Check Point security researchers have found that a flaw in the Zoom online meeting system could let cyberthieves snoop on meetings and see all shared content.

Zoom is a platform that offers video conferencing with real-time messaging and content sharing. It includes support for both desktop and mobile devices and offers end-to-end encryption for meetings and team chats.

Check Point says the flaw was that, in some cases, a meeting was protected only by its Zoom Meeting ID, a number of 9, 10 or 11 digits.

The vulnerable configurations, the researchers say, were those where the “Require meeting password” option was not enabled, or where no Waiting Room was enabled for the manual admission of participants.

Check Point’s researchers showed that an attacker could predict Meeting IDs and potentially join active meetings.

The researchers generated a number of potentially valid Zoom Meeting IDs, built the URL string for joining each meeting, and then checked whether the IDs were valid.

“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, compared to the pure brute force,” Check Point explains.

The researchers reported the problem to Zoom in July 2019, and in September the company made several changes to its client and infrastructure to remove the vulnerability.

Zoom now requires a password when scheduling new meetings, for instant meetings, and for the Personal Meeting ID (PMI).

Additionally, Zoom no longer automatically indicates whether a meeting ID is valid or invalid. Instead, the page loads and attempts to join the meeting, which increases the time an attacker needs to find a valid meeting.
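The two fixes described above come down to removing a validity oracle and making the ID alone insufficient. The following is an added illustration, not code from Check Point or Zoom: a toy join endpoint in its leaky form next to a hardened form that always requires a password and answers identically for an unknown ID and a wrong password, plus a defender-side check that flags a source probing many distinct meeting IDs. The meeting store, IDs, passwords, the 20-ID threshold and the source addresses are all constructed for this example.

```python
"""Toy model of a meeting join check: leaky 'before' vs hardened 'after'.
Added example; the meetings, passwords and addresses below are constructed."""
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: scheduled meetings keyed by a 9-11 digit ID.
MEETINGS = {
    "123456789": {"password": "s3cret-a"},
    "98765432101": {"password": "s3cret-b"},
}


def is_well_formed_id(meeting_id: str) -> bool:
    """Meeting IDs are 9, 10 or 11 digits (per the article)."""
    return meeting_id.isdigit() and 9 <= len(meeting_id) <= 11


def join_leaky(meeting_id: str) -> str:
    """'Before' behaviour: the ID alone admits a caller and the response
    immediately reveals whether the ID is valid (a validity oracle)."""
    return "valid" if meeting_id in MEETINGS else "invalid"


def join_hardened(meeting_id: str, password: str) -> str:
    """'After' behaviour: a password is always required, the comparison runs
    even for unknown IDs, and the reply does not distinguish 'no such meeting'
    from 'wrong password', so probing an ID learns nothing about validity."""
    if not is_well_formed_id(meeting_id):
        return "unable to join"
    meeting = MEETINGS.get(meeting_id)
    # Compare against a throwaway secret when the ID is unknown so the code
    # path and the response are the same either way.
    expected = meeting["password"] if meeting else secrets.token_hex(8)
    password_ok = hmac.compare_digest(expected.encode(), password.encode())
    return "joined" if (meeting is not None and password_ok) else "unable to join"


def flag_enumeration(attempts, threshold: int = 20) -> list:
    """Defender-side check over join-attempt records (source, meeting_id):
    a single source trying many *distinct* meeting IDs looks like ID
    enumeration rather than a user mistyping one ID. Threshold is assumed."""
    probed = defaultdict(set)
    for source, meeting_id in attempts:
        probed[source].add(meeting_id)
    return sorted(src for src, ids in probed.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Constructed attempt log: one source sweeps 25 IDs, another retries one ID.
    log = [("10.0.0.5", f"{n:09d}") for n in range(25)]
    log += [("10.0.0.9", "123456789")] * 3
    print(join_leaky("000000000"))                      # leaks: invalid
    print(join_hardened("000000000", "anything"))       # unable to join
    print(join_hardened("123456789", "wrong"))          # unable to join (same reply)
    print(join_hardened("123456789", "s3cret-a"))       # joined
    print(flag_enumeration(log))                        # ['10.0.0.5']
```

The hardened function deliberately performs a comparison on the unknown-ID path and returns the same string for both failure cases; with the leaky function, the response text alone tells a caller which guesses hit, which is exactly what made sweeping the 9-11 digit space worthwhile.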
