科技回声 (Tech Echo): a tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Zoom Security Exploit: Cracking private meeting passwords

419 points, by TomAnthony, almost 5 years ago

16 comments

netsectoday, almost 5 years ago
I believe Zoom's continued struggle represents the state of software development in 2020.

1. Are you a software engineer?

2. How many "security" tickets have you been assigned in your career?

3. Has your employer ever paid for security training for you? (And I'm not talking about annoying PowerPoint websites that teach you how to identify phishing emails.)

4. Has your organization ever run a blue team / red team exercise?

5. Who is in charge of APPLICATION SECURITY at your company? (Not network security, or database security, but actual APPLICATION-level vulns.)

6. Does your organization scan for outdated dependencies? (Do you uncover CVEs in your software on your own, or do you check how bad things are when the news tells you something big happened and might be in your stack?)

7. Are you running a web application, and have you implemented ANY security headers?

8. Did your business unit mandate that "we support all browsers", so they still have you running on TLS v1.1? (Who tf knows, or cares, am I right?)

9. Do you use the software you built? (Is your personal information in the database, along with legitimate usage stats, and possibly sensitive information you'd like to protect, or do you just write the code and deploy into the void?)

10. Do you have access to the production systems or database? (Most likely the answer is NO, so you wouldn't know about brute-force attacks, invalid requests, corrupted data, or other anomalies the developers should have their eyes on.)

My diagnosis: the profession of software development is a victim of a hostile takeover by product managers, pushing engineers out of control of their domain.

My recommendation: use the least amount of software you can get by with, and assume it's compromised.
Naac, almost 5 years ago
> 9th April – Heard from the Zoom team that this was mitigated.
> 16th April – Heard they were working on updated bug bounty program.
> 15th June – Requested update on BB program. No reply.
> 8th July – Asked again if I could submit this for bounty. No reply.
> 29th July – Disclosure.

It's disappointing that Zoom never got back to you regarding the bounty.
ziddoap, almost 5 years ago
> In other testing, I found that Zoom has a maximum password length of 10 characters, and whilst it accepts non-ASCII characters (such as ü, €, á) it converts them all to ? after you save the password

A maximum password length of 10 chars, and auto-converting non-ASCII to '?', are both extremely egregious password practices. Why does it not surprise me that Zoom is doing both? I wonder if they also silently truncate passwords > 10 chars?

These are absolute basics. Let alone not rate limiting and the laundry list of other terrible (lack of) security practices.
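The comment above describes two password-handling defects: an ASCII coercion that turns every non-ASCII character into '?', and a length cap that may be enforced by silent truncation. The following is an added example, written for this page and not Zoom's code, that reproduces the lossy coercion next to a hardened form (NFC normalisation plus UTF-8, explicit rejection of over-long input, salted PBKDF2 and constant-time comparison). The 10-character cap and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_PASSWORD_CHARS = 10  # constructed: the 10-character cap the comment describes


def lossy_normalize(password: str) -> bytes:
    """Reproduces the failure mode: coerce to ASCII and substitute '?' for
    anything that does not fit. Every non-ASCII code point collapses to the
    same byte, so distinct passwords become indistinguishable.
    (Constructed illustration of the behaviour, not Zoom's code.)"""
    return password.encode("ascii", errors="replace")


def safe_normalize(password: str) -> bytes:
    """Hardened form: NFC-normalise so visually identical inputs (a precomposed
    ü versus u + combining diaeresis) compare equal, then encode as UTF-8 so
    every code point survives intact."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def validate_length(password: str, max_chars: int = MAX_PASSWORD_CHARS) -> str:
    """Enforce the cap on the normalised string and reject over-long input
    explicitly instead of silently truncating it."""
    normalised = unicodedata.normalize("NFC", password)
    if len(normalised) > max_chars:
        raise ValueError(f"password exceeds {max_chars} characters")
    return normalised


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the safely normalised bytes (stdlib only).
    A fresh random salt is drawn when none is supplied."""
    validate_length(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", safe_normalize(password), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(lossy_normalize("ü€á"), lossy_normalize("ö£é"))  # both collapse to b'???'
    print(safe_normalize("ü€á") != safe_normalize("ö£é"))  # True: entropy preserved
    salt, digest = hash_password("Ω-pässwd")
    print(verify_password("Ω-pässwd", salt, digest), verify_password("O-passwd", salt, digest))
```

The design point is that the normalisation step must be lossless: `lossy_normalize` maps "ü€á" and "ö£é" to the same three bytes, so the effective keyspace shrinks to whatever ASCII remains, whereas `safe_normalize` keeps the inputs distinct while still treating canonically equivalent Unicode forms as the same password.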
black3r, almost 5 years ago
Rate limiting login attempts is a basic security principle that's both easy to implement and not overly intrusive. This once again confirms that Zoom just doesn't care about having a secure platform at all.
rkagerer, almost 5 years ago
It's unconscionable they still hadn't implemented any sort of rate limiting.

It should have been there from day one. For the protection of their customers, and their own infrastructure. After the string of "zoombombings", it should have been a top priority and received ongoing attention from their CEO until implemented.

When I began using the platform, I assumed the randomly generated meeting numbers were buttressed by adequate account and connection attempt monitoring on their back end to make them "secure enough". After finding reason to suspect otherwise 5 months ago, I contacted Zoom about it twice and never received a response (from what I can tell support is overwhelmed and tickets even for serious issues like security breaches and billing errors can take months to hit human eyes).

The password-in-the-link approach felt to me like security theatre. Yes, it adds value, but really doesn't amount to anything more than a bit of additional URL obfuscation (particularly given the length and character limitations), unless you're distributing passwords separately - which can be onerous for attendees.

Hats off to this researcher for forcing the issue and finally incentivizing the company to work on cleaning up their act. But it makes me worry about where else in their platform they took shortcuts. They've really nailed the "frictionless" part (and I commend them for that) but I'm convinced you can achieve a friendly user experience while still maintaining a basic level of security.
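Both black3r's and rkagerer's comments come down to the absence of rate limiting on join attempts. The following is an added example, not code from the page or from Zoom, of the kind of limiter a meeting service could put in front of the password check. It keys failures on the meeting ID as well as on the client source, so that spreading guesses across many sources does not escape the cap, and it uses a sliding window with a lockout. The thresholds (10 failures per 5 minutes, 15-minute lockout), the meeting IDs and the addresses are constructed values; `FakeClock` exists only so the demonstration runs deterministically.

```python
import time
from collections import defaultdict, deque


class JoinAttemptLimiter:
    """Sliding-window limiter for meeting-join attempts (constructed example).

    Two keys are tracked for every failure: ("meeting", id) so that a guess
    stream spread over many sources still trips the cap, and ("source", addr)
    so that one abusive client is cut off from every meeting. A key is locked
    once it accumulates more than max_attempts failures inside window_seconds.
    """

    def __init__(self, max_attempts=10, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> monotonic time the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key):
        until = self._locked_until.get(key)
        return until is not None and self.clock() < until

    def allow(self, meeting_id, source):
        """Call before checking the password; False means refuse without checking."""
        return not (self.is_locked(("meeting", meeting_id))
                    or self.is_locked(("source", source)))

    def record_failure(self, meeting_id, source):
        now = self.clock()
        for key in (("meeting", meeting_id), ("source", source)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) > self.max_attempts:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()

    def record_success(self, meeting_id, source):
        # A correct password clears the source's slate; the meeting counter is
        # kept so that interleaved legitimate joins do not reset it.
        self._failures.pop(("source", source), None)


class FakeClock:
    """Deterministic stand-in for time.monotonic, used only by the demo."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Constructed scenario: one source fires 30 wrong passwords at one second
    intervals, then eleven different sources each guess once at another meeting."""
    clock = FakeClock()
    lim = JoinAttemptLimiter(max_attempts=10, window_seconds=300,
                             lockout_seconds=900, clock=clock)
    allowed = blocked = 0
    for _ in range(30):
        clock.advance(1)
        if lim.allow("123-456-789", "198.51.100.7"):
            allowed += 1
            lim.record_failure("123-456-789", "198.51.100.7")
        else:
            blocked += 1
    # While locked, even a different source cannot hammer the same meeting.
    locked_during = not lim.allow("123-456-789", "203.0.113.5")
    clock.advance(900)
    after_lockout = lim.allow("123-456-789", "203.0.113.5")
    # Distributed guessing: one failure from each of eleven sources.
    for i in range(11):
        lim.record_failure("987-654-321", f"192.0.2.{i}")
    distributed_locked = not lim.allow("987-654-321", "192.0.2.99")
    return {"allowed": allowed, "blocked": blocked, "locked_during": locked_during,
            "after_lockout": after_lockout, "distributed_locked": distributed_locked}


if __name__ == "__main__":
    print(run_demo())
```

In the demo only 11 of the 30 single-source attempts reach the password check; the remaining 19 are refused before any comparison happens, the meeting stays closed to other sources for the lockout period, and the eleven-source sweep trips the meeting-level key even though no single source exceeded one failure.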
twostorytower, almost 5 years ago
My org was forced to switch from Zoom to Microsoft Teams and it's become quite apparent Microsoft has a long way to go to catch up. There are small things Zoom did that enhanced meetings that you never even knew or thought about as a user until switching to something else. For example, noise filtering. Zoom has active noise filtering which gets rid of small background noise (like typing or computer fans). Microsoft Teams does not have this, and every meeting with more than a couple of people has unbearable background noise and everyone has to be on mute if they're not talking.

We're now looking into an enterprise license for Krisp.ai just to remedy this. I am not sure how a trillion-dollar company like Microsoft hasn't been able to figure this out yet. Maybe they'll buy a startup like Krisp just to fix it. But hey... at least it's more secure.
caiobegotti, almost 5 years ago
Reading the whole story makes me believe Zoom has really poor security practices all across the board. Even basic stuff. Incredible.
sillysaurusx, almost 5 years ago
It seems like one way to mitigate security vulnerabilities is to write software that looks for statistical anomalies. Attempting 1 million passwords in 28 minutes is such an obvious outlier that it's strange we have to guard against it explicitly.

It would also catch cheats in video games, for example, since those are statistical outliers too.

Is there a name for this kind of program?
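The kind of program asked about above is usually called anomaly detection (or, in a SOC, behavioural or rate-based detection). The following is an added example, not from the page or any product, of the simplest useful form: aggregate join attempts per source from a log, then flag sources whose count is a robust statistical outlier. It uses the modified z-score of Iglewicz and Hoaglin (median and median absolute deviation rather than mean and standard deviation), because the outlier itself would otherwise inflate the baseline it is measured against. The log format, the addresses, the meeting ID and the 300-attempt burst are all constructed for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed log format: one line per join attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) join meeting=(?P<meeting>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: ordinary attendees mistype the password once or twice...
NORMAL_LINES = [
    "2020-07-29T10:00:01Z join meeting=123-456-789 src=198.51.100.7 result=ok",
    "2020-07-29T10:00:03Z join meeting=123-456-789 src=198.51.100.8 result=fail",
    "2020-07-29T10:00:05Z join meeting=123-456-789 src=198.51.100.8 result=ok",
    "2020-07-29T10:00:09Z join meeting=123-456-789 src=198.51.100.9 result=ok",
    "2020-07-29T10:00:12Z join meeting=123-456-789 src=198.51.100.10 result=fail",
    "2020-07-29T10:00:14Z join meeting=123-456-789 src=198.51.100.10 result=fail",
    "2020-07-29T10:00:18Z join meeting=123-456-789 src=198.51.100.10 result=ok",
    "2020-07-29T10:00:21Z join meeting=123-456-789 src=198.51.100.11 result=fail",
    "2020-07-29T10:00:25Z join meeting=123-456-789 src=198.51.100.11 result=ok",
    "2020-07-29T10:00:30Z join meeting=123-456-789 src=198.51.100.12 result=ok",
    "2020-07-29T10:00:33Z join meeting=123-456-789 src=198.51.100.13 result=ok",
    "2020-07-29T10:00:40Z join meeting=123-456-789 src=198.51.100.14 result=fail",
    "2020-07-29T10:00:44Z join meeting=123-456-789 src=198.51.100.14 result=ok",
]
# ...while one constructed source sweeps through 300 candidates in five minutes.
BURST_LINES = [
    f"2020-07-29T10:{5 + i // 60:02d}:{i % 60:02d}Z join meeting=123-456-789 "
    f"src=203.0.113.9 result=fail"
    for i in range(300)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + BURST_LINES)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def attempts_per_source(log):
    return Counter(rec["src"] for rec in parse(log))


def failures_per_meeting(log):
    """Second aggregation for the distributed case: many sources, one target."""
    return Counter(rec["meeting"] for rec in parse(log) if rec["result"] == "fail")


def robust_outliers(counts, threshold=3.5):
    """Modified z-score: 0.6745 * (x - median) / MAD. Scores above 3.5 are the
    conventional cut-off. Returns (key, count, score) for each outlier."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate case (most values identical): fall back to the mean
        # absolute deviation, or treat everything as normal if that is 0 too.
        mad = statistics.mean(abs(v - med) for v in values) or 1.0
    flagged = []
    for key, n in counts.items():
        score = 0.6745 * (n - med) / mad
        if score > threshold:
            flagged.append((key, n, round(score, 1)))
    return flagged


def detect(log):
    """Run the per-source outlier check over a log and return the flagged sources."""
    return robust_outliers(attempts_per_source(log))


if __name__ == "__main__":
    for src, n, score in detect(SAMPLE_LOG):
        print(f"outlier: {src} made {n} attempts (modified z-score {score})")
    print(failures_per_meeting(SAMPLE_LOG))
```

With this sample the median attendee makes 2 attempts and the median absolute deviation is 1, so the 300-attempt source scores around 201 while the most enthusiastic legitimate attendee (3 attempts) scores below 1. In production the same check would run over a sliding time window and alongside the per-meeting aggregation, since a distributed guess stream looks normal per source but not per meeting.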
user5994461, almost 5 years ago
I really hope they just extend the password to 8 uppercase letters (200 billion combinations) or 10 digits.

If they go for a longer and alphanumeric password as it seems they are doing, I am gonna dread having to enter that manually whenever joining a meeting, all because a hypothetical attacker might join in. Might as well switch back to WebEx for usability.
AnonHP, almost 5 years ago
I can't stand the thought of using Zoom after all the seemingly endless issues on security and privacy (and now this new issue with not paying a bug bounty).

For what might probably be the millionth time, what are the best alternatives (preferably free or easily self-hostable or priced low) for occasional calls of the following types:

1. Video calls with some people (say about 10 people max). The free Jitsi Meet seems good for this.

2. Webinar platform where there are clear distinctions between a presenter and participants, and the presenter chooses what's visible at any point in time (video feed from camera or some file/presentation/screen sharing) and has control over recording the session.

3. Same as #2 but with two presenters on camera (different physical locations) switching back and forth (either as the main view or with the active presenter on the main view and the other in a smaller corner window).
techntoke, almost 5 years ago
Why public education continues to use Zoom is beyond me. Not only do they use Zoom, they spend upwards of $10/mo per student for it. For that price you get the entire G Suite platform.
zemnmez, almost 5 years ago
As an FYI, CSRF protection is not related to bot protection; the CSRF protection failure means an attacker can execute this code in another user's browser (and get no meaningful result).
coldcode, almost 5 years ago
My employer just switched to Zoom (yesterday was my first Zoom meeting) and I wondered why we were switching to a company with such lame security.
jimktrains2, almost 5 years ago
> They seem to have mitigated it by both requiring a user logs in to join meetings in the web client

Well, that's unfortunate. I don't have a Zoom account and have no interest in having one, but sometimes need to attend meetings I have no control over where they're held.
xtracto, almost 5 years ago
Reminded me of the time when it was possible to brute-force a Hotmail password via the Windows Messenger client connections.
wolco, almost 5 years ago
Checked 91k passwords in 25 minutes.

250 minutes to crack any password?

Meeting will be over before this happens.
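user5994461's "200 billion combinations" and wolco's "250 minutes" are both keyspace-versus-guess-rate arithmetic, and the same arithmetic is what a defender uses to decide whether a password policy or a rate limit is adequate. The following is an added example, not from the page, that computes the keyspace of several policies and the time needed to sweep it at an observed rate, and contrasts that with the rate a per-meeting cap would allow. The 91,000-in-25-minutes figure is the one wolco states; the policy set, the cap of 10 attempts per 5 minutes and the "10 alphanumeric" row are constructed for comparison.

```python
def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords a fixed-length, fixed-alphabet policy permits."""
    return alphabet_size ** length


def observed_rate(guesses: int, minutes: float) -> float:
    """Guesses per minute implied by an observation such as '91k in 25 minutes'."""
    return guesses / minutes


def minutes_to_exhaust(space: int, guesses_per_minute: float) -> float:
    """Time to try every candidate; on average the right one turns up after half."""
    return space / guesses_per_minute


def rate_limited_minutes_to_exhaust(space: int, attempts_per_window: int,
                                    window_minutes: float) -> float:
    """With a per-meeting cap, the aggregate guess rate against one meeting is
    bounded by the cap, however many sources the attempts are spread across."""
    return space / (attempts_per_window / window_minutes)


# Constructed comparison set; the first three policies are the ones discussed above.
POLICIES = {
    "6 digits": (10, 6),
    "10 digits": (10, 10),
    "8 uppercase letters": (26, 8),
    "10 alphanumeric": (62, 10),
}


def compare_policies(guesses_per_minute: float, attempts_per_window: int = 10,
                     window_minutes: float = 5.0) -> dict:
    """For each policy: keyspace, minutes to exhaust it unthrottled, and minutes
    to exhaust it under a per-meeting cap (constructed default: 10 per 5 minutes)."""
    rows = {}
    for name, (alphabet, length) in POLICIES.items():
        space = keyspace(alphabet, length)
        rows[name] = {
            "space": space,
            "unlimited_minutes": minutes_to_exhaust(space, guesses_per_minute),
            "rate_limited_minutes": rate_limited_minutes_to_exhaust(
                space, attempts_per_window, window_minutes),
        }
    return rows


if __name__ == "__main__":
    rate = observed_rate(91_000, 25)  # wolco's figure: 3,640 guesses per minute
    for name, row in compare_policies(rate).items():
        print(f"{name:20s} space={row['space']:>16,d} "
              f"unlimited={row['unlimited_minutes']:>14,.0f} min "
              f"capped={row['rate_limited_minutes'] / (60 * 24):>12,.0f} days")
```

Two things fall out of the numbers: at 3,640 guesses per minute a 6-digit space takes under five hours to sweep, which is why a short numeric password alone does not protect a meeting, and under a cap of 10 attempts per 5 minutes the same 6-digit space takes roughly 347 days, so even a short password becomes impractical to guess once the service throttles failures per meeting.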