They then took the random IDs and checked them against the URL string used for joining Zoom meetings ((). Researchers were able to pre-generate a list of 1,000 randomly-generated, potentially valid meeting IDs. “An adversary with intermediate skills could unlock this attack.” Predicting Meeting IDs “Brute forcing this range is very hard is you have no feedback from Zoom, but Zoom made a mistake where a tag would identify if meeting IDs are valid or not when users input meeting IDs to the meeting URL,” Yaniv Balmas, head of cyber research for Check Point Software, told Threatpost. This could open the door to third-party actors eventually being able to guess a meeting ID and enter a conferencing session, said researchers with Check Point Software that presented the research. The report revealed that it’s possible to correctly predict valid meeting IDs, due to Zoom identifying meeting IDs as “valid” or “invalid” when they are input into the meeting URL. Research unveiled the research Tuesday here at CPX 360, a security event hosted by Check Point Security. If meeting creators do not enable a “meeting password,” the only thing securing the meetings are Meeting IDs, which are 9, 10, or 11 digit meeting identifying numbers. The issue stems from Zoom’s conference meetings not requiring a “meeting password” by default, which is a password assigned to Zoom attendees for what is calls a meeting room. NEW ORLEANS – Enterprise video conferencing firm Zoom has issued a bevy of security fixes after researchers said the company’s platform used weak authentication that made it possible for adversaries to join active meetings.
0 Comments
Leave a Reply. |