
In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings. All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual admission of participants, these 9-10-11 digits were the only thing that secured your meeting, i.e. prevented an unauthorized person from connecting to it.

The first thing we did was pre-generate the list of potentially valid Zoom Meeting IDs. We took 1000 “random” Meeting IDs and prepared the URL string for joining the meeting for each of them. We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success compared to pure brute force.

We contacted Zoom on J as part of a responsible disclosure process and proposed the following mitigations:
1. Re-implement the generation algorithm of Meeting IDs.
2. Replace the randomization function with a cryptographically strong one.
3. Increase the number of digits/symbols in the Meeting IDs.
4. Force hosts to use passwords/PINs/SSO for authorization purposes.

Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes that were introduced to the Zoom client/infrastructure following our disclosure: Passwords are added by default to all future scheduled meetings. Users can add a password to already-scheduled future meetings and receive instructions by email on how to do so.

Tech Keep-Teaching Assistants (TechKTA) are UIT student workers who have been trained by Academic Technology to assist faculty with various aspects of teaching in Zoom, freeing faculty to focus on content and delivery.

*Zoom is temporarily limiting direct user support until the end of June. At this time, please contact the Service Desk, not Zoom directly. Get the help and information you need on a variety of topics by browsing our comprehensive list of learning and support resources from Zoom and UIT, as well as live and recorded training opportunities offered by Zoom.