Video-conferencing outfit Zoom had a vulnerability in its URL scheme that miscreants could exploit to eavesdrop on private meetings.
That's according to infosec biz Check Point, which says it found snoops could brute-force their way into Zoom-hosted virtual meetings that were not secured by a password.
Hackers would just need to generate a list of 9-, 10-, or 11-digit meeting IDs and check whether each was valid. If they got a hit, the spies could then eavesdrop on the conference and access all the video, audio and documents shared throughout the session, although this only worked if no password had been set.
"The problem was that if you hadn't enabled the 'Require meetings password' option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting," Check Point noted in an advisory shared with The Register ahead of its publication today.
The firm reckoned that around 4 per cent of randomly generated meeting IDs led to genuine Zoom meetings. That may not sound like much, but Check Point says it represents a "very high chance of success" compared to brute-force attacks on more secure systems.
Zoom, which went public last year in April at a valuation of $16bn, was founded in 2011 by Eric Yuan, a former engineer at Cisco-acquired web-conferencing firm Webex. Cisco disclosed Webex's own freshly patched bug just days ago in a security advisory.
"Zoom is hugely popular for business meetings, which are often about highly sensitive commercial or legal issues – yet our research showed how a hacker could easily access random Zoom meetings and eavesdrop on the meetings' discussion and material," said Oded Vanunu, head of product vulnerability research at Check Point.
According to Zoom, its conferencing software is used by "millions", including 60 per cent of Fortune 500 companies. In its most recent reported quarter, Q3 2020, ended 31 October 2019, the company posted net income of $2.2m, compared with a loss of $598,000 for the same period a year ago. Revenue grew 85 per cent to $166.6m – though investors are moaning that this represents a slowing of growth.
Researchers disclosed the security flaw to Zoom on 22 June last year. As a result, Zoom patched the security weakness and released a series of fixes, which included requiring users to set passwords on all future meetings, and blocking devices that repeatedly try to scan for meeting IDs.
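The second of those fixes, blocking devices that repeatedly scan for meeting IDs, is the kind of detection a conferencing service can run over its own join-attempt logs. The Python below is an added illustration, not Zoom's or Check Point's code: it assumes a hypothetical log format of "client meeting_id valid|invalid" (constructed sample lines inline) and flags any client that probes many distinct IDs with a low success rate, which is what a brute-force scan of 9- to 11-digit IDs looks like from the server side.

```python
"""Flag meeting-ID scanning in constructed join-attempt log lines.

Added example, not Zoom's or Check Point's code. The log format below is
a hypothetical one: each line is "<client> <meeting_id> <valid|invalid>".
A client that tries many distinct IDs and rarely gets a valid one is
treated as a scanner that should be throttled or blocked.
"""
from collections import defaultdict

# Constructed sample lines: client-A sweeps a range of IDs, client-B
# rejoins one real meeting, client-C mistypes twice then gets it right.
SAMPLE_LOG = """\
client-A 100000001 invalid
client-A 100000002 invalid
client-A 100000003 invalid
client-A 100000004 invalid
client-A 100000005 invalid
client-A 100000006 invalid
client-A 100000007 valid
client-A 100000008 invalid
client-B 98765432109 valid
client-B 98765432109 valid
client-C 5551234567 invalid
client-C 5551234568 invalid
client-C 5551234569 valid
"""


def is_wellformed_meeting_id(meeting_id: str) -> bool:
    """Zoom meeting IDs in the article are 9, 10 or 11 digits; anything
    else can be rejected before it reaches the lookup path."""
    return meeting_id.isdigit() and 9 <= len(meeting_id) <= 11


def parse_line(line: str):
    """Split one hypothetical log line into (client, meeting_id, was_valid)."""
    client, meeting_id, result = line.split()
    if not is_wellformed_meeting_id(meeting_id):
        raise ValueError(f"malformed meeting ID in log line: {line!r}")
    return client, meeting_id, result == "valid"


def flag_scanners(log_text: str, min_distinct: int = 5,
                  max_valid_ratio: float = 0.2) -> dict:
    """Return {client: distinct_ids_tried} for clients that look like
    brute-force scanners.

    A client is flagged when it has probed at least `min_distinct`
    different meeting IDs and at most `max_valid_ratio` of its attempts
    hit a real meeting. Rejoining the same meeting many times is not
    flagged, since it adds no new distinct IDs.
    """
    stats = defaultdict(lambda: {"ids": set(), "attempts": 0, "valid": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        client, meeting_id, was_valid = parse_line(raw)
        entry = stats[client]
        entry["ids"].add(meeting_id)
        entry["attempts"] += 1
        if was_valid:
            entry["valid"] += 1

    flagged = {}
    for client, entry in stats.items():
        distinct = len(entry["ids"])
        valid_ratio = entry["valid"] / entry["attempts"]
        if distinct >= min_distinct and valid_ratio <= max_valid_ratio:
            flagged[client] = distinct
    return flagged


if __name__ == "__main__":
    for client, count in flag_scanners(SAMPLE_LOG).items():
        print(f"block candidate: {client} probed {count} distinct meeting IDs")
```

The thresholds are deliberately simple; a production service would also window the counts by time and key on more than a bare client identifier, since a scanner can rotate addresses. The point of the example is that the signal is the number of distinct IDs tried and the miss rate, not any single failed join, so ordinary users who mistype an ID (client-C) are not caught.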
In response to this story, a Zoom spokesperson said: "The privacy and security of Zoom's users is our top priority. The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform."
The company came under fire last year for installing a hidden web server on Macs, which enabled hackers to pull unsuspecting users into a call by embedding a Zoom link into a website. Both Zoom and Apple released a fix shortly afterwards. ®