Zoom flaw could have let anyone hijack video conference calls
Zoom, the favorite video calling solution for enterprises all over the world, suffered from a critical security flaw. The issue, first detected by researchers at cybersecurity firm Check Point, opened a way for hackers to hijack ongoing video conference calls and eavesdrop on private meetings and conversations. Here are more details.
URL-based virtual conference feature exploited
During an analysis of Zoom, the researchers at Check Point noted a flaw in the service's biggest feature: the ability to join video conference rooms through special links. The feature itself worked as intended, but the researchers found that meeting room IDs randomly generated with certain automated tools could match genuine ones and give unauthorized access to meetings.
Real meetings accessed 4% of the time
In a test, the researchers were able to use randomly-generated meeting IDs to access actual Zoom conferences 4% of the time. The hack couldn't be used to target specific chat rooms, and members would notice the unknown connection. But if the attacker had found a meeting with plenty of people, it wouldn't have been hard to listen in on the conversation without getting noticed.
Now, this posed a major security threat
The hack highlighted by Check Point posed a major threat to the security of Zoom's entire user base, which mainly consists of enterprise users. Going solely by the numbers, the platform is used by more than 60% of Fortune 500 companies and over 96% of the top 200 universities in the US. The risk of confidential information leaking was simply too high.
Zoom fixed the vulnerability in August 2019
Check Point informed Zoom about the vulnerability, prompting the company to quickly issue a security update for the service. The video-calling giant also added passwords by default when scheduling meetings and disabled the ability to randomly scan for meetings to join. However, it remains unclear whether anybody else exploited the bug before it was patched.
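
One way a meeting service could spot the random-ID scanning described above in its join logs, as an added example that is not from the article, Check Point or Zoom. The log tuple layout, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # assumed look-back window
MAX_DISTINCT_IDS = 5   # assumed limit on distinct meeting IDs per source per window
MIN_MISS_RATIO = 0.8   # assumed share of attempts that match no meeting

def build_sample_events():
    """Constructed join log: (unix_time, source, meeting_id, meeting_exists)."""
    events = [
        (1000, "203.0.113.5", 555000111, True),    # invited user joins
        (1030, "203.0.113.5", 555000111, True),    # same user reconnects
        (1010, "203.0.113.9", 555000112, False),   # typo in the ID
        (1020, "203.0.113.9", 555000111, True),    # corrected ID
    ]
    # A scanner trying 25 random-looking IDs, one of which is real (4%).
    for i in range(25):
        events.append((1000 + i, "198.51.100.7", 100000000 + i * 7919, i == 12))
    return events

def find_scanners(events, window=WINDOW_SECONDS,
                  max_ids=MAX_DISTINCT_IDS, min_miss=MIN_MISS_RATIO):
    """Return {source: time first flagged} for enumeration-like behaviour."""
    recent = defaultdict(deque)   # source -> attempts inside the window
    flagged = {}
    for ts, src, meeting_id, exists in sorted(events):
        attempts = recent[src]
        attempts.append((ts, meeting_id, exists))
        while attempts[0][0] <= ts - window:   # drop attempts older than the window
            attempts.popleft()
        distinct = {m for _, m, _ in attempts}
        misses = sum(1 for _, _, ok in attempts if not ok)
        # Many different IDs, almost all of them nonexistent: not a normal join.
        if (src not in flagged and len(distinct) > max_ids
                and misses / len(attempts) >= min_miss):
            flagged[src] = ts
    return flagged

if __name__ == "__main__":
    for source, when in find_scanners(build_sample_events()).items():
        print(f"possible meeting-ID scan from {source}, first flagged at t={when}")
```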
Here's what Zoom's spokesperson said on the matter
"The privacy and security of Zoom's users is our top priority. The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research."