Zoom meetings were protected by default with a 6 digit numeric password, giving at most 1 million possible passwords. I discovered a vulnerability in the Zoom web client that allowed checking whether a password was correct for a meeting, due to broken CSRF protection and no rate limiting.
I reported the issue to Zoom, who quickly took the web client offline to fix the problem. They appear to have mitigated it both by requiring that a user log in to join meetings in the web client and by updating default meeting passwords to be non-numeric and longer. This attack therefore no longer works.

On March 31st, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was among many who noticed that the screenshot included the Zoom Meeting ID.
Twitter was alive with people saying they were trying to join, but Zoom protects meetings with a password by default, a point that was raised when the Government defended its use of Zoom.
Having also tried to join, I thought I would see if I could crack the password for private Zoom meetings. Over the next couple of days I spent time reverse engineering the endpoints of the web client Zoom provides, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting.
After trying to join the Cabinet Meeting, I poked about in the Zoom app and noticed that the default passwords were 6 digits and numeric, meaning at most 1 million possible passwords. A fairly standard principle of password security is to rate limit password attempts, to prevent an attacker from iterating over a list of candidate passwords and trying them all. I assumed that Zoom would be doing this, but decided to double check.
When a user creates a new meeting, Zoom auto-generates a link for people to join, in the form shown below (dummy data). It contains both the meeting ID and the auto-generated password. I believe this password is a hashed version of the 6 digit numeric password, but I also found that swapping it out for the 6 digit numeric version was accepted by the web client endpoints, so we could ignore the hashed version and concentrate on the numeric one.
This process was a little convoluted to automate, which is perhaps why this endpoint had not been scrutinised in detail before. The important thing to note about the above process is that there was no rate limit on repeated password attempts, each of which comprised 2 HTTP requests: one to submit the password, and a follow-up request to check whether the server had accepted it.
The speed is limited by how quickly you can make HTTP requests, which have a natural latency that would make cracking a password a slow process; the server-side state means you have to wait for the first request to complete before you can send the second.
However, the state was stored against the provided GUID, and you can ask the server for as many of those as you want by sending HTTP requests with no cookie. This means we could request a batch of GUIDs, chunk the 1 million possible passwords up between them, and run multiple requests in parallel. I put together some fairly clunky Python that requests a batch of GUIDs and then spawns multiple threads so the requests run in parallel.
An initial test running from my home machine with threads: we can see we are checking about 25 passwords a second, and discovered the password (in this example I knew the password, so I had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.
With improved threading and distribution across cloud servers, you could check the entire password space within a few minutes. Note also that the expected time to find a password would be shorter, as you would not normally need to search the entire list of possible passwords. The initial version of my attack could only be run once a meeting had started, but I later found that the DOM for un-started meetings indicated whether the password was correct or incorrect, meaning you could crack scheduled meetings too.
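The weakness described above is that the server budgeted nothing per meeting: attempt state hung off a session GUID the caller could mint freely, so parallel guessing across fresh GUIDs and cloud machines saw no limit at all. The following is an added example, not Zoom's code, of the server-side check a defender would want instead: failed join attempts are counted against the meeting ID, and the session GUID plays no part in the decision. The thresholds, the meeting ID and the password are constructed assumptions; the simulation replays the attacker pattern from the post (one fresh GUID per guess at roughly 25 guesses a second) to show that only the first budget of guesses is ever evaluated.

```python
"""Per-meeting join guard: failed password attempts are budgeted against the
meeting ID, not against the caller's session GUID.
Added example, not Zoom's code; thresholds are assumed policy values."""
import hmac
import secrets
from collections import defaultdict, deque

MAX_FAILURES = 10        # wrong passwords tolerated per meeting per window (assumed)
WINDOW_SECONDS = 600     # sliding window over which failures are counted (assumed)
LOCKOUT_SECONDS = 900    # how long joins stay blocked once the budget is spent (assumed)


class MeetingJoinGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._passwords = {}                  # meeting_id -> password (constructed store)
        self._failures = defaultdict(deque)   # meeting_id -> timestamps of recent failures
        self._locked_until = {}               # meeting_id -> time at which the lockout expires

    def register_meeting(self, meeting_id, password):
        self._passwords[meeting_id] = password

    def attempt_join(self, meeting_id, session_guid, candidate, now):
        """Return 'ok', 'wrong' or 'locked'. session_guid is accepted only so the
        caller can see that it plays no part in the decision."""
        if self._locked_until.get(meeting_id, 0.0) > now:
            return "locked"
        recent = self._failures[meeting_id]
        while recent and recent[0] <= now - self.window:   # drop failures outside the window
            recent.popleft()
        expected = self._passwords.get(meeting_id)
        if expected is not None and hmac.compare_digest(candidate.encode(), expected.encode()):
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[meeting_id] = now + self.lockout
        return "wrong"


def simulate_guid_rotation(guard, meeting_id, guesses, start=0.0, gap=0.04):
    """Constructed attacker pattern from the post: every guess arrives under a fresh
    session GUID, about 25 guesses per second. Returns how many attempts got each outcome."""
    counts = {"ok": 0, "wrong": 0, "locked": 0}
    for i, guess in enumerate(guesses):
        guid = secrets.token_hex(16)            # new GUID per request, as in the post
        outcome = guard.attempt_join(meeting_id, guid, guess, start + i * gap)
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    g = MeetingJoinGuard()
    g.register_meeting("000-demo-000", "482913")                # constructed meeting
    print(simulate_guid_rotation(g, "000-demo-000", [f"{n:06d}" for n in range(100)]))
    # Only MAX_FAILURES guesses are evaluated; the rest are refused whatever GUID they carry.
```

Keying the budget on the meeting rather than on the session or the source IP is what defeats both tricks in the post (minting GUIDs and spreading load across cloud servers), but it has a cost the simulation also shows: while the lockout is active a legitimate attendee with the right password is refused too, so an attacker can lock others out of a meeting. That is why a per-meeting budget is usually paired with something that raises the cost of each attempt, such as the login requirement Zoom added, rather than deployed on its own.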
If you do override the password and produce a longer alphanumeric password, then a 6 digit numeric password may be produced anyway for phone users. That password is not accepted, at least on the web client endpoint I was trying. Also note that even if the password were updated to alphanumeric, I estimate you could still run through a password list of, say, the top 10 million passwords in less than an hour.
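The numbers in the post make the case for the default password change by themselves: a 6 digit numeric default is a 1 million entry keyspace, and at the 25 guesses a second measured from a home machine that is exhausted in about 11 hours, at the AWS rate (91k in 25 minutes) in under 5. The following is an added example, not Zoom's code, of what a server that issues default meeting passwords would want instead: a generator drawing from the operating system's CSPRNG, a policy check that rejects the short, all-numeric shape, and a keyspace estimate that puts the post's rates next to a longer alphanumeric default. The alphabet (alphanumeric minus look-alike characters) and the 10 character minimum are assumed policy choices.

```python
"""Default meeting password generation and a keyspace estimate for the
guessing rates measured in the post.
Added example, not Zoom's code; alphabet and minimum length are assumed policy."""
import math
import secrets
import string

# Alphanumeric alphabet minus look-alikes (0/O, 1/l/I) so invites stay readable (assumption).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
MIN_LENGTH = 10   # assumed minimum length for a generated default password


def password_policy_ok(password):
    """Reject the kind of default the post describes: short or all-numeric."""
    return len(password) >= MIN_LENGTH and not password.isdigit()


def generate_meeting_password(length=MIN_LENGTH):
    """Draw from the OS CSPRNG via secrets; retry in the vanishingly rare all-digit case."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_policy_ok(candidate):
            return candidate


def keyspace_bits(length, alphabet_size):
    """Entropy of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(length, alphabet_size, attempts_per_second):
    """Worst-case time to try every password at a fixed guessing rate."""
    return alphabet_size ** length / attempts_per_second / 3600


if __name__ == "__main__":
    # Rates from the post: ~25/s from a home machine, 91k in 25 min (~61/s) from AWS.
    for rate in (25, 91_000 / (25 * 60)):
        print(f"6 digits at {rate:.0f}/s: {hours_to_exhaust(6, 10, rate):.1f} h to exhaust")
    pw = generate_meeting_password()
    print(pw, f"{keyspace_bits(len(pw), len(ALPHABET)):.0f} bits,",
          f"{hours_to_exhaust(len(pw), len(ALPHABET), 1000):.2e} h at 1000/s")
```

The estimate is worst case for the random-default scenario only; the post's point about a curated list of 10 million common passwords still applies to user-chosen overrides, which is why the policy check is applied to those as well and why it is a complement to rate limiting rather than a substitute for it.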
It got me wondering whether this flaw had previously been found: if I could discover it then it seems plausible that others could too, which makes this bug particularly worrisome. I reported the issue to Zoom directly, and they quickly took the whole web client offline for a few days whilst they triaged the issue; it came back up a few days later. From my interactions with the team, they seemed to care about the security of the platform and their users, and they seemed appreciative of the report.
Zoom run a private, invite-only bug bounty program, which is fairly common practice for many organisations. I was invited to submit this bug to the bug bounty program, but I asked to wait as I was interested in the new bug bounty program they were working on. I wondered whether the new program rules would guarantee consent for disclosure, given that I felt this was a bug of public interest.
Zoom agreed I could submit the bug under the new program when it was launched. Zoom have since released the results of their 90 day security sprint, and commitment 4 on that list includes updates to their bug bounty program. I did submit a couple of other small bugs via the private program on HackerOne, and received bounties for those. Thanks Zoom team! It was surprising to me that there was no rate limiting on the central mechanism of the platform, which combined with a poor default password system and faulty CSRF protection meant that meetings were really not secure.
Zoom meetings also got a default password upgrade, which is great.

Update: A few people have asked me or remarked about the lack of bounty. To be clear, I never actually submitted this bug via their bounty program (though I was invited to do so), as I was holding out for their new program (see above), and it fell down the cracks a bit.

The government have reassured that the call was password protected.

Published July 29