CERT-In Vulnerability Note
Information disclosure Vulnerability in Zoom
Original Issue Date:February 06, 2020
Severity Rating: MEDIUM
- Zoom Client version 4.6.4 and prior
A vulnerability has been reported in Zoom which could be exploited by a remote attacker to join meetings which are currently active leading to sensitive information disclosure.
This vulnerability exists in Zoom due to the weak authentication used during video conferencing. Joining a video conference does not require a conference password; it requires only a meeting ID of 9, 10 or 11 digits. A remote attacker could exploit this vulnerability by pre-generating a list of potential meeting IDs and preparing a URL string for joining a meeting, which returned a response indicating "Valid Meeting ID found" if the ID was linked to an active conference, or "Invalid Meeting ID" if it was not.
Successful exploitation of this vulnerability could allow a remote attacker to join an active video conference and obtain access to sensitive information such as documents, presentations, etc.
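The weakness described above is that the join endpoint acts as an oracle: a short numeric meeting ID is the only secret, and each probe reveals whether that ID is active. From the defender's side, the observable signature is a single source probing many distinct meeting IDs in a short window with mostly "invalid" responses. The following is an added example, not part of the CERT-In note and not Zoom's code; it runs a sliding-window detector over constructed join-attempt log lines. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical join-attempt log format (constructed for this example;
# this is NOT Zoom's real log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) meeting_id=(?P<mid>\d{9,11}) "
    r"result=(?P<result>valid|invalid)$"
)

# Constructed sample lines: one source sweeps consecutive IDs, two are normal users.
SAMPLE_LOG = """\
2020-02-06T10:00:00Z src=203.0.113.7 meeting_id=123456789 result=invalid
2020-02-06T10:00:01Z src=203.0.113.7 meeting_id=123456790 result=invalid
2020-02-06T10:00:02Z src=203.0.113.7 meeting_id=123456791 result=invalid
2020-02-06T10:00:03Z src=203.0.113.7 meeting_id=123456792 result=invalid
2020-02-06T10:00:04Z src=203.0.113.7 meeting_id=123456793 result=valid
2020-02-06T10:00:05Z src=203.0.113.7 meeting_id=123456794 result=invalid
2020-02-06T10:00:10Z src=198.51.100.20 meeting_id=555555555 result=valid
2020-02-06T10:00:40Z src=198.51.100.20 meeting_id=555555555 result=valid
2020-02-06T10:05:00Z src=192.0.2.9 meeting_id=111111111 result=invalid
2020-02-06T10:05:30Z src=192.0.2.9 meeting_id=111111111 result=valid
this line is malformed and must be skipped
"""


def parse_lines(text):
    """Parse log text into (timestamp, source, meeting_id, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["mid"], m["result"]))
    return events


def detect_enumeration(events, window=timedelta(seconds=60),
                       min_distinct_ids=5, min_invalid_ratio=0.5):
    """Flag sources that probe many distinct meeting IDs within `window`
    with a high share of 'invalid' responses. A legitimate user retrying
    one meeting ID (even with a typo) never reaches the distinct-ID bar."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e[2] for e in span}
            invalid = sum(1 for e in span if e[3] == "invalid")
            if len(distinct) >= min_distinct_ids and invalid / len(span) >= min_invalid_ratio:
                alerts.append({
                    "src": src,
                    "distinct_ids": len(distinct),
                    "attempts": len(span),
                    "window_start": span[0][0].isoformat(),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_lines(SAMPLE_LOG)):
        print(f"possible meeting-ID enumeration from {alert['src']}: "
              f"{alert['distinct_ids']} distinct IDs in {alert['attempts']} attempts "
              f"starting {alert['window_start']}")
```

The thresholds are deliberately conservative so that a user who mistypes a meeting ID a few times is not flagged; the distinguishing feature of enumeration is breadth (many distinct IDs) combined with a high failure rate, not failure alone. Detection is a backstop, though: the mitigation that removes the oracle is requiring a meeting password in addition to the ID, as the updated client described by the vendor does.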
Apply the appropriate updates as mentioned by the vendor.
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003