Critical Flaw in Zoom Could Allow Attackers to Mess With Meetings

A serious vulnerability existed in the Zoom video conferencing app that the vendor has recently patched. The flaw in the Zoom app could allow an attacker to join meetings and get access to the shared files.

Researchers from Check Point Research have discovered a serious security flaw in the Zoom video conferencing app. The vulnerability could potentially allow an adversary to sneak into an ongoing meeting and listen to the content.

Sharing the details in a post, the researchers revealed that the problem existed with Zoom Meeting IDs. They found that the Meeting IDs simply consisted of 9, 10, or 11 digits. Thus, it was possible for an adversary to guess the Meeting IDs via simple brute force.

Then, to check the validity of a Meeting ID, the researchers relied on the ‘div’ element referenced in the following code:

for url in urls:
    yield MakeHTTPRequest(url=url, callback=parseResponse)

def MakeHTTPRequest(url, callback):
    …

def parseResponse(response):
    # No join-error element in the response means the Meeting ID is valid
    if response.css('div#join-errormsg').get() is None:
        print('Valid Meeting ID found: {}'.format(response.url))
    else:
        print('Invalid Meeting ID')

As stated in their post,

Thus, anyone using this trick could join a meeting once they knew its ID was valid. This would then allow the adversary to listen to all the conversations and access files shared during the meeting.
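On the server side, the guessing described above shows up as one client requesting many distinct Meeting IDs, most of them invalid, in a short time. The following is an added example, not code from this article or from the researchers' post, that flags that pattern; the log format, the `/j/<Meeting ID>` path and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not Zoom's own):
#   <ISO timestamp> <client IP> GET /j/<Meeting ID> <valid|invalid>
LINE_RE = re.compile(r"^(\S+) (\S+) GET /j/(\d{9,11}) (valid|invalid)$")

# Constructed sample data; IPs are from documentation ranges.
SAMPLE_LOG = (
    [f"2020-01-01T10:00:0{i} 198.51.100.7 GET /j/{123456780 + i} invalid"
     for i in range(5)]
    + ["2020-01-01T10:00:05 198.51.100.7 GET /j/123456785 valid",
       "2020-01-01T10:00:01 203.0.113.20 GET /j/987654321 valid",
       "2020-01-01T10:03:00 203.0.113.20 GET /j/987654321 valid",
       "2020-01-01T10:00:02 203.0.113.21 GET /j/5550001111 invalid",
       "2020-01-01T10:00:30 203.0.113.21 GET /j/5550001112 valid"]
)

def find_enumerators(lines, window=timedelta(minutes=1),
                     min_ids=5, min_invalid_ratio=0.8):
    """Map client -> (distinct IDs, invalid ratio) for clients that probe
    many distinct Meeting IDs, mostly invalid, within one sliding window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts, client, meeting_id, outcome = m.groups()
        events[client].append(
            (datetime.fromisoformat(ts), meeting_id, outcome == "invalid"))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop requests older than the window
            chunk = evs[start:end + 1]
            ids = {meeting_id for _, meeting_id, _ in chunk}
            ratio = sum(bad for _, _, bad in chunk) / len(chunk)
            if len(ids) >= min_ids and ratio >= min_invalid_ratio:
                flagged[client] = (len(ids), ratio)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A participant who mistypes an ID once or rejoins the same meeting stays below the distinct-ID threshold, so only the client cycling through IDs is reported.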

Highlighting the possible impact of this vulnerability and the ease of exploit, the researchers stated,
