zoom
Check Point Research (security company) says in a report that they found security flaws in video conferencing platform Zoom that would have allowed a hacker to join a video meeting uninvited and access any files, data, or information shared during the session. Zoom has also disclosed the issue and concerns about the safety of videoconferencing apps that require access to microphones and cameras.

Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants as a kind of unique address to locate and join a specific call. Company researchers found a way to predict which were valid meetings about 4 per cent of the time, and they were able to join some, says Yaniv Balmas, Check Point’s head of cyber research. Since Zoom conference calls can accommodate “tens of thousands” of participants in one meeting, according to the company’s May IPO, it would not be hard for an attacker to sneak into a Zoom call unannounced if there were no screening measures in place.

Check Point didn’t find a way to connect a Zoom meeting ID with a specific user. So even if a bad actor gained access to a random meeting, they wouldn’t necessarily know whose meeting it was before they joined the call. The researchers didn’t find that someone accessing a Zoom meeting would have access to other users’ cameras or microphones.

Check Point disclosed the vulnerability to Zoom, and it says the company responded quickly to fix the issue. It replaced the randomised generation of meeting ID numbers with a “cryptographically strong” one, added more digits to meeting ID numbers, and made requiring passwords the default for future meetings. (A Zoom call with Check Point to discuss the research did not need me to enter a password before joining, however.)
It’s no longer possible to scan for random meeting IDs the way the Check Point researchers did; each attempt to join loads a meeting page, and repeated efforts to try to browse for meeting IDs temporarily block that device from the platform. A Zoom spokesperson said the issue Check Point identified was addressed in August, adding that privacy and security of its users was its top priority. “We thank the Check Point team for sharing their research and collaborating with us,” the company said.

San Jose-based Zoom, founded in 2011, has a market cap of just under $20 billion and customers in more than 180 countries. The company said during its third-quarter earnings announcement last month that its customer base included 74,000 businesses of the exact size, measured as a business with more than ten employees.

Last summer, security researcher Jonathan Leitschuh discovered a zero-day vulnerability in Zoom on Macs that could have allowed a bad actor to hijack a user’s camera and live feed. The company eventually stopped using the local web server that created the vulnerability, but not before first defending it as a “low-risk” situation.

Balmas said the Check Point researchers were explicitly focused on Zoom and its meeting ID numbers and did not investigate whether the vulnerability would be present in other video chat programs like Google Hangouts or Skype. But he cautioned that any videoconferencing platform has inherent risks, even if users take necessary safety precautions. “We didn’t look at [other videoconferencing platforms], but what we found here is a shout out to them,” he said. “You must look out for these kinds of things, for ways that unauthorized users can gain access, for any application that has access to your microphone or camera.”
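
The fixes the article describes (cryptographically strong meeting IDs, passwords by default, and a temporary block on a device that keeps guessing) can be sketched on the server side as follows. This is an added illustration, not Zoom's or Check Point's code; the `MeetingDirectory` class, the 11-digit ID length and the lockout thresholds are assumptions chosen for the example.

```python
import hmac
import secrets
import time

ID_DIGITS = 11    # assumption: the article only says "more digits" were added
MAX_MISSES = 5    # assumption: failed joins tolerated per window
WINDOW_S = 60     # assumption: sliding window length, seconds
BLOCK_S = 300     # assumption: temporary block duration, seconds


class MeetingDirectory:
    """Toy meeting registry combining the three mitigations."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._meetings = {}       # meeting_id -> password
        self._misses = {}         # device -> timestamps of recent failed joins
        self._blocked_until = {}  # device -> time at which the block expires

    def create_meeting(self):
        # CSPRNG-backed ID, uniform over the whole ID space, so knowing some
        # valid IDs does not help predict others.
        while True:
            meeting_id = f"{secrets.randbelow(10 ** ID_DIGITS):0{ID_DIGITS}d}"
            if meeting_id not in self._meetings:
                break
        password = secrets.token_urlsafe(8)  # password set by default
        self._meetings[meeting_id] = password
        return meeting_id, password

    def join(self, device, meeting_id, password=""):
        now = self._clock()
        if now < self._blocked_until.get(device, 0.0):
            return "blocked"
        stored = self._meetings.get(meeting_id)
        # Same answer for "no such meeting" and "wrong password", so the
        # response does not reveal which IDs are valid.
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return "joined"
        recent = [t for t in self._misses.get(device, []) if now - t < WINDOW_S]
        recent.append(now)
        self._misses[device] = recent
        if len(recent) >= MAX_MISSES:
            self._blocked_until[device] = now + BLOCK_S
        return "denied"
```

Returning one generic "denied" for both an unknown ID and a wrong password matters as much as the lockout: a distinct "meeting not found" response would let a scanner confirm valid IDs even when every meeting has a password.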
