Zoom has fixed the issue stemming out from the lack of checks against the multiple incorrect passcode attempts. Security concern in Zoom was disclosed this week, which could have helped attackers to easily crack private meeting passcodes or snoop in on video conferences.
The problem, that has already been fixed, originated from Zoom, and not having adequate checks against repeated incorrect meeting password attempts. The numeric, six-digit passwords protect Zoom meetings and got added to Zoom meetings by default in April as an extra security measure to stop “Zoom bombers” from freely entering and hijacking meetings.
The issue was born from Zoom lacking a fair standard principle of password security, which is to limit password attempts. Put simply; this means that an attacker could repeat over a list of passwords and then leverage Zoom’s web client to continuously send across HTTP requests to attempt checking all the passwords – with no incorrect limits of attempt stopping them.
Upon reporting the issue to Zoom on April 1, the tech company took the web client offline to fix the problem by April 9. Anthony confirmed that Zoom appears to have mitigated the issue by both requiring adequate user logs in to join meetings for the web client, to update default meeting passwords to be longer and non-numeric.
Source: Threatpost
