
Avoid Zombie Zoom Links Dragging You Down – Krebs on Security

Numerous organizations, including several Fortune 500 companies, have inadvertently exposed web links that let anyone start a Zoom video conference meeting on behalf of a valid employee. These company-specific Zoom links, which carry a permanent user ID number and an embedded passcode, expose an organization’s employees, customers, and partners to phishing and other social engineering attacks.

The focal point of concern is the Zoom Personal Meeting ID (PMI), an unchanging identification number permanently linked to a Zoom account. The PMI is the account holder’s personal meeting room, which is accessible at all times. Any meeting started with the PMI uses a join URL that contains it; for example: zoom.us/j/5551112222.

Zoom also offers an option to embed a passcode in the meeting invitation link (Zoom calls this an “encrypted passcode”), which spares attendees from typing the passcode manually. A link with an embedded passcode looks like this: zoom.us/j/5551112222?pwd=jdjsklskldklsdksdklsdkll.

Using the PMI to start new meetings is convenient, but it often compromises security. Because the PMI is the same for every meeting, anyone who has the PMI link can join any meeting in progress, provided the host has not locked it or enabled Zoom’s Waiting Room feature.

Embedding the passcode in the Zoom link makes joining easier, but if the link is not handled carefully it also lets in unwanted intruders. This is particularly a problem when the link is indexed by Google or other search engines, and that is the case for thousands of organizations.

With one of these exposed links, an attacker can create meetings and invite others while masquerading as an authorized employee. Organization-specific Zoom subdomains (such as company.zoom.us) make it easy to find recently created meeting links, including ones that contain an embedded passcode. KrebsOnSecurity found such links exposed by organizations including The National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber.

These Zoom links are long-lived: Archive.org snapshots show that several of them were first created as far back as 2020 and 2021. KrebsOnSecurity learned of the issue from a tip by Charan Akiri, a researcher and security engineer at Reddit. Akiri had previously revealed the exposure of confidential data on many public Salesforce websites, including those of banks and healthcare organizations. Salesforce itself was also publishing open Zoom meeting links until Akiri notified the company.

Akiri stressed that misuse of PMI links, particularly those with embedded passcodes, grants unauthorized individuals access to meetings. A malicious actor can impersonate the company, start meetings without the account owner’s knowledge, contact employees or customers, and obtain confidential information, whether for financial gain, fake recruitment, or fraudulent advertising campaigns.

To gauge the extent of the issue, Akiri wrote a simple program that scours the web for working Zoom meeting links from numerous organizations. So far, the program has identified thousands of organizations with these vulnerable, yet still functional, “zombie” Zoom links.
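The following is an added illustration, not Akiri’s program or any Zoom-provided tool: a small Python scanner that pulls Zoom join links out of crawled page text, flags links with an embedded pwd= passcode, and rates them. It assumes the link format described above (an optional vanity subdomain, /j/ followed by the meeting ID, and an optional ?pwd= query) and uses one heuristic that is an assumption rather than a Zoom guarantee: a 10-digit meeting ID is treated as a likely PMI, while an 11-digit ID is treated as a one-off scheduled meeting. The sample page text, IDs, and passcodes are constructed placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Matches Zoom join links such as https://acme.zoom.us/j/5551112222?pwd=...
# (optional vanity subdomain, /j/ path, 9-11 digit meeting ID, optional query string).
ZOOM_JOIN_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?zoom\.us/j/\d{9,11}(?:\?[^\s\"'<>]*)?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ZoomLink:
    url: str
    subdomain: str          # "acme" for acme.zoom.us, "" for bare zoom.us
    meeting_id: str
    has_embedded_passcode: bool

    @property
    def looks_like_pmi(self) -> bool:
        # Assumption (heuristic, not guaranteed by Zoom): Personal Meeting IDs are
        # 10 digits; IDs generated for scheduled meetings are 11 digits.
        return len(self.meeting_id) == 10

    @property
    def risk(self) -> str:
        if self.has_embedded_passcode and self.looks_like_pmi:
            return "high"    # permanent room plus embedded passcode: URL alone joins it
        if self.has_embedded_passcode:
            return "medium"  # one-off meeting, but the passcode travels with the URL
        return "low"         # joining still requires knowing the passcode


def parse_zoom_link(url: str) -> ZoomLink:
    """Break one join URL into subdomain, meeting ID, and embedded-passcode flag."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    subdomain = host[: -len(".zoom.us")] if host.endswith(".zoom.us") else ""
    meeting_id = parts.path.rsplit("/", 1)[-1]
    pwd = parse_qs(parts.query).get("pwd", [""])[0]
    return ZoomLink(url, subdomain, meeting_id, bool(pwd))


def scan_text(text: str) -> list[ZoomLink]:
    """Return the distinct Zoom join links found in text, in order of first appearance."""
    seen: dict[str, ZoomLink] = {}
    for match in ZOOM_JOIN_RE.finditer(text):
        link = parse_zoom_link(match.group(0))
        seen.setdefault(link.url, link)
    return list(seen.values())


def report(text: str) -> list[tuple[str, str, str]]:
    """(subdomain, meeting ID, risk) for every distinct link found in text."""
    return [(link.subdomain or "zoom.us", link.meeting_id, link.risk) for link in scan_text(text)]


# Constructed sample of crawled page text; the IDs and passcodes are placeholders, not real meetings.
SAMPLE_PAGE = """
<p>Join our weekly office hours: https://acme.zoom.us/j/5551112222?pwd=c2FtcGxlLXBhc3Njb2Rl</p>
<p>Webinar (scheduled): https://zoom.us/j/98765432109?pwd=b25lLW9mZi1wYXNzY29kZQ</p>
<p>Support room: https://acme.zoom.us/j/5551112222</p>
<p>Office hours again: https://acme.zoom.us/j/5551112222?pwd=c2FtcGxlLXBhc3Njb2Rl</p>
"""

if __name__ == "__main__":
    for subdomain, meeting_id, risk in report(SAMPLE_PAGE):
        print(f"{risk:6} {subdomain:10} {meeting_id}")
```

Run against your own published pages (press releases, support portals, event listings) or against a search-engine export of your vanity subdomain, the “high” rows are the ones to rotate first: regenerate or stop using the PMI and remove the embedded passcode from anything public.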

To use Zoom links more safely, Akiri offers several tips. First, do not use the Personal Meeting ID (PMI) for public meetings. The PMI is the default launching point for ad hoc meetings and does not change unless the user manually changes it. For public meetings, schedule a new meeting with a randomly generated ID so that only invited attendees can join. The profile settings also include an option to stop using the PMI for instant meetings.

Going a step further, hosts can require participants to enter a passcode to join a meeting; this applies both to the Personal Meeting ID and to newly scheduled meetings. Zoom also lets a host admit only registered or domain-verified users, so the host knows who is in the meeting. Together, these measures improve the security and peace of mind of meeting organizers.

The exposed Zoom links matter. Companies must take proactive steps to protect their employees, customers, and partners from the phishing and social engineering attacks these links enable.
