A researcher for SEO firm SearchPilot has discovered a security flaw in Zoom. The weakness means hackers could enter password-protected calls within minutes.
The weakness comes from the lack of any limit on how many times a password can be attempted on a private meeting. Private Zoom video chats are protected by a 6-digit numeric code, which gives only a million possible passwords. With no rate limiting, hackers could use software to ‘brute force’ every combination quickly and easily.
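To show the control that was missing, here is an added Python example (not Zoom's code, and not from the SearchPilot researcher): a passcode check that counts failed guesses per meeting and source and locks that source out, plus a rough figure for how long exhausting the six-digit space takes once a lockout applies. The meeting ID, source label and passcode are constructed sample values.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5          # failed guesses allowed per (meeting, source)
LOCKOUT_SECONDS = 300     # lockout once that many have failed
PASSCODE_SPACE = 10 ** 6  # six decimal digits, as in the article

class PasscodeGate:
    """Passcode check with a failure counter and lockout per (meeting, source).
    Without such a counter all million codes can be tried back to back; a
    per-meeting cap is also advisable, since guesses may come from many sources."""

    def __init__(self, passcodes, clock=time.monotonic):
        self._passcodes = passcodes        # meeting_id -> passcode (constructed)
        self._clock = clock                # injectable for deterministic tests
        self._failures = defaultdict(int)  # (meeting, source) -> failed count
        self._locked_until = {}            # (meeting, source) -> unlock time

    def attempt(self, meeting_id, source, guess):
        key = (meeting_id, source)
        now = self._clock()
        if self._locked_until.get(key, 0.0) > now:
            return "locked"                # refuse even a correct guess
        expected = self._passcodes.get(meeting_id, "")
        if hmac.compare_digest(expected, guess):   # constant-time compare
            self._failures.pop(key, None)
            return "ok"
        self._failures[key] += 1
        if self._failures[key] >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            self._failures.pop(key, None)
        return "bad"

def exhaustive_seconds(max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
    """Lower bound on wall-clock time one source needs to try every code when
    each block of max_failures guesses costs a full lockout (ignores request time)."""
    return (PASSCODE_SPACE // max_failures) * lockout

def simulate(passcode="042917", wrong_first=6):
    """Constructed scenario: one source guesses wrong `wrong_first` times, sends
    the right code while locked out, then retries after the lockout expires."""
    clock = [0.0]
    gate = PasscodeGate({"mtg-demo": passcode}, clock=lambda: clock[0])
    results = [gate.attempt("mtg-demo", "src-A", f"{i:06d}")
               for i in range(wrong_first)]
    results.append(gate.attempt("mtg-demo", "src-A", passcode))
    clock[0] += LOCKOUT_SECONDS
    results.append(gate.attempt("mtg-demo", "src-A", passcode))
    return results
```

With the defaults, `exhaustive_seconds()` comes to 60,000,000 seconds, roughly 694 days, against the "within minutes" the article describes for the unthrottled case.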
The weakness was uncovered by the researcher at SearchPilot, who reported it to Zoom on 1 April. Not the best April Fools’ prank to receive!
For some reason Zoom only disclosed the flaw this week, though they say it was fixed by 9 April. So any calls after that date were not considered vulnerable.
So far there is no evidence that the security vulnerability was exploited by hackers. However, victims may not be aware they were targeted. This is especially worrying for businesses that have held confidential Zoom meetings with large numbers of attendees.
This isn’t the first time Zoom calls have been known to have unwanted guests. You’ve probably been seeing the term ‘zoombombing’ online.
‘Zoombombing’ describes people accessing calls by obtaining passwords. Often these Zoom calls are things like university lectures or business meetings. ‘Bombers’ enter the call shouting obscenities and upload the videos to social media.
However, some of these call invasions ended up with people being exposed to child pornography and other explicit images.
They’re listening, Boris.
SearchPilot argues that the weakness may have been exploited in highly confidential government meetings about COVID-19.
In a blog for SearchPilot the researcher said:
“On 31 March, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID.”
“…In Boris Johnson’s screenshot there is a user simply called ‘iPhone’ that is muted with the camera off. It got me wondering whether this flaw has previously been found.”
“If I could discover it then it seems plausible that others could too…which makes this bug particularly worrisome.”
A spokesperson for Zoom told The Independent:
As we all get used to a more digital-based life, these risks will increase. Let’s hope platforms are ready for them as they come.