The Zoom videoconferencing application grew enormously during the pandemic, but ran into security problems at its peak in users. One of these flaws was quite simple and concerned the meeting password system, according to a report released by security expert Tom Anthony, who works at the search firm SearchPilot.
In a post on his website, Anthony explains that he was able to discover and prove a vulnerability in the passwords used to protect Zoom meetings. In April, when the problem was discovered, the rooms could be accessed by anyone who knew the numerical combination, which had a maximum of six digits.
A six-digit numeric password gives only about a million possible combinations to protect a meeting. That number may be enough to wear out a nosy human, but a hacker can easily get past the barrier with brute-force attack software.
Discovering the password in minutes
During his test, the security expert used a program written in Python to discover the password for a room. The result? After about 28 minutes, the software had found the combination that protected the meeting.
“With improved segmentation and distribution between 4-5 cloud servers, you can check the entire space of combinations in a few minutes,” said the expert. After verifying the vulnerability, Tom Anthony reported the security breach to Zoom on April 1.
The following day, the company suspended its web service and began making changes to improve meeting security, a process that lasted approximately a week. In addition to making passwords longer and adding support for extra characters, the company also made it mandatory to log in to a Zoom account to use the web version of the service.
“With these fixes, the problem was fully resolved and no user action was required,” said Zoom. “We are not aware that this vulnerability has been exploited in any way.”
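To make the numbers in the article concrete, the following added example (not code from Anthony's write-up or from Zoom) computes the keyspace of a password policy and the worst-case time to exhaust it, using a guess rate derived from the reported figures (about a million six-digit codes in roughly 28 minutes; the assumption is a uniform rate). It also sketches a server-side attempt limiter keyed by meeting ID rather than by client address, since a guesser spread across several cloud servers defeats per-address limits; the `AttemptLimiter` class and its thresholds are illustrative assumptions, not Zoom's implementation.

```python
from collections import defaultdict


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords for a fixed alphabet and length."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Worst-case hours to try every password at a sustained guess rate."""
    return space / attempts_per_second / 3600


# Guess rate implied by the article: ~10^6 six-digit codes in ~28 minutes.
# Assumption: the rate was uniform over the whole run.
ARTICLE_RATE = 10**6 / (28 * 60)


class AttemptLimiter:
    """Illustrative server-side throttle: after `max_failures` wrong passwords
    for one meeting within `window_seconds`, further attempts are refused.
    Keyed by meeting ID so that distributing guesses across many client
    addresses does not raise the effective rate."""

    def __init__(self, max_failures: int, window_seconds: int):
        self.max_failures = max_failures
        self.window = window_seconds
        # meeting_id -> timestamps of recent failed attempts
        self.failures = defaultdict(list)

    def allow(self, meeting_id: str, now: float) -> bool:
        recent = [t for t in self.failures[meeting_id] if now - t < self.window]
        self.failures[meeting_id] = recent
        return len(recent) < self.max_failures

    def record_failure(self, meeting_id: str, now: float) -> None:
        self.failures[meeting_id].append(now)


def max_guesses_per_second(limiter: AttemptLimiter) -> float:
    """Upper bound on the guess rate the limiter permits for one meeting."""
    return limiter.max_failures / limiter.window


if __name__ == "__main__":
    six_digits = keyspace(10, 6)
    print(f"6 digits: {six_digits:,} codes, "
          f"{hours_to_exhaust(six_digits, ARTICLE_RATE):.2f} h at the article's rate")
    longer = keyspace(62, 10)  # 10 characters, letters and digits
    print(f"10 alphanumerics: {longer:.2e} codes, "
          f"{hours_to_exhaust(longer, ARTICLE_RATE):.2e} h at the same rate")
    limiter = AttemptLimiter(max_failures=5, window_seconds=3600)
    print(f"throttled: {hours_to_exhaust(six_digits, max_guesses_per_second(limiter)):.0f} h")
```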