Passwords for accessing private meetings in Zoom could be easily brute-forced: New vulnerability found

Zoom is arguably the most popular video conferencing platform today, although the increase in its popularity has also generated security issues, as security testing course experts mention. The developers of the platform have just fixed a flaw that would allow threat actors to guess the code used to access a group session, exposing users to eavesdropping.

Zoom sessions are protected by a six-digit numeric password by default; however, Tom Anthony, a researcher at SearchPilot, says that a weakness in this mechanism allowed threat actors to try every possible combination of digits and recover a meeting's password in a matter of minutes.

The researcher reported the problem last April, attaching a Python-based proof of concept to his report, and the flaw was corrected a few days later. It should be noted that a six-digit password allows a total of one million possible combinations, which represents a minimal obstacle for attackers with sufficient knowledge and resources, as security testing course experts point out.

[Image: zoom30072020.jpg. SOURCE: Tom Anthony]

Zoom's security teams had not enforced a limit on the number of password attempts, so threat actors could use Zoom's web client (https://zoom.us/j/MEETING_ID) to send a continuous stream of HTTP requests until the password was guessed.

In his proof of concept, the researcher demonstrated that he could join ongoing meetings once the password had been recovered. In addition, Anthony found that the same procedure could be used to access Zoom sessions scheduled for a later time, although this requires trying a list of 10 million possible combinations.
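The root cause described above is the absence of an attempt limit on a one-million-entry keyspace. The following is an added illustration, not code from the article or from Zoom: a hypothetical server-side passcode gate that counts failed join attempts per meeting ID and locks the meeting after a threshold, alongside a simulation showing that exhaustive guessing succeeds against the unlimited version but is stopped after a handful of requests by the limited one.

```python
"""Added example: per-meeting attempt limiting for a short numeric meeting passcode."""
import secrets
import time
from collections import defaultdict

PASSCODE_DIGITS = 6
KEYSPACE = 10 ** PASSCODE_DIGITS  # one million combinations, as the article notes


def expected_guesses(digits: int) -> int:
    """Average guesses needed to hit a uniformly random numeric passcode: half the keyspace."""
    return (10 ** digits) // 2


class PasscodeGate:
    """Hypothetical join-time check. max_failures=None reproduces the unlimited behaviour
    the flaw allowed; a small integer locks the meeting after that many wrong guesses."""

    def __init__(self, passcodes: dict, max_failures=10, lockout_s: float = 600.0):
        self._passcodes = passcodes            # meeting_id -> passcode (constructed sample data)
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self._failures = defaultdict(int)      # meeting_id -> consecutive failed attempts
        self._locked_until = {}                # meeting_id -> unix time the lockout ends

    def try_join(self, meeting_id: str, guess: str, now: float = None) -> str:
        now = time.time() if now is None else now
        if self._locked_until.get(meeting_id, 0.0) > now:
            return "locked"                    # reject even a correct guess while locked
        expected = self._passcodes.get(meeting_id)
        # constant-time comparison so response timing leaks nothing about the passcode
        if expected is not None and secrets.compare_digest(expected, guess):
            self._failures[meeting_id] = 0
            return "joined"
        self._failures[meeting_id] += 1
        if self.max_failures is not None and self._failures[meeting_id] >= self.max_failures:
            self._locked_until[meeting_id] = now + self.lockout_s
            self._failures[meeting_id] = 0
        return "denied"


def simulate_enumeration(gate: PasscodeGate, meeting_id: str, attempt_cap: int):
    """Walk the numeric keyspace in order against the gate, as the unlimited web client
    permitted; returns (outcome, requests_sent) so the two configurations can be compared."""
    for n in range(attempt_cap):
        result = gate.try_join(meeting_id, f"{n:0{PASSCODE_DIGITS}d}", now=0.0)
        if result in ("joined", "locked"):
            return result, n + 1
    return "exhausted", attempt_cap
```

A per-meeting counter alone lets a remote party lock legitimate attendees out, so a deployed version would pair it with per-source throttling and a challenge rather than a hard lock; the point here is only that the counter must live server-side and apply regardless of which client or source address sends the request.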

In addition, security testing course experts reported an issue in the web client's login flow, which uses a temporary redirect to ask the user to consent to the terms of service. The flaw in the token used during that redirect could make other attacks on the login mechanism easier to carry out.

As a precaution, Zoom disabled its web client until updates were released. The developers of the platform have recently been working at full speed to address all the reports they receive; while some of the issues reported to the company pose no risk to users, other flaws could compromise the sensitive information circulating on the platform.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.