Don’t Let Zombie Zoom Links Drag You Down – Krebs on Security

Created on November 12, 2023 at 11:17 am

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

At issue is the Zoom Personal Meeting ID (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room available around the clock. The PMI portion forms part of each new meeting URL created by that account, such as:

zoom.us/j/5551112222

Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. Following the previous example, such a link might look something like this:

zoom.us/j/5551112222/pwd=jdjsklskldklsdksdklsdkll

Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI remains the same for all meetings, anyone with your PMI link can join any ongoing meeting unless you have locked the meeting or activated Zoom’s Waiting Room feature.

Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it might open your meetings to unwanted intruders if not handled responsibly, particularly if that Zoom link is somehow indexed by Google or some other search engine, which happens to be the case for thousands of organizations.

Armed with one of these links, an attacker can create meetings and invite others using the identity of the authorized employee. And many companies using Zoom have made it easy to find recently created meeting links that include encrypted passcodes, because they have dedicated subdomains at Zoom.us.
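The practical first step for a defender is to find out whether your own published pages, wikis and documents carry any of these one-click links. The following Python example is added here and is not code from the article or from Akiri’s crawler; it assumes only the link shapes shown above (`zoom.us/j/<id>`, optionally on a tenant subdomain, with the passcode as `?pwd=` or, as written in the sample above, `/pwd=`) and runs over a constructed HTML snippet.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Zoom join link: optional tenant/vanity subdomain, /j/<9-11 digit meeting ID>, then
# anything up to whitespace or an HTML/quote delimiter. The scheme is optional so that
# links written the way the article shows them (no https://) are still caught.
ZOOM_JOIN_RE = re.compile(
    r"(?:https?://)?(?:[\w-]+\.)*zoom\.us/j/(\d{9,11})(?:[/?][^\s\"'<>]*)?",
    re.IGNORECASE,
)
# Embedded passcode: Zoom carries it in the query string (?pwd=...); the article's
# sample writes it as a path segment (/pwd=...), so both spellings are accepted.
PWD_RE = re.compile(r"[?&/]pwd=[\w.\-]+", re.IGNORECASE)


@dataclass(frozen=True)
class ZoomLink:
    url: str
    host: str
    meeting_id: str
    embedded_passcode: bool


def find_zoom_links(text: str) -> list[ZoomLink]:
    """Extract every Zoom join link from a blob of HTML or text (a page, a wiki dump)."""
    found = []
    for m in ZOOM_JOIN_RE.finditer(text):
        url = m.group(0)
        probe = url if url.lower().startswith("http") else "https://" + url
        host = (urlsplit(probe).hostname or "").lower()
        found.append(ZoomLink(url, host, m.group(1), PWD_RE.search(url) is not None))
    return found


def one_click_links(text: str) -> list[ZoomLink]:
    """Join links that need no passcode typed in: the zombie-link candidates. Any of
    these on a public page should be removed, and a PMI behind one rotated."""
    return [link for link in find_zoom_links(text) if link.embedded_passcode]


# Constructed sample of what a crawl of an organisation's own public pages might hold.
SAMPLE_HTML = """
<a href="https://example-corp.zoom.us/j/5551112222?pwd=c0nstructedPassc0de">All-hands</a>
<p>Old notes: zoom.us/j/5551112222/pwd=jdjsklskldklsdksdklsdkll</p>
<a href="https://us02web.zoom.us/j/98765432100">Webinar (passcode sent separately)</a>
<a href="https://example-corp.example/j/5551112222?pwd=notzoom">Not a Zoom link</a>
"""

if __name__ == "__main__":
    for link in one_click_links(SAMPLE_HTML):
        print(f"EXPOSED host={link.host} id={link.meeting_id} {link.url}")
```

Point it at a mirror of your own site content rather than the open web; a hit on a public page is a link to take down, and if the ID is a PMI the owner should change it in their Zoom profile and turn on the Waiting Room.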

Using the same method, KrebsOnSecurity also found working Zoom meeting links for The National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber. And that was from just a few minutes of searching. And to illustrate the persistence of some of these Zoom links, Archive.org says several of the links were first created as far back as 2020 and 2021.

KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).

Akiri said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.

“These one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,” Akiri said. “Attackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.”

Akiri said he built a simple program to crawl the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.

According to Akiri, here are several tips for using Zoom links more safely:

Don’t Use Personal Meeting ID for Public Meetings: Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesn’t change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off your PMI when starting an instant meeting in your profile settings.

Require a Passcode to Join: You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.

Only Allow Registered or Domain Verified Users: Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. By default, Zoom also restricts participants to those who are logged into Zoom, and you can even restrict it to Zoom users whose email address uses a certain domain.

Further reading: How to Keep Uninvited Guests Out of Your Zoom Meeting

Update 12:33 p.m.: The list of affected organizations was updated, because several companies listed apparently only exposed links that let anyone connect to existing, always-on meeting rooms — not initiate and completely control a Zoom meeting. The real danger with the zombie links described above is that anyone can find and use them to create new meetings and invite others.