Last summer saw reports of a serious vulnerability in the macOS version of Zoom, the video conferencing software aimed mainly at the professional sector. The problem was solved within a few days by the release of a patch, also following Apple's intervention. Today researchers at Check Point Research report a new flaw in the same program, fortunately already fixed by the developer.
Zoom, new security issue (solved)
This is a critical issue that can potentially allow anyone to identify a meeting in progress and take part in it. This is because the ID that distinguishes each individual conference is always made up of a 9, 10 or 11 digit number. If the organizer of the meeting does not explicitly require the participants to enter a password or does not activate the option to manually confirm their entry when connected (via a sort of waiting list), the risk is that by typing a random ID anyone can join the conversation.
Check Point Research developed a method that can verify whether the ID entered in the browser to join a meeting corresponds to a meeting that is actually taking place, by analyzing a div element in the HTML of the page shown when trying to connect via an address such as "https://zoom.us/j/8***34***9". In doing so, the researchers ended up with a not insignificant number of rooms with Zoom video conferences in progress: a click would have been enough to enter them, unless the administrator had enabled the waiting list mentioned above or made it mandatory to enter the password.
Alerted to the problem as early as last July (a few days after the report of the vulnerability mentioned at the beginning of the article), the software house resolved it by reworking the algorithm that generates the identification code of each meeting.
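From the service operator's side, the ID probing described above shows up as one client requesting many different join URLs in a short time. The following detection sketch is an added example, not code from Check Point or Zoom; the log layout, the window and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Join paths carry a 9-, 10- or 11-digit meeting ID, e.g. /j/<id>.
JOIN_RE = re.compile(r"^/j/(\d{9,11})$")

def parse(line):
    """Parse 'timestamp ip method path' (assumed log layout); None if not a join request."""
    parts = line.split()
    m = JOIN_RE.match(parts[3]) if len(parts) == 4 else None
    return (datetime.fromisoformat(parts[0]), parts[1], m.group(1)) if m else None

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=10):
    """Map each client IP that requested more than max_distinct different
    meeting IDs inside any sliding window to its peak distinct-ID count."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, meeting_id in events:
            in_window[meeting_id] += 1
            while ts - events[start][0] > window:  # drop requests older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges, made-up IDs), not real traffic."""
    t0 = datetime(2020, 1, 1, 10, 0, 0)
    row = lambda dt, ip, path: f"{(t0 + dt).isoformat()} {ip} GET {path}"
    # One client walking 30 different IDs, one request per second.
    lines = [row(timedelta(seconds=i), "203.0.113.7", f"/j/{100000000 + 7919 * i}") for i in range(30)]
    # An ordinary participant retrying the same meeting three times.
    lines += [row(timedelta(seconds=20 * i), "198.51.100.20", "/j/1234567890") for i in range(3)]
    # A user joining two meetings half an hour apart, plus a non-join request.
    lines += [row(timedelta(0), "192.0.2.55", "/j/98765432101"),
              row(timedelta(minutes=30), "192.0.2.55", "/j/555666777"),
              row(timedelta(0), "192.0.2.55", "/signin")]
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Repeated requests for the same ID do not count toward the threshold, so a participant retrying one meeting link is not flagged.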