
I found a vulnerability related to the potential of Zoom Bomb

Abstract

  • I found a security issue related to the strength of password authentication.
  • It can be attacked from a remote host and threatens the confidentiality and availability of the Zoom service.
  • The CVSS score would be 6.5.
    • CVSS:3.0/AV/AC/PR/UI/S/C/I/A/E/RL/RC

Background

  • When you create a meeting room in Zoom, a new room ID and password are generated for you.
  • Zoom also generates a URL that contains the room's ID and password.
  • By accessing this URL you can join your meeting room in Zoom. (Example below; the URL was valid at the time of writing.)
  • The 11 digits represent the room ID, and the pwd parameter in the query string is the password.
  • The 98459262939 part is the room ID. It looks like it is issued as a sequential number.
  • The K1J6VjdFd2NpTWpaenJ6WE0zWml0QT09 value in the pwd parameter of this URL is the password.

Issue

  • This password is made up of a combination of upper-case letters, lower-case letters and digits.
  • It is 32 characters long. The trailing two characters appear to be fixed.
  • Therefore, the number of possible patterns is (26+26+10)^30. (a-z, A-Z, 0-9)

However, Zoom's server-side processing does not treat the password as case sensitive, so there are actually only (26+10)^30 combinations.

The password was intended to be case sensitive, but the authentication code evaluates it case-insensitively.

Therefore, it is probably 10^30 times weaker than the cryptographic strength Zoom is assuming.

Recording of the procedure

The procedure shown in the video:

  • Go to the correct URL.
  • Access the same URL with every letter in the pwd parameter capitalized. It should be denied, but the password is accepted.
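To make the keyspace arithmetic and the comparison bug concrete, here is an added example (not code from the post or from Zoom). It models the two password checks described above, a case-sensitive one and the case-insensitive one the author observed, using the pwd value from the post, and computes the (26+26+10)^30 and (26+10)^30 keyspaces. The "stored password" and the comparison functions are hypothetical models of the behaviour, not Zoom's implementation.

```python
import hmac
import math

# pwd value from the post's example URL (the trailing two characters are treated as fixed).
EXAMPLE_PWD = "K1J6VjdFd2NpTWpaenJ6WE0zWml0QT09"
VARIABLE_LEN = 30          # 32 characters minus the two fixed trailing ones
MIXED_CASE_ALPHABET = 26 + 26 + 10   # a-z, A-Z, 0-9
FOLDED_ALPHABET = 26 + 10            # a-z/A-Z collapse into one set when case is ignored


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords over an alphabet of the given size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Password entropy in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def strength_loss_factor(length: int = VARIABLE_LEN) -> float:
    """Ratio of the intended keyspace to the keyspace an attacker actually faces
    when the server compares case-insensitively."""
    return keyspace(MIXED_CASE_ALPHABET, length) / keyspace(FOLDED_ALPHABET, length)


def verify_case_sensitive(stored: str, supplied: str) -> bool:
    """Correct check: exact, constant-time comparison of the two strings."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def verify_case_insensitive(stored: str, supplied: str) -> bool:
    """Hypothetical model of the observed behaviour: a case-insensitive
    lookup (for example a case-insensitive database collation) accepts
    any case variant of the stored password."""
    return stored.casefold() == supplied.casefold()


def demo() -> dict:
    """Repeat the post's procedure: submit the pwd value fully capitalized."""
    upper = EXAMPLE_PWD.upper()
    return {
        "accepted_by_sensitive_check": verify_case_sensitive(EXAMPLE_PWD, upper),
        "accepted_by_insensitive_check": verify_case_insensitive(EXAMPLE_PWD, upper),
        "intended_bits": round(entropy_bits(MIXED_CASE_ALPHABET, VARIABLE_LEN), 1),
        "effective_bits": round(entropy_bits(FOLDED_ALPHABET, VARIABLE_LEN), 1),
        "keyspace_ratio": strength_loss_factor(),
    }


if __name__ == "__main__":
    print(demo())
```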

My thought

  • I sent an email to Zoom's security incident contact, but the contact person didn't understand it, so I wrote it on this blog.
  • It's a common mistake in implementations. The storage engine (e.g. a database) holds this password, and I believe the stored string is evaluated by matching it against the pwd parameter in the URL. However, since the storage engine is not case sensitive, the authentication passes. This is a common mistake at the implementation level.
  • Even if the cryptographic strength is weakened by a factor of 10^30, it is still strong enough, so this is not a big deal for security in most cases.

2020/7/2

  • This issue has been fixed by Zoom after I submitted this report to Zoom.
  • There has been no response from Zoom.
https://blog.teraren.com/posts/security-vulnerability-related-to-the-potential-of-zoom-bomb/
Author: Yuki Matsukura
Published: 2020-06-29
License: CC BY-NC-SA 4.0