Check Point Research revealed Tuesday that it discovered the eavesdropping hack that impacted "scores" of video meetings on Zoom, which has more than 74,000 customers and is used by 60 percent of the Fortune 500 and more than 96 percent of the country's top colleges, according to Check Point.
"Zoom is one of the most popular video call applications, and these kinds of apps became so easy to use in the past year. But it's a double-edged sword because they also pose security concerns," Check Point head of Cyber Security Research Yaniv Balmas told FOX Business.
"These security concerns should be visible and people should know about them," he added.
The hack left Zoom vulnerable to bad actors who could have "easily" created and verified their own Zoom Meeting IDs to eavesdrop on victims' meetings. Hackers had access to all audio, video and documents shared throughout these video meetings, Check Point found.
"If you want to join a Zoom meeting, you need a nine to thirteen-digit Zoom ID," Balmas explained. "If you want to join a meeting, you shouldn't be able to guess that ID."
Check Point researchers, however, discovered a way to guess Zoom IDs by generating a number of potential ID combinations using "automation techniques" until they reached a verified ID, which allowed them to join meetings that were not password protected. Check Point was able to join the meeting pages of conference calls hosted by team members with Victoria's Secret and HBO, Balmas explained.
It is unclear whether bad actors have actually used this vulnerability to eavesdrop on conference calls, but Check Point's research helped highlight the issue for Zoom, which subsequently made security updates to the app.
Check Point first notified Zoom about the issue in July.
The video app's latest security changes, made in September, include default passwords, password additions, account and group-level password enforcement, meeting ID verification and a blocking tool, Check Point reported. The research company and Zoom coordinated the release of the news on Tuesday so that Zoom had enough time to make fixes before the vulnerability was reported and hackers could not take advantage of it before the app was updated.
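The report does not describe how the blocking tool works. As an added example (not Zoom's or Check Point's code), the sketch below shows one way a service could flag a client that requests many distinct non-existent meeting IDs within a short window; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed look-back window
MAX_DISTINCT_MISSES = 5  # assumed number of distinct unknown IDs tolerated


def find_enumerators(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_MISSES):
    """Return {client: time_blocked} for clients probing many distinct unknown IDs.

    events: iterable of (unix_time, client, meeting_id, id_exists) tuples.
    """
    misses = defaultdict(deque)  # client -> deque of (time, meeting_id) misses
    blocked = {}
    for ts, client, meeting_id, exists in sorted(events):
        if client in blocked or exists:
            continue  # already blocked, or a legitimate hit on a real meeting
        recent = misses[client]
        recent.append((ts, meeting_id))
        # Drop misses that have aged out of the sliding window.
        while recent and recent[0][0] <= ts - window:
            recent.popleft()
        # Count distinct IDs so retyping the same wrong ID is not penalised.
        if len({mid for _, mid in recent}) > limit:
            blocked[client] = ts
    return blocked


def build_sample_events():
    """Constructed join-attempt records (documentation IP ranges, made-up IDs)."""
    events = [
        (1000, "198.51.100.7", "123456789", False),  # user mistypes an ID
        (1010, "198.51.100.7", "123456788", False),  # mistypes again
        (1020, "198.51.100.7", "123456780", True),   # then joins the meeting
        (1005, "192.0.2.10", "555000111", True),     # ordinary join
    ]
    # Constructed scanner traffic: a new ID every second, one of which exists.
    for i in range(12):
        events.append((1000 + i, "203.0.113.9", str(700000000 + i * 37), i == 9))
    return events


if __name__ == "__main__":
    for client, when in find_enumerators(build_sample_events()).items():
        print(f"block {client}: more than {MAX_DISTINCT_MISSES} unknown IDs by t={when}")
```

Counting distinct unknown IDs rather than raw failures keeps an attendee who mistypes an ID a few times from being blocked, while a client cycling through many IDs trips the threshold quickly.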
"The privacy and security of Zoom's users is our top priority. The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research and collaborating with us," a Zoom spokesperson told FOX Business.
Zoom made security updates in June after a similar hack, which allowed bad actors to gain access to Mac users' cameras through the app, was discovered in March. It took Zoom months to make a "quick fix" to the app after being notified, Gradle Inc. security researcher and software engineer Jonathan Leitschuh wrote in a Medium post.
"Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack," Leitschuh wrote in the post.
Balmas said Zoom was very cooperative and "responded well" to Check Point's research.
"Software has bugs, and Zoom is no exception," Balmas said.