- Report: Zoom’s Waiting Room Vulnerability
- Date Published: April 8, 2020
Zoom for Mac, Linux, and Windows < 4.6.10
If a Zoom host enables the waiting room feature for a meeting, then the host must vet potential attendees before they are allowed into the meeting. Prospective attendees in the waiting room see a blank screen with a message: “Please wait, the meeting host will let you in soon” (Figure 1). If the meeting host approves the attendee, then they will be admitted to the meeting. We discovered that unapproved users in a Zoom waiting room had access to the meeting’s AES-128 key, as well as a live video stream (but not an audio stream) of the meeting. Though this video stream was not displayed in the Zoom UI, an unapproved user could have extracted and decrypted the video from their Internet traffic
Unapproved users would be able decrypt video of private calls without authorization.
- Apr 8th, 2020 - report published