9/20/2023

Zoom meeting id and password list

Zoom meetings were default protected by a 6 digit numeric password, meaning 1 million maximum passwords. I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting. This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings. This also raises the troubling question as to whether others were potentially already using this vulnerability to listen in to other people’s calls (e.g.

I reported the issue to Zoom, who quickly took the web client offline to fix the problem. They seem to have mitigated it by both requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer.

On March 31st, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID. Twitter was alive with people saying they were trying to join, but Zoom protects meetings with a password by default (which was pointed out when the Government defended using Zoom). Having also tried to join, I thought I would see if I could crack the password for private Zoom meetings. Over the next couple of days, I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting.
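The control whose absence is described above, as an added example (not from the original post and not Zoom's code): a server-side guard that throttles password checks per meeting ID, plus the worst-case time to exhaust the 6-digit keyspace under that throttle. The class name, thresholds and sample meeting data are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5        # assumed policy: failed checks allowed before lockout
LOCKOUT_SECONDS = 900   # assumed policy: lockout length (15 minutes)


class MeetingPasswordGuard:
    """Throttle password checks per meeting ID rather than per client,
    so spreading guesses across sessions or addresses gains nothing."""

    def __init__(self, passwords, clock=time.monotonic):
        self._passwords = passwords   # meeting_id -> password (constructed data)
        self._failures = {}           # meeting_id -> failures since last reset
        self._locked_until = {}       # meeting_id -> clock value when lock ends
        self._clock = clock

    def check(self, meeting_id, candidate):
        now = self._clock()
        # While locked, refuse to evaluate the candidate at all, so the
        # endpoint cannot be used as a password oracle during the lockout.
        if now < self._locked_until.get(meeting_id, 0.0):
            return "locked"
        expected = self._passwords.get(meeting_id, "")
        # Constant-time comparison; unknown meetings look like a wrong password.
        ok = expected != "" and hmac.compare_digest(
            candidate.encode(), expected.encode())
        if ok:
            self._failures.pop(meeting_id, None)
            return "ok"
        failures = self._failures.get(meeting_id, 0) + 1
        if failures >= MAX_FAILURES:
            self._locked_until[meeting_id] = now + LOCKOUT_SECONDS
            failures = 0
        self._failures[meeting_id] = failures
        return "wrong"


def worst_case_days(keyspace, max_failures=MAX_FAILURES,
                    lockout=LOCKOUT_SECONDS):
    """Days needed to try every password when each batch of
    max_failures guesses costs one full lockout period."""
    return (keyspace / max_failures) * lockout / 86400
```

A per-meeting lockout also blocks legitimate joiners while it is active, so a real deployment would pair it with alerting for the host and with the longer, non-numeric default passwords the post mentions.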