Zoom squashed a bug that left private meetings unprotected

Corporate conferencing software provider Zoom patched a security flaw that could have enabled hackers to spy on private meetings, the company says.

Check Point Software Technologies, the Israel-based security vendor, said Tuesday it uncovered the security vulnerability last year and alerted Zoom, which fixed the issue in an August software update. Attackers could have exploited the bug by creating a list of nine, 10 or 11-digit meeting identification numbers, then enter any meeting in those sessions that wasn’t protected by a password. If a user had failed to require a password to their conference, the meeting ID number would have been the only thing safeguarding the conversation from eavesdroppers, Check Point said.

In response, Zoom updated its policies to add password to all scheduled meetings by default, make it more difficult for attackers to view meetings they might try to infiltrate and block devices that repeatedly scan for meeting IDs.

This issue is distinct from another flaw detailed by a security researcher last year that would have made it possible for a hacker to activate a Zoom user’s camera or disrupt their connection with a denial-of-service attack. The researcher, Jonathan Leitschuh, of the engineering firm Gradle, went public with his findings in July, meaning Zoom was working to mitigate both of these vulnerabilities around the same time in summer 2019.

Discovery of these issues coincided with a period of explosive growth for Zoom.

Based in San Jose, California, the video conferencing company experienced 76% year-over-year growth in terms of app installations, according to an analysis published Tuesday by the identity management firm Okta. Over the past three years, Zoom adoption has grown by 876%, according to Okta’s most recent poll of 7,400 clients, while second-place Cisco Webex grew by 91% over the same period.

Zoom went public in April. It projected total revenue between $609 million and $610 million in 2020.