In this manner, researchers were able to predict 4 percent of randomly generated meeting IDs, “which is a very high chance of success.”Īn actual attack has some caveats. Specifically, the “div” element of the output shows whether a meeting ID is valid or not: “We discovered a fast and easy way to check this based on the following ‘div’ element present in the HTML Body of the returned response, when accessing ‘Join Meeting’ URL,” researchers said. If they paired an ID against the “Join Meeting” URL and it was incorrect, the output would say “invalid Meeting ID ” however, if a valid meeting ID was found, the output would say “Valid Meeting ID found” and list the meeting for which it was validated. They then took the random IDs and checked them against the URL string used for joining Zoom meetings ((). Researchers were able to pre-generate a list of 1,000 randomly-generated, potentially valid meeting IDs. “An adversary with intermediate skills could unlock this attack.” Predicting Meeting IDs “Brute forcing this range is very hard is you have no feedback from Zoom, but Zoom made a mistake where a tag would identify if meeting IDs are valid or not when users input meeting IDs to the meeting URL,” Yaniv Balmas, head of cyber research for Check Point Software, told Threatpost. This could open the door to third-party actors eventually being able to guess a meeting ID and enter a conferencing session, said researchers with Check Point Software that presented the research.
The report revealed that it’s possible to correctly predict valid meeting IDs, due to Zoom identifying meeting IDs as “valid” or “invalid” when they are input into the meeting URL. Research unveiled the research Tuesday here at CPX 360, a security event hosted by Check Point Security. If meeting creators do not enable a “meeting password,” the only thing securing the meetings are Meeting IDs, which are 9, 10, or 11 digit meeting identifying numbers. The issue stems from Zoom’s conference meetings not requiring a “meeting password” by default, which is a password assigned to Zoom attendees for what is calls a meeting room.
NEW ORLEANS – Enterprise video conferencing firm Zoom has issued a bevy of security fixes after researchers said the company’s platform used weak authentication that made it possible for adversaries to join active meetings.
0 kommentar(er)
