Fun fact: If you noticed a while ago Zoom's web client going AWOL for a week, it's because someone found a passcode-cracking hole

Zoom has confirmed it fixed a vulnerability that could have been exploited by miscreants to crack the passcodes needed to access strangers' private chin-wagging. The video-conferencing biz said it addressed the weakness in its systems after the issue was discovered and privately reported by UK-based bug-hunter Tom Anthony. To …

  1. GrumpenKraut

    Short visits, last week

    Zoom meeting last week supposedly only accessible for a group of registered people. There were second-long appearances with funny names like Sn00p3r. Has anyone observed similar things?

    1. Roland6

      Re: Short visits, last week

      > Has anyone observed similar things?

      Not when using the waiting room functionality.

      Mind you, the big problem with Zoom is that it seems the passcodes are per user not per meeting - hence why the use of the waiting room functionality is essential.

    2. TeeCee

      Re: Short visits, last week

      I think that's an old one and a user problem.

      1) User generates six digit passcode for meeting as described.

      2) User posts on farcebum or tw@ter "Iz joins heer for meet kids on Thu zoom 123456".

      3) Bored git sees post and has their willy make an appearance in said meeting.

      The fundamental security hole in Zoom is that it allows unvalidated attendees. If it were a "these email addresses and this passcode to join" thing, there'd be no problem. Unfortunately, lusers really like that "all u needs is my codes and is go heer" functionality and Zoom would be shooting their service in the head if they tightened things up.

      1. GrumpenKraut

        Re: Short visits, last week

        Oh. Thanks for both replies!

  2. Mike the FlyingRat

    Two issues...

    First, the fact that there wasn't a delay... (Common practice for most of this century)

    Second... This activity should have caused a monitor to flag the offending IP address launching these requests for a single meeting and then drop that IP address at the firewall for at least 24 hours and file an automated report.

    Both fairly simple to implement.
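    Added example, not part of the thread or of Zoom's systems: the per-meeting monitor described in the comment above, in Python, run over constructed log lines. The log format, the thresholds (10 failed passcode attempts against one meeting within 5 minutes triggers a 24-hour block) and the IP addresses are assumptions for illustration.

    ```python
    from collections import defaultdict
    from datetime import datetime, timedelta

    # Assumed thresholds, not Zoom's real settings.
    MAX_FAILS_PER_MEETING = 10
    WINDOW = timedelta(minutes=5)
    BLOCK_FOR = timedelta(hours=24)

    def parse_line(line):
        # Constructed format: "<ISO timestamp> <ip> meeting=<id> passcode_result=<ok|fail>"
        ts, ip, meeting, result = line.split()
        return (datetime.fromisoformat(ts), ip,
                meeting.split("=", 1)[1], result.split("=", 1)[1])

    def detect_passcode_bruteforce(lines, max_fails=MAX_FAILS_PER_MEETING,
                                   window=WINDOW, block_for=BLOCK_FOR):
        """Return {ip: (meeting_id, blocked_until)} for IPs that exceed the
        failed-attempt threshold against a single meeting inside the window."""
        fails = defaultdict(list)   # (ip, meeting) -> timestamps of recent failures
        blocked = {}                # ip -> (meeting, block expiry); the firewall-drop list
        for line in lines:
            ts, ip, meeting, result = parse_line(line)
            if ip in blocked and ts < blocked[ip][1]:
                continue            # already dropped at the firewall, never reaches the app
            if result != "fail":
                continue            # only failed passcode checks count towards the threshold
            key = (ip, meeting)
            recent = [t for t in fails[key] if ts - t <= window]
            recent.append(ts)
            fails[key] = recent
            if len(recent) >= max_fails:
                blocked[ip] = (meeting, ts + block_for)   # block and (in practice) file a report
        return blocked

    # Constructed sample log: one user who mistypes twice, and one source guessing
    # a new passcode every two seconds against the same meeting.
    SAMPLE_LOG = [
        "2020-07-30T10:00:00 203.0.113.5 meeting=111222333 passcode_result=fail",
        "2020-07-30T10:00:20 203.0.113.5 meeting=111222333 passcode_result=fail",
        "2020-07-30T10:00:40 203.0.113.5 meeting=111222333 passcode_result=ok",
    ] + [
        f"2020-07-30T10:01:{2 * i:02d} 198.51.100.9 meeting=111222333 passcode_result=fail"
        for i in range(12)
    ]

    if __name__ == "__main__":
        for ip, (meeting, until) in detect_passcode_bruteforce(SAMPLE_LOG).items():
            print(f"block {ip} (meeting {meeting}) until {until.isoformat()}")
    ```
    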

  3. MachDiamond

    Solid as a lace curtain

    I see several stories a week about holes in Zoom. I was astounded to read an article that Princess Anne was teaching HRM how to use Zoom. With all of the tabloids gunning for the Royals, Zoom is probably a really bad idea for them to use.

  4. Claptrap314

    Get the very basics down

    These guys look like they took lessons from Microsoft regarding security...

  5. TrumpSlurp the Troll

    Whatever happened

    To the reports that Zoom was profiling your machine and storing all sorts of information unrelated to the Zoom call?

Biting the hand that feeds IT © 1998–2020