Check Point Research (a security company) says in a report that it found
security flaws in the video conferencing platform Zoom that would have allowed a
hacker to join a video meeting uninvited and access any files, data, or
information shared during the session. Zoom has also disclosed the issue, which
raises concerns about the safety of videoconferencing apps that require access
to microphones and cameras.
Each Zoom call has a randomly generated ID number between 9 and 11 digits
long that’s used by participants as a kind of unique address to locate and join
a specific meeting. Check Point researchers found a way to predict which IDs
were valid meetings about 4 per cent of the time, and they were able to join
some, says Yaniv Balmas, Check Point’s head of cyber research.
Since Zoom conference calls can accommodate “tens of thousands” of
participants in one meeting, according to the company’s May IPO, it would
not be hard for an attacker to sneak into a Zoom call unannounced if there were
no screening measures in place.
Check Point didn’t find a way to connect a Zoom meeting ID with a specific
user. So even if a bad actor gained access to a random meeting, they wouldn’t
necessarily know whose meeting it was before they joined the call. The
researchers didn’t find that someone accessing a Zoom meeting would have access
to other users’ cameras or microphones.
Check Point disclosed the vulnerability to Zoom, and it says the company
responded quickly to fix the issue. It replaced the randomised generation of
meeting ID numbers with a “cryptographically strong” one, added more digits to
meeting ID numbers, and made requiring passwords the default for future
meetings. (A Zoom call with Check Point to discuss the research did not need me
to enter a password before joining, however.)
It’s no longer possible to scan for random meeting IDs the way the Check
Point researchers did; each attempt to join loads a meeting page, and repeated
efforts to browse for meeting IDs temporarily block that device from the
A Zoom spokesperson said the issue Check Point identified was addressed in
August, adding that the privacy and security of its users is its top priority. “We
thank the Check Point team for sharing their research and collaborating with
us,” the company said.
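The two mitigations described above, a cryptographically strong meeting ID generator and temporary blocking of a device that makes repeated failed join attempts, can be sketched as a small server-side model. The Python below is an added illustration written for this page; it is not Zoom's code or Check Point's. The 11-digit ID length, the three-failure limit, the window and block durations, and the passcode format are all assumptions chosen for the example.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed parameters (assumptions for this example, not Zoom's actual settings)
ID_DIGITS = 11          # the article says Zoom added digits; 11 is assumed here
MAX_FAILURES = 3        # failed joins tolerated per client within the window
WINDOW_SECONDS = 60     # window over which failures are counted
BLOCK_SECONDS = 300     # how long a client stays blocked after exceeding the limit


def generate_meeting_id(digits=ID_DIGITS):
    """Draw the ID from the OS CSPRNG via `secrets`, not a seeded PRNG, so an
    observed ID reveals nothing about the next one and every value in the
    10**digits space is equally likely."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def generate_passcode(length=6):
    """Short per-meeting passcode from an alphabet without look-alike characters."""
    alphabet = "abcdefghkmnpqrstuvwxyz23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class FakeClock:
    """Injectable clock so the rate limiter can be exercised deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class MeetingServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.meetings = {}                   # meeting_id -> passcode, or None for an open meeting
        self.failures = defaultdict(deque)   # client -> timestamps of recent failed joins
        self.blocked_until = {}              # client -> time at which the block expires

    def create_meeting(self, require_passcode=True):
        meeting_id = generate_meeting_id()
        while meeting_id in self.meetings:   # collision is astronomically unlikely, but cheap to guard
            meeting_id = generate_meeting_id()
        passcode = generate_passcode() if require_passcode else None
        self.meetings[meeting_id] = passcode
        return meeting_id, passcode

    def _credentials_ok(self, meeting_id, passcode):
        if meeting_id not in self.meetings:
            return False
        expected = self.meetings[meeting_id]
        if expected is None:
            return True
        if passcode is None:
            return False
        # Constant-time comparison so response timing does not leak partial matches.
        return secrets.compare_digest(expected.encode(), passcode.encode())

    def join(self, client, meeting_id, passcode=None):
        """Return 'joined', 'denied' or 'blocked'. A blocked client is refused even
        with correct credentials; that is what makes enumerating the ID space
        uneconomical rather than merely slow."""
        now = self.clock()
        if self.blocked_until.get(client, 0.0) > now:
            return "blocked"
        if self._credentials_ok(meeting_id, passcode):
            return "joined"
        recent = self.failures[client]
        recent.append(now)
        while recent and recent[0] < now - WINDOW_SECONDS:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[client] = now + BLOCK_SECONDS
            recent.clear()
        return "denied"
```

Both an unknown ID and a wrong passcode produce the same "denied" response, and the block applies to the device regardless of whether its next guess happens to be a real meeting, so the server never acts as an oracle that confirms which IDs are live.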
San Jose-based Zoom, founded in 2011, has a market cap of just under $20
billion and customers in more than 180 countries. The company said during
its third-quarter earnings announcement last month that its customer
base included 74,000 businesses meeting its size threshold, defined as a
business with more than ten employees.
Last summer, security researcher Jonathan Leitschuh discovered a
zero-day vulnerability in Zoom on Macs that could have allowed a bad actor
to hijack a user’s camera and live feed. The company eventually stopped using
the local web server that created the vulnerability, but only after first
defending it as a “low-risk” situation.
Balmas said the Check Point researchers were explicitly focused on Zoom and
its meeting ID numbers and did not investigate whether the vulnerability would
be present in other video chat programs like Google Hangouts or Skype. But he
cautioned that any videoconferencing platform has inherent risks, even if users
take necessary safety precautions.
“We didn’t look at [other videoconferencing platforms], but what we found
here is a shout out to them,” he said. “You must look out for these kinds of
things, for ways that unauthorized users can gain access, for any application
that has access to your microphone or camera.”