Vulnerability Allowed Brute-Forcing Passwords of Private Zoom Meetings
Security News, July 2020
A vulnerability that Zoom addressed in its web client could have allowed an attacker to join private meetings by brute-forcing the passcode.
The vulnerability stemmed from the lack of a limit on the number of attempts allowed to check a meeting's password, so an attacker could have joined private meetings by simply trying all of the possible combinations.
The vulnerability was the result of a combination of factors: Zoom meetings being protected by default with 6-digit passcodes, no limit on the number of failed attempts to enter the correct code, and a broken cross-site request forgery (CSRF) protection in the web client.
"This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private Zoom meetings," Tom Anthony, the researcher who reported the flaw, explains.
"Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users' security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you've found a security issue with Zoom products, please send a detailed report to ," a Zoom spokesperson told SecurityWeek.
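The two controls described above, a cap on failed passcode attempts and a CSRF check on the passcode request, as an added illustration (not the article's or Zoom's code): a toy server-side verifier for a 6-digit meeting passcode that locks a meeting after a fixed number of wrong guesses and rejects requests without a valid CSRF token. The class name, meeting ids, passcodes, attempt budget and lockout window are all assumed.

```python
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5   # assumed per-meeting budget of wrong guesses
LOCKOUT_SECONDS = 300     # assumed lockout window after the budget is spent


class MeetingPasscodeVerifier:
    """Server-side passcode check with the two controls the article names:
    a per-meeting failed-attempt limit and a CSRF token on every request.
    Constructed toy: state is in-memory and tokens are not bound to a session."""

    def __init__(self, passcodes, clock=time.monotonic):
        self._passcodes = dict(passcodes)   # meeting_id -> 6-digit passcode
        self._failures = {}                 # meeting_id -> (count, locked_until)
        self._csrf_tokens = set()
        self._clock = clock                 # injectable for testing the lockout

    def issue_csrf_token(self):
        """Hand a token to the page that will submit the passcode form."""
        token = secrets.token_urlsafe(32)
        self._csrf_tokens.add(token)
        return token

    def check(self, meeting_id, passcode, csrf_token):
        """Return 'ok', 'wrong', 'locked' or 'csrf' for one join attempt."""
        # Without a valid token, a cross-site page cannot drive the check at all.
        if csrf_token not in self._csrf_tokens:
            return "csrf"
        count, locked_until = self._failures.get(meeting_id, (0, 0.0))
        now = self._clock()
        if now < locked_until:
            return "locked"                 # even a correct code waits out the window
        expected = self._passcodes.get(meeting_id, "")
        if hmac.compare_digest(expected.encode(), passcode.encode()):
            self._failures.pop(meeting_id, None)
            return "ok"
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            # Budget spent: lock the meeting and reset the counter for the next window.
            self._failures[meeting_id] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[meeting_id] = (count, locked_until)
        return "wrong"
```

With this budget an exhaustive sweep of the 1,000,000 codes is bounded to at most MAX_FAILED_ATTEMPTS guesses per lockout window per meeting, instead of being limited only by request throughput.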