Abstract
- I found a security issue related to the strength of password authentication.
- This can be attacked from a remote host and threaten confidentiality and availability of Zoom service.
- CVSS score would be 6.5.
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:H/RL:O/RC:R
Background
- When you create a meeting room in Zoom, a new room ID and password will be generated for you.
- It will also generate a URL that contains the room’s ID and password information.
- By accessing this URL, you can join your meeting room in Zoom. (Example below; the URL was valid at the time of writing.)
https://zoom.us/j/98459262939?pwd=K1J6VjdFd2NpTWpaenJ6WE0zWml0QT09
- The 11 digits represent the room ID and the pwd parameter in the query string represents the password.
- The 98459262939 part is the room ID. It looks like it is probably issued as a sequential number.
- The K1J6VjdFd2NpTWpaenJ6WE0zWml0QT09 in the pwd parameter of this URL represents the password.
Issue
- This password is made up of a combination of upper and lower case letters and numbers.
- Its length is 32 characters. The trailing two characters seem to be fixed.
- Therefore, the number of possible passwords is (26+26+10)^30. (a-z, A-Z, 0-9)
However, Zoom's server-side processing does not treat the password as case sensitive, so there are actually only (26+10)^30 combinations. (That is, the password was intended to be case sensitive, but the authentication program evaluates it case insensitively.)
Therefore, it is probably 10^30 times weaker than the cryptographic strength Zoom is assuming.
Recording of the procedure
The procedure in the video
- Go to the correct URL.
- Access the URL with all letters of the pwd parameter capitalized. It should be denied, but the password is accepted.
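The defect described in the Issue section and checked by the procedure above, as an added example that is not part of the original post: a case-insensitive comparison (the behaviour a case-insensitive storage collation produces) beside a byte-exact, constant-time comparison, plus the keyspace arithmetic using the post's alphabet sizes. The function names and the use of hmac.compare_digest are my assumptions about a reasonable fix, not Zoom's code; the sample password is the pwd value quoted in the post.

```python
import hmac
import math
import secrets
import string

# Alphabet the post describes for the password: a-z, A-Z, 0-9.
ALPHABET = string.ascii_letters + string.digits

# Sample value taken from the post's example URL (no longer valid).
SAMPLE_PWD = "K1J6VjdFd2NpTWpaenJ6WE0zWml0QT09"


def generate_password(length: int = 30) -> str:
    """Generate a random password from ALPHABET using a CSPRNG (hypothetical generator)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly chosen string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def verify_case_insensitive(stored: str, supplied: str) -> bool:
    """The flawed check: equivalent to matching under a case-insensitive collation.

    Upper- and lower-case letters collapse together, so the effective alphabet
    shrinks from 62 symbols to 36.
    """
    return stored.casefold() == supplied.casefold()


def verify_strict(stored: str, supplied: str) -> bool:
    """The hardened check: byte-exact and constant-time, so case is preserved
    and the comparison does not leak where the first mismatch occurs."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def run_procedure(verify, stored: str) -> dict:
    """Replay the post's two-step procedure against a verifier.

    Returns whether the exact password and its all-uppercase variant are accepted.
    A correct implementation accepts the first and rejects the second.
    """
    return {
        "exact": verify(stored, stored),
        "uppercased": verify(stored, stored.upper()),
    }


if __name__ == "__main__":
    print("flawed  :", run_procedure(verify_case_insensitive, SAMPLE_PWD))
    print("strict  :", run_procedure(verify_strict, SAMPLE_PWD))
    print("62^30 bits:", round(keyspace_bits(62, 30), 1))
    print("36^30 bits:", round(keyspace_bits(36, 30), 1))
```

The detection side of this is the procedure itself: submitting a deliberately mis-cased copy of a known-good credential against a test account and expecting a rejection is a cheap regression check to keep in an authentication test suite.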
My thought
- I sent an email to Zoom's security incident contact, but the contact person didn't understand it, so I wrote it on this blog.
- It's a common mistake in implementations: the storage engine (e.g. a database) holds this password, and I believe the string is stored and evaluated by matching it against the pwd parameter in the URL. However, since the storage engine is not case sensitive, the authentication passes. This is a common mistake at the implementation level.
- Even if the cryptographic strength is weakened by a factor of 10^30, it is still strong enough, so this is not a big deal for security in most cases.
2020/7/2
- This issue has been fixed by Zoom after I submitted this report to Zoom.
- There is no response from Zoom.