


A vulnerability in teleconferencing app Zoom would have allowed a malicious actor to identify and join in on active meetings, Check Point Research says in a new report.

According to the cybersecurity research firm Check Point Research, the problem had to do with Zoom Meeting IDs. If a user didn't enable the "Require meeting password" option or enable the Waiting Room, the nine-to-11-digit meeting IDs were the only thing securing a meeting and preventing an unauthorized person from listening in.

The firm pre-generated a list of potentially valid Zoom Meeting IDs, took 1,000 random IDs and prepared the URL string for joining the meeting.

"But how could we determine if a Zoom Meeting ID represented a valid meeting or not? We discovered a fast and easy way to check this based on the following "div" element present in the HTML Body of the returned response, when accessing the "Join Meeting" URL:"

    '.format(response.url))

According to Check Point, its researchers were able to predict about 4% of generated Meeting IDs.

The firm contacted Zoom on July 22 last year and proposed several mitigations, including:

- Re-implement the generation algorithm of Meeting IDs.
- Replace the randomization function with a cryptographically strong one.
- Increase the number of digits/symbols in the Meeting IDs.
- Force hosts to use passwords/PINs/SSO for authorization purposes.

In response, Zoom took the following actions:

- Passwords are added by default to all future scheduled meetings.
- Users are able to add a password to already-scheduled future meetings and receive instructions by email on how to do so.
- Password settings are enforceable at the account level and group level by the account admin.
- Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
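The two lists above name three defensive ideas: draw meeting IDs from a cryptographically strong generator, make the ID space large relative to the number of live meetings, and stop the join page from acting as a validity oracle. The Python below is an added illustration of those ideas and is not code from Check Point's report or from Zoom. It assumes a purely numeric ID of 9 to 11 digits (the range the article quotes), a constructed set of "active" IDs, and a simplified join-page body; the HTML strings and the `reveal_validity` switch are hypothetical stand-ins for the old and new server behaviour.

```python
"""Added example: hardening meeting-ID generation and removing the validity oracle."""
import secrets
from math import log2

# Constructed sample of currently "active" meeting IDs (not real data).
ACTIVE_IDS = {"123456789", "987654321", "55555555555"}


def generate_meeting_id(n_digits: int) -> str:
    """Return an n-digit meeting ID from a CSPRNG (the secrets module), zero-padded.

    This is the 'replace the randomization function with a cryptographically
    strong one' mitigation: the next ID cannot be predicted from earlier ones.
    """
    if n_digits < 1:
        raise ValueError("n_digits must be >= 1")
    return f"{secrets.randbelow(10 ** n_digits):0{n_digits}d}"


def id_space_bits(n_digits: int) -> float:
    """Entropy of a uniformly chosen n-digit decimal ID, in bits."""
    return n_digits * log2(10)


def random_guess_hit_rate(n_digits: int, active_meetings: int) -> float:
    """Probability that one uniformly random guess lands on an active meeting.

    Contrast this with the ~4% hit rate the article reports for a predictable
    generator: with uniform IDs the rate is bounded by active / 10**n_digits.
    """
    space = 10 ** n_digits
    if not 0 < active_meetings <= space:
        raise ValueError("active_meetings must be in 1..10**n_digits")
    return active_meetings / space


def render_join_page(meeting_id: str, active_ids=ACTIVE_IDS,
                     reveal_validity: bool = False) -> str:
    """Simplified join-page body (hypothetical markup, not Zoom's).

    reveal_validity=True models the old oracle behaviour: the returned body
    differs depending on whether the ID is active, so a single GET tells a
    guesser whether to keep the ID.  The default models the hardened
    behaviour: every ID gets the same page, and validity is only resolved by
    actually attempting to join (which can then be password-gated and rate
    limited).
    """
    if reveal_validity:
        if meeting_id in active_ids:
            return "<div id='join-status'>Joining meeting...</div>"
        return "<div id='join-status'>Invalid meeting ID</div>"
    return "<div id='join-status'>Launching meeting client...</div>"


if __name__ == "__main__":
    print("sample id:", generate_meeting_id(11))
    print("bits in a 9-digit id:", round(id_space_bits(9), 2))
    print("random-guess hit rate (9 digits, 100k live):",
          random_guess_hit_rate(9, 100_000))
    print("oracle page  :", render_join_page("000000001", reveal_validity=True))
    print("hardened page:", render_join_page("000000001"))
```

`render_join_page` is the piece to check in a review: with the default setting the body for an active ID and for an unused ID must be byte-for-byte identical, otherwise the response itself remains a cheap validity check regardless of how strong the generator is.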
