SearchPilot specialist Tom Anthony discovered that the password for Zoom conferences could be brute-forced.
Since April of this year, Zoom has protected all conferences with a mandatory six-digit numeric password. The company introduced this protection because of so-called Zoom-bombing: before it, third parties often joined Zoom video conferences (online lessons, business meetings, etc.) to disrupt the meeting or just for a joke. Recordings of such pranks often appeared and spread on social networks afterwards.
Anthony explains that he found a CSRF bug and that there were no restrictions on the number of password attempts or on the rate of guessing. As a result, only a million possible combinations (from 000000 to 999999) had to be tried. With 4-5 cloud servers this could be done in a matter of minutes through the web client (at an address of the form https://zoom.us/j/MEETING_ID) by continuously sending HTTP requests.
The specialist also writes that the same procedure could be repeated for scheduled conferences, for which the default password can be changed to a longer alphanumeric one. In this case, it was possible to quickly try the 10,000,000 most popular passwords.
The researcher discovered the problem back on April 1, 2020, shortly after password protection was introduced. He notified Zoom's engineers of the bug, attaching a PoC exploit written in Python to his report. The specialist's tool could crack a six-digit password in about 25 minutes from a single computer; with more machines or cloud-server capacity, the time dropped to a couple of minutes. To fix the bug, the developers had to temporarily disable the Zoom web client, and on April 9 they fixed the problem.
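The core defect described above is the absence of any limit on the number or rate of passcode attempts. The following is an added illustration of the server-side check that was missing, not Zoom's code and not Anthony's PoC: a passcode gate that counts failed attempts per (meeting, source) pair and locks that pair out for a window once a threshold is reached. The threshold of 5 attempts and the 60-second lockout window are assumed policy values chosen for the example; the meeting id, passcode and source addresses are constructed sample data.

```python
import hmac
import time
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5   # failed attempts allowed before lockout (assumed policy value)
LOCKOUT_WINDOW = 60.0   # seconds the (meeting, source) pair stays locked (assumed policy value)


@dataclass
class PasswordGate:
    """Verifies a meeting passcode and throttles repeated failures.

    Failures are keyed by (meeting_id, source) so that one abusive source
    cannot lock out legitimate participants joining the same meeting.
    """
    passcodes: dict                      # meeting_id -> expected passcode (sample data)
    threshold: int = LOCKOUT_THRESHOLD
    window: float = LOCKOUT_WINDOW
    _failures: dict = field(default_factory=dict)   # key -> (fail_count, locked_until)

    def check(self, meeting_id, source, guess, now=None):
        """Return "ok", "wrong" or "locked". `now` is injectable for testing."""
        now = time.monotonic() if now is None else now
        key = (meeting_id, source)
        count, locked_until = self._failures.get(key, (0, 0.0))
        if now < locked_until:
            return "locked"                 # refused without evaluating the guess
        if locked_until:
            count, locked_until = 0, 0.0    # previous lock expired: start a fresh window
        expected = self.passcodes.get(meeting_id, "")
        # constant-time comparison so timing does not leak how many characters matched
        if expected and hmac.compare_digest(str(guess), expected):
            self._failures.pop(key, None)
            return "ok"
        count += 1
        if count >= self.threshold:
            locked_until = now + self.window
        self._failures[key] = (count, locked_until)
        return "wrong"


def simulate_sweep(gate, meeting_id, source, n_guesses, now=0.0):
    """Push n sequential six-digit guesses from one source through the gate at one instant.

    Returns (evaluated, refused): how many guesses the gate actually compared
    against the passcode versus how many it rejected outright as locked.
    """
    evaluated = refused = 0
    for i in range(n_guesses):
        if gate.check(meeting_id, source, f"{i:06d}", now) == "locked":
            refused += 1
        else:
            evaluated += 1
    return evaluated, refused


def worst_case_seconds(keyspace, threshold, window):
    """Seconds a single source needs to exhaust `keyspace` guesses under the lockout policy."""
    return (keyspace / threshold) * window


if __name__ == "__main__":
    gate = PasswordGate({"123456789": "654321"})        # constructed sample meeting/passcode
    print(simulate_sweep(gate, "123456789", "203.0.113.7", 1_000_000))   # (5, 999995)
    print(worst_case_seconds(10**6, LOCKOUT_THRESHOLD, LOCKOUT_WINDOW) / 86400, "days")
```

Under this policy a single source gets five guesses per minute instead of roughly 670 per second, so exhausting the million-combination space takes on the order of 139 days rather than 25 minutes. A per-source limit alone is not sufficient against the multi-server setup the article describes; a deployment would add a per-meeting cap on total failures and a CSRF token on the join request so that attempts cannot be scripted from arbitrary origins.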