Fun fact: If you noticed a while ago Zoom's web client going AWOL for a week, it's because someone found a passcode-cracking hole Zoom has confirmed it fixed a vulnerability that could have been exploited by miscreants to crack the passcodes needed to access strangers' private chin-wagging. The video-conferencing biz said it addressed the weakness in its systems after the issue was discovered and privately reported by UK-based bug-hunter Tom Anthony. To …
I think that's an old one and a user problem.
1) User generates six digit passcode for meeting as described.
2) User posts on farcebum or tw@ter "Iz joins heer for meet kids on Thu zoom 123456".
3) Bored git sees post and has their willy make an appearance in said meeting.
The fundamental security hole in Zoom is that it allows unvalidated attendees. If it were a "these email addresses and this passcode to join" thing, there'd be no problem. Unfortunately, lusers really like that "all u needs is my codes and is go heer" functionality and Zoom would be shooting their service in the head if they tightened things up.
First, the fact that there wasn't a delay... (Common practice for most of this century)
Second... This activity should have caused a monitor to flag the offending IP address launching these requests for a single meeting and then drop that IP address at the firewall for at least 24 hours and file an automated report.
Both fairly simple to implement.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
