The popular video conferencing Zoom is affected by a vulnerability that could be exploited to join meetings and view all content shared by participants.
The issue allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.
The Zoom platform hosts both password-protected virtual meetings and webinars, and sessions for non-pre-registered participants who can join the meetings by entering a unique Meeting ID (comprised of 9, 10, and 11-digit numbers). The latter case doesn’t require a password or going through the Waiting Rooms.
The knowledge of Meeting IDs could allow miscreants joining meetings or webinars.
“The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.” reads the analysis published by CheckPoint.
Check Point experts discovered that an attacker could p
The researchers generated 1000 potentially valid Zoom Meeting IDs and prepared the URL string for joining the meetings, then they check whether the IDs were valid or not.
urls = 
for _ in range(1000):
The experts discovered that it was p
<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>
The discovered were able to automate the verification process.
“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success,
Check Point reported the flaw to Zoom in July 2019 and in September the company addressed it, the platform now requires a password when scheduling new meetings, for instant meetings, and for Personal Meeting ID (PMI).
Below the list of changes implemented by Zoom for its client\infrastructure: