blog post detailing the bug.

"I noted in Boris Johnson's screenshot that there is a user simply called 'iPhone' that is muted with the camera off. It got me wondering whether this flaw has previously been found - if I could discover it then it seems plausible that others could too, which makes this bug particularly worrisome."

A list of participants in the UK cabinet meeting held over Zoom on 31 March.

It is the latest in a series of issues with the platform, which saw a trend known as 'Zoombombing' emerge in March and April, whereby people would enter video calls uninvited.

In the most severe instances, participants were subjected to footage of child sex abuse.

In response to the latest disclosure, a spokesperson for Zoom told The Independent: “Upon learning of this issue we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations.

"We have since improved rate limiting... and relaunched the web client on 9 April. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild."
