The popular video conferencing platform Zoom is affected by a vulnerability that could be exploited to join meetings and view all content shared by participants.
The issue allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.
The Zoom platform hosts both password-protected virtual meetings and webinars, and sessions for non-pre-registered participants, who can join a meeting by entering a unique Meeting ID (a 9-, 10-, or 11-digit number). The latter case doesn’t require a password or going through the Waiting Room.
Knowledge of a Meeting ID could therefore allow miscreants to join meetings or webinars.
“The problem was that if you hadn’t enabled the ‘Require meeting password’ option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it,” reads the analysis published by Check Point.
Check Point experts discovered that an attacker could p
The researchers generated 1000 potentially valid Zoom Meeting IDs and prepared the URL string for joining the meetings, then checked whether the IDs were valid or not.
urls = 
for _ in range(1000):
The experts discovered that it was p
<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>
The researchers were able to automate the verification process.
“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success,
Check Point reported the flaw to Zoom in July 2019, and in September the company addressed it. The platform now requires a password when scheduling new meetings, for instant meetings, and for Personal Meeting ID (PMI).
Below is the list of changes implemented by Zoom for its client/infrastructure:
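The automated validity checking described above leaves a recognisable trace on the server side: one client looking up many different Meeting IDs, most of them invalid. The following detector is an added example, not code from Check Point or Zoom; the log record layout, the thresholds and the function name are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding-window length
MAX_INVALID_IDS = 5   # assumed: distinct invalid Meeting IDs tolerated per window

# Constructed sample records: (unix_time, client_ip, meeting_id, id_was_valid)
SAMPLE_LOG = [
    # A participant who mistypes the same ID twice, then joins successfully.
    (1002, "192.0.2.44", "123456780", False),
    (1010, "192.0.2.44", "123456780", False),
    (1020, "192.0.2.44", "123456789", True),
] + [
    # A client walking through many different IDs, one per second; a few hit.
    (1001 + i, "203.0.113.9", str(400000000 + i * 7919), i % 25 == 0)
    for i in range(30)
]


def find_id_scanners(records, window=WINDOW_SECONDS, limit=MAX_INVALID_IDS):
    """Return {client_ip: time_first_flagged} for clients that looked up more
    than `limit` distinct invalid Meeting IDs within `window` seconds."""
    recent = defaultdict(deque)  # ip -> (time, meeting_id) of invalid lookups
    flagged = {}
    for ts, ip, meeting_id, valid in sorted(records, key=lambda r: r[0]):
        if valid:
            continue  # only failed lookups indicate guessing
        lookups = recent[ip]
        lookups.append((ts, meeting_id))
        # Drop lookups that have aged out of the window.
        while ts - lookups[0][0] >= window:
            lookups.popleft()
        # Count distinct IDs so retries of one typo are not penalised.
        if ip not in flagged and len({m for _, m in lookups}) > limit:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, ts in find_id_scanners(SAMPLE_LOG).items():
        print(f"{ip} exceeded the invalid Meeting ID limit at t={ts}")
```

Counting distinct invalid IDs rather than raw failures keeps a participant who retypes one wrong ID below the threshold while a client cycling through IDs crosses it within seconds.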