Old Links – New challenges: Don't let attackers fake your identity in Zoom

CarderPlanet

How do I create a secure video conference and end it correctly?

Zoom, a popular online meeting platform, has drawn the attention of security researchers because of a newly highlighted threat. The problem concerns the Zoom Personal Meeting ID (PMI), a permanent number tied to each Zoom account.

The PMI is used whenever you hold a meeting in your personal room. A PMI join link looks, for example, like this:

zoom.us/j/5551112222

The user can also embed the encrypted passcode (the pwd parameter) directly in the invitation link. This makes joining easier, since nobody has to type the code by hand. Example:

zoom.us/j/5551112222?pwd=jdjsklskldklsdksdklsdkll

By default this is convenient, but, as often happens, convenience turns into exposure. Anyone who learns your PMI can join any meeting held in your personal room, unless you have enabled additional protections (locked the meeting or turned on the Waiting Room feature).

Even an old but still valid link indexed by a search engine such as Google can serve as an invitation for unwanted guests. As it turned out, thousands of organizations have already run into this problem.

Using such loopholes, attackers start new meetings while posing as ordinary employees. The situation is aggravated by the fact that some companies use vanity subdomains on zoom.us (for example company.zoom.us), which makes hunting for unprotected addresses even easier, since a search can be narrowed to one organization's host.

KrebsOnSecurity found that organizations such as the National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros and Uber had open Zoom meeting links exposed. Moreover, the search took only a few minutes. The Internet Archive (archive.org) shows that some of these zombie links date back to 2020 and 2021.

Charan Akiri, an independent specialist and security engineer, once again stressed the dangers of such a system: "Links that do not have an expiration date and do not require a password can be used by attackers to fake their identity. Having penetrated the system, attackers will impersonate company representatives and organize 'meetings' that users will not even know about. They can interact with other employees or customers on behalf of the organization. The vulnerability will allow them to gain unauthorized access to confidential information and lead to financial losses, illegal recruitment or fraudulent advertising campaigns."

Akiri also explained how to protect yourself:

1. Don't use your PMI for public meetings. It is a fixed identifier that does not change unless you change it yourself, which makes it fine for quick calls with colleagues or friends. For public meetings, use the unique meeting ID the system generates for each scheduled meeting, so that the link stops working once the meeting is over.

2. Require a passcode to join. This applies both to meetings held on your permanent ID (PMI) and to meetings with a unique ID. Keep in mind that a passcode embedded in a link that ends up on a public page protects nothing; anyone who finds the link also has the code.

3. Restrict who can join. Zoom lets you configure join requirements: the host can require participants to be signed in to Zoom (so that their name and email address are known), or restrict entry to accounts from specified domains.
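The practical first step on the defending side is to find out which of your own links are already out there. The script below is an added example, not code from the original post or from Zoom: it scans a blob of page text (a crawl of your public site, an archive.org snapshot, search-engine results) for Zoom join links, extracts the meeting ID and the vanity or regional subdomain, and flags the cases discussed above: a link that exposes a Personal Meeting ID, a link with no passcode, a link whose passcode is embedded and therefore leaked, and one meeting ID reused across many links. The PMI heuristic (10 digits for a PMI, 11 for a generated meeting ID) is an assumption taken from Zoom's documentation; the sample page text, hosts and IDs are constructed for the example.

```python
"""Audit page text for Zoom join links that expose a PMI or leak a passcode."""
import re
from urllib.parse import parse_qs, urlparse

# Zoom join links on zoom.us or any subdomain (vanity hosts such as acme.zoom.us,
# regional hosts such as us02web.zoom.us). /j/<id> and /s/<id> carry a numeric
# meeting ID; /my/<name> is a personal link that resolves to the owner's PMI.
ZOOM_LINK_RE = re.compile(
    r"https?://(?:[\w-]+\.)*zoom\.us/(?:j|s|my)/[^\s\"'<>)]+", re.IGNORECASE
)
MEETING_PATH_RE = re.compile(r"^/(?:j|s)/(\d{9,11})$")
PERSONAL_PATH_RE = re.compile(r"^/my/([\w.\-]+)$")

# Assumption (from Zoom's documentation at the time of writing): a PMI is 10 digits,
# IDs generated for scheduled or instant meetings are 11 digits. Treat as a heuristic.
PMI_LENGTH = 10


def classify_link(url: str) -> dict:
    """Break one Zoom join link into the facts the audit needs."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.rstrip("/")
    query = parse_qs(parsed.query)
    passcode_embedded = bool(query.get("pwd", [""])[0])

    meeting_id = None
    likely_pmi = False
    kind = "unknown"
    if m := MEETING_PATH_RE.match(path):
        meeting_id = m.group(1)
        likely_pmi = len(meeting_id) == PMI_LENGTH
        kind = "meeting"
    elif m := PERSONAL_PATH_RE.match(path):
        meeting_id = m.group(1)  # the personal-link name stands in for the PMI
        likely_pmi = True
        kind = "personal-link"

    issues = []
    if likely_pmi:
        # A public page should not hand out a standing invitation to a personal room.
        issues.append("pmi-exposed")
    if passcode_embedded:
        # The pwd parameter on a public page means the passcode keeps nobody out.
        issues.append("passcode-leaked-in-link")
    else:
        # The meeting may still enforce a passcode; confirm it in the meeting settings.
        issues.append("link-has-no-passcode")
    return {"url": url, "host": host, "kind": kind, "meeting_id": meeting_id,
            "likely_pmi": likely_pmi, "passcode_embedded": passcode_embedded,
            "issues": issues}


def audit_text(text: str) -> list:
    """Find every distinct Zoom join link in page text and classify it."""
    findings, seen = [], set()
    for url in ZOOM_LINK_RE.findall(text):
        url = url.rstrip(".,;")  # trailing punctuation from the surrounding prose
        if url in seen:
            continue
        seen.add(url)
        findings.append(classify_link(url))
    return findings


def reused_ids(findings: list) -> dict:
    """Meeting IDs seen in more than one link: one room being used for everything."""
    counts = {}
    for f in findings:
        if f["meeting_id"]:
            counts[f["meeting_id"]] = counts.get(f["meeting_id"], 0) + 1
    return {mid: n for mid, n in counts.items() if n > 1}


# Constructed sample resembling text scraped from an organization's old public pages
# (made-up hosts and IDs, not real data).
SAMPLE_PAGES = """
Join the weekly town hall: https://acme.zoom.us/j/5551112222
Archived webinar (2021): https://acme.zoom.us/j/82345678901?pwd=YWJjZGVmZ2hpamtsbW5vcA
Office hours with Jane: https://acme.zoom.us/my/jane.doe, any time.
Vendor call: https://us02web.zoom.us/j/82345678902
Unrelated: https://example.com/meetings/5551112222
Partner sync (same room again): https://zoom.us/j/5551112222?pwd=YWJjZGVm
"""

if __name__ == "__main__":
    results = audit_text(SAMPLE_PAGES)
    for f in results:
        print(f"{f['host']:20} {f['kind']:14} {f['meeting_id'] or '-':14} "
              f"{', '.join(f['issues'])}")
    print("reused IDs:", reused_ids(results))
```

Run it over whatever you can collect about your own organization (a site crawl, archived snapshots, results of a site-restricted search for your vanity host). Every hit tagged pmi-exposed or passcode-leaked-in-link is a room to reset the PMI on, lock down with the Waiting Room and authentication settings, or retire in favour of a freshly generated meeting ID; the link-has-no-passcode tag only says the link carries none, so check the meeting itself before treating it as safe.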