A flaw in Webex and Zoom let researchers snoop on users’ video calls

A team of security researchers found they could tap into Webex and Zoom video meetings because many weren’t protected with a code.

Researchers at Cequence, a startup focused on protecting applications from scraping and account takeovers, programmed a bot to cycle through lists of valid meeting IDs and get access to active conference calls. The vulnerability works because many companies and users don’t protect their meetings with a password, either for convenience or they had not checked their default settings, coupled with a limited pool of meeting IDs.

By targeting the platforms’ APIs, they were able to automate the process.

The researchers reported the flaws to both Cisco, which owns Webex, and Zoom in July. Both companies have since pushed out fixes.

The attack would not be silent, however: callers who successfully access a meeting are announced.

Cisco said it was “not aware” of any malicious exploitation of the vulnerability on its platform. Zoom said it was “grateful” to the researchers, adding that it improved its server protections to prevent bot attacks.

Zoom caught flack in July when it failed to remove a web server from Macs when users uninstalled the app, causing a security scare. The company fixed the issue, but Apple was later forced to intervene to ensure all Mac users were protected.

Cequence earlier this year secured $17 million in its Series B backed by Dell Technologies Capital and Shasta Ventures, bringing the total raised to $30 million.

Apple has pushed a silent Mac update to remove hidden Zoom web server