Another Zoom security flaw means hackers may have spied on calls

A previously unknown weakness left users vulnerable to hackers.


Saturday, 1 August, 2020

Secret weakness.

A researcher for SEO firm SearchPilot has discovered a security flaw in Zoom. The weakness means hackers could enter password-protected calls within minutes.

The weakness came from Zoom placing no limit on how many times a password could be tried against a private meeting. Private Zoom meetings were protected by a 6-digit numeric code, which gives only a million (10^6) possible passwords. Because the web client did not throttle failed attempts, an attacker could use software to ‘brute force’ every combination, trying them one after another quickly and easily until the right one let them in.
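As an added illustration of the point above (a constructed model written for this article, not Zoom’s code or the researcher’s tooling; the meeting gate, the request rate, the attempt cap and the lockout length are all assumptions), the following Python simulation shows why a million six-digit codes fall within minutes when attempts are unlimited, and how a per-meeting attempt cap with lockout, the kind of rate limiting Zoom says it later added, changes the arithmetic:

```python
"""
Constructed simulation (added example, not Zoom's code or the researcher's
tooling): a six-digit meeting passcode checked with and without rate limiting.
"""
import hmac
import math
from dataclasses import dataclass
from typing import Optional, Tuple

PASSCODE_SPACE = 10 ** 6  # six decimal digits: 000000 .. 999999


@dataclass
class MeetingGate:
    """Hypothetical password check for one meeting ID (assumed model, not a real API)."""
    passcode: str
    max_attempts: Optional[int] = None  # None = unlimited, the vulnerable configuration
    lockout_seconds: float = 600.0      # assumed lockout after the cap is exceeded
    attempts: int = 0
    locked_until: float = 0.0

    def try_join(self, guess: str, now: float) -> str:
        """Return 'locked', 'ok' or 'wrong'. Every attempt is counted, right or wrong."""
        if now < self.locked_until:
            return "locked"
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            # Cap exceeded: lock this meeting ID and reset the counter for the next window.
            self.locked_until = now + self.lockout_seconds
            self.attempts = 0
            return "locked"
        # Constant-time comparison so timing does not leak how many digits matched.
        return "ok" if hmac.compare_digest(guess, self.passcode) else "wrong"


def brute_force(gate: MeetingGate, requests_per_second: float,
                budget_seconds: float) -> Tuple[Optional[str], float, int]:
    """Enumerate 000000..999999 at a fixed request rate, waiting out any lockout.

    Returns (code found or None, simulated seconds elapsed, guesses actually tested).
    """
    clock = 0.0
    tested = 0
    for n in range(PASSCODE_SPACE):
        guess = f"{n:06d}"
        while True:
            if clock >= budget_seconds:
                return None, clock, tested
            result = gate.try_join(guess, clock)
            if result == "locked":
                clock = max(clock, gate.locked_until)  # wait, then retry the same guess
                continue
            tested += 1
            clock += 1.0 / requests_per_second
            break
        if result == "ok":
            return guess, clock, tested
    return None, clock, tested


def worst_case_seconds(max_attempts: int, lockout_seconds: float,
                       requests_per_second: float) -> float:
    """Time to exhaust the whole space when every `max_attempts` guesses cost one lockout."""
    lockouts = math.ceil(PASSCODE_SPACE / max_attempts) - 1
    return lockouts * lockout_seconds + PASSCODE_SPACE / requests_per_second


if __name__ == "__main__":
    # Constructed passcode; 2000 requests/second and a one-hour attacker budget are assumptions.
    open_gate = MeetingGate("738291")
    print("unlimited attempts:", brute_force(open_gate, 2000.0, 3600.0))
    throttled = MeetingGate("738291", max_attempts=10, lockout_seconds=600.0)
    print("10 attempts then 10-minute lockout:", brute_force(throttled, 2000.0, 3600.0))
    print("days to exhaust the space when throttled:",
          worst_case_seconds(10, 600.0, 2000.0) / 86400)
```

With no cap, the assumed rate of 2000 guesses a second reaches code 738291 in about six minutes of simulated time; with a cap of ten attempts and a ten-minute lockout, the same hour yields only 60 tested guesses, and exhausting the full space would take well over a year. The cap must be keyed to the meeting ID rather than to the attacker’s source address, otherwise guesses spread across many IPs bypass it.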

The weakness was uncovered by the researcher at SearchPilot, who reported it to Zoom on 1 April. Not the best April Fools prank to receive!

For some reason the flaw was only disclosed publicly this week, though Zoom says it was fixed by 9 April. Calls held after that date are therefore not considered vulnerable to this particular attack.

So far there is no evidence that the vulnerability was exploited by hackers. However, an uninvited participant who joined muted with their camera off could easily go unnoticed, so victims would not necessarily know they had been targeted. This is especially worrying for businesses that held confidential Zoom meetings with large numbers of attendees, where one extra name in the participant list is unlikely to stand out.

Zoom bomb.

This isn’t the first time Zoom calls have been known to have unwanted guests. You’ve probably been seeing the term ‘zoombombing’ online.

‘Zoombombing’ describes uninvited people joining calls after obtaining the meeting details, such as a shared link or password. Often these Zoom calls are things like university lectures or business meetings. ‘Bombers’ enter the call shouting obscenities and upload the videos to social media.

However, some of these call invasions ended up with people being exposed to child pornography and other explicit images.

They’re listening, Boris.

The SearchPilot researcher suggested that the weakness could have been used against highly confidential government meetings about COVID-19, including the UK cabinet meeting held over Zoom.

In a blog for SearchPilot the researcher said:

“On 31 March, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID.”

“…In Boris Johnson’s screenshot there is a user simply called ‘iPhone’ that is muted with the camera off. It got me wondering whether this flaw has previously been found.”

“If I could discover it then it seems plausible that others could too…which makes this bug particularly worrisome.”

A spokesperson for Zoom told The Independent:

Upon learning of this issue we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations.

We have since improved rate limiting… and relaunched the web client on 9 April. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.

- Zoom spokesperson

As we all get used to a more digital-based life, these risks will increase. Let’s hope platforms are ready for them as they come.



Natalie Dunning is a freelance writer and Media Psychology researcher based in Manchester.