Don’t Let Zombie Zoom Links Drag You Down – Krebs on Security

By admin
Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

At issue is the Zoom Personal Meeting ID (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room, available around the clock. The PMI forms part of each new meeting URL created by that account, such as:

zoom.us/j/5551112222

Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. The passcode travels in the link’s pwd query parameter. Following the previous example, such a link might look something like this:

zoom.us/j/5551112222?pwd=jdjsklskldklsdksdklsdkll

Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI remains the same for all meetings, anyone with your PMI link can join any ongoing meeting unless you have locked the meeting or activated Zoom’s Waiting Room feature.

Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it might open your meetings to unwanted intruders if not handled responsibly, particularly if that Zoom link is somehow indexed by Google or some other search engine. That happens to be the case for thousands of organizations.

Armed with one of these links, an attacker can create meetings and invite others using the identity of the authorized employee. And many companies using Zoom have made it easy to find recently created meeting links that include encrypted passcodes, because they have dedicated subdomains at Zoom.us.

Using the same method, KrebsOnSecurity also found working Zoom meeting links for The National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber. And that was from just a few minutes of searching. To illustrate the persistence of some of these Zoom links, Archive.org says several of the links were first created as far back as 2020 and 2021.


KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).


Akiri said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.

“These one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,” Akiri said. “Attackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.”


Akiri said he built a simple program to crawl the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.
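The link anatomy described earlier (a numeric meeting ID under /j/ plus an optional pwd parameter carrying the passcode) is enough to build a first-pass scanner for your own web properties, which is the kind of tool Akiri describes above. The following is an added example written for this page; it is not Akiri’s crawler and not code from Zoom or KrebsOnSecurity. It scans a set of page bodies for Zoom join links, groups them by meeting ID so a link repeated across pages stands out, and ranks each one. Two heuristics are assumptions rather than facts from the article: that a 10-digit meeting ID is probably a PMI (scheduled meetings normally get 11 digits), and that hosts shaped like us02web.zoom.us are Zoom’s own regional hosts while any other subdomain in front of zoom.us is a customer vanity URL. The sample pages are constructed, so it runs offline.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Zoom join link: optional subdomain of zoom.us, the /j/<meeting id> path, optional query string.
# When the passcode is embedded it sits in the "pwd" query parameter.
ZOOM_JOIN_RE = re.compile(
    r"https?://(?P<host>(?:[a-z0-9-]+\.)*zoom\.us)/j/(?P<mid>\d{9,11})(?P<query>\?[^\s\"'<>)]*)?",
    re.IGNORECASE,
)

# Assumption: these hosts are Zoom infrastructure, not a customer's vanity subdomain.
INFRA_HOST_RE = re.compile(r"^(?:www\.|us\d+web\.)?zoom\.us$", re.IGNORECASE)

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def has_embedded_passcode(query):
    """True when the query string carries a non-empty pwd parameter (one-click join)."""
    params = parse_qs(query.lstrip("?"))          # drops blank values such as "pwd="
    return bool(params.get("pwd", [""])[0])


def classify_link(host, meeting_id, queries):
    """Rank one distinct (host, meeting id) given every query string it was seen with."""
    embedded = any(has_embedded_passcode(q) for q in queries)
    likely_pmi = len(meeting_id) == 10            # assumption: PMIs are 10 digits, scheduled IDs 11
    vanity = None if INFRA_HOST_RE.match(host) else host.lower()
    if embedded and likely_pmi:
        risk = "high"      # one click into a permanent room: the zombie link the article describes
    elif embedded or likely_pmi:
        risk = "medium"    # passcode exposed for a one-off meeting, or a PMI that still needs a passcode
    else:
        risk = "low"
    return {
        "host": host.lower(),
        "meeting_id": meeting_id,
        "embedded_passcode": embedded,
        "likely_pmi": likely_pmi,
        "vanity_subdomain": vanity,
        "risk": risk,
    }


def scan_pages(pages):
    """pages: iterable of (page_url, body). Returns one record per distinct (host, meeting id),
    with the list of pages it appeared on, so a link copied across many pages is visible."""
    occurrences = defaultdict(list)                # (host, meeting id) -> [(page_url, query), ...]
    for page_url, body in pages:
        for m in ZOOM_JOIN_RE.finditer(body):
            key = (m.group("host").lower(), m.group("mid"))
            occurrences[key].append((page_url, m.group("query") or ""))
    findings = []
    for (host, mid), occ in occurrences.items():
        rec = classify_link(host, mid, [q for _, q in occ])
        rec["pages"] = sorted({p for p, _ in occ})
        findings.append(rec)
    return findings


def report(findings):
    """Human-readable lines, riskiest first; organizations identified by vanity subdomain."""
    lines = []
    for f in sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["host"], f["meeting_id"])):
        org = f["vanity_subdomain"] or "(zoom infrastructure host)"
        pwd = "yes" if f["embedded_passcode"] else "no"
        lines.append(f"{f['risk']:<6} {org:<28} id={f['meeting_id']} pwd={pwd} pages={len(f['pages'])}")
    return lines


# Constructed sample pages (hypothetical organization and meeting IDs, not real exposures).
SAMPLE_PAGES = [
    ("https://example.com/investor-call",
     '<a href="https://examplecorp.zoom.us/j/5551112222?pwd=abc123">Join the call</a>'),
    ("https://example.com/support",
     "Office hours: https://examplecorp.zoom.us/j/5551112222 (every Friday)"),
    ("https://example.com/webinar",
     "After registering, join https://us02web.zoom.us/j/81234567890?pwd=def456 at 10am"),
    ("https://example.com/partners",
     "Partner room: https://zoom.us/j/5551112223"),
]

if __name__ == "__main__":
    for line in report(scan_pages(SAMPLE_PAGES)):
        print(line)
```

On the constructed pages the examplecorp PMI is ranked high because it appears with an embedded passcode on one page and without it on another; the webinar link carries a passcode but looks like a one-off scheduled meeting, and the bare PMI on the partners page still needs a passcode, so both land at medium. The scanner only finds links; whether a link is still live can only be established by opening it, which this example deliberately does not do.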

According to Akiri, here are several tips for using Zoom links more safely:

Don’t Use Personal Meeting ID for Public Meetings: Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesn’t change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off your PMI when starting an instant meeting in your profile settings.

Require a Passcode to Join: You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.

Only Allow Registered or Domain Verified Users: Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. By default, Zoom also restricts participants to those who are logged into Zoom, and you can even restrict it to Zoom users whose email address uses a certain domain.

Further reading: How to Keep Uninvited Guests Out of Your Zoom Meeting

Update 12:33 p.m.: The list of affected organizations was updated, because several companies listed apparently only exposed links that let anyone connect to existing, always-on meeting rooms — not initiate and completely control a Zoom meeting. The real danger with the zombie links described above is that anyone can find and use them to create new meetings and invite others.