Zoom security flaw meant random people could have spied on your calls

Bug could have been used to snoop on virtual cabinet meeting, researcher suggests

Anthony Cuthbertson
Thursday 30 July 2020 13:16 BST

A security flaw in Zoom meant hackers could enter password-protected calls "in a matter of minutes", a researcher has revealed.

The issue stemmed from a lack of limits on the number of times a password could be attempted on private meetings.

Video chats were protected by default by a six-digit password, meaning there were 1 million possibilities. Attackers could therefore brute force all the different combinations relatively quickly and easily.
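The defensive counterpart to the missing attempt limit described above, as an added example that is not from the article, the researcher or Zoom: a sliding-window limiter on failed passcode attempts, with a helper that shows how long the 1 million combinations take to exhaust once a limit exists. The class name, the thresholds and the choice to key on the meeting ID are assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

KEYSPACE = 10 ** 6  # six-digit numeric passcode: 1 million possibilities


class MeetingAttemptLimiter:
    """Sliding-window cap on failed passcode attempts (hypothetical design).

    The budget is keyed on the meeting ID rather than the client address,
    so guesses spread across many source addresses still share one budget.
    """

    def __init__(self, max_failures=10, window_s=600, clock=time.monotonic):
        self.max_failures = max_failures  # assumed threshold
        self.window_s = window_s          # assumed window, in seconds
        self.clock = clock                # injectable so tests can control time
        self._failures = defaultdict(deque)

    def _recent_failures(self, meeting_id):
        # Drop failure timestamps that have aged out of the window.
        q = self._failures[meeting_id]
        cutoff = self.clock() - self.window_s
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def check(self, meeting_id, supplied, expected):
        """Return 'ok', 'wrong' or 'throttled' for one join attempt."""
        if len(self._recent_failures(meeting_id)) >= self.max_failures:
            # Refuse before comparing, so a throttled client learns nothing.
            return "throttled"
        if hmac.compare_digest(supplied, expected):
            return "ok"
        self._failures[meeting_id].append(self.clock())
        return "wrong"


def worst_case_days(limiter):
    """Days needed to try the whole keyspace at the limiter's maximum rate."""
    attempts_per_day = limiter.max_failures * 86400 / limiter.window_s
    return KEYSPACE / attempts_per_day


if __name__ == "__main__":
    print(f"{worst_case_days(MeetingAttemptLimiter()):.0f} days to exhaust")
```

A per-meeting budget can be used up by anyone who knows the meeting ID, which blocks invited participants until the window passes, so the thresholds are a trade-off between guessing resistance and availability.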

The vulnerability was discovered by Tom Anthony, vice president of Product at SEO firm SearchPilot, who first reported it to Zoom on 1 April.

Details of the exploit were only publicly disclosed on Wednesday, though Zoom said that the issue was mitigated on 9 April, meaning any calls after that date were no longer vulnerable.

There is no evidence that the security flaw was used by hackers, but the nature of such attacks means it would be nearly impossible to find out.

Video conference app Zoom has been used for cabinet meetings by the UK government during the coronavirus lockdown (Zoom)

Mr Anthony suggests it could have been used in highly confidential meetings that took place over the video chat platform during lockdown measures introduced in late March to contain the coronavirus pandemic.

"On 31 March, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID," Mr Anthony wrote in a blog post detailing the bug.

"I noted in Boris Johnson's screenshot that there is a user simply called 'iPhone' that is muted with the camera off. It got me wondering whether this flaw has previously been found - if I could discover it then it seems plausible that others could too, which makes this bug particularly worrisome."

A list of participants in the UK cabinet meeting held over Zoom on 31 March. (Zoom)

It is the latest in a series of issues with the platform, which saw a trend known as 'Zoombombing' emerge in March and April, whereby people would enter video calls uninvited.

In the most severe instances, participants were subjected to footage of child sex abuse.

In response to the latest disclosure, a spokesperson for Zoom told The Independent: "Upon learning of this issue we immediately took down the Zoom web client to ensure our users' security while we implemented mitigations.

"We have since improved rate limiting... and relaunched the web client on 9 April. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild."
