Automated tool can find 100 Zoom meeting IDs per hour:
An automated tool developed by security researchers is able to find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans, according to a new report from security expert Brian Krebs.
Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.
In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting's Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 pic.twitter.com/h0vB1Cp9Tb
— briankrebs (@briankrebs) April 2, 2020
Related Stories
Zoom admits data got routed through China - Business Insider:
In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
He did not say how many users were affected.
During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.
This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.
Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.
[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.
Zoom did not immediately respond to Business Insider's request for comment and clarification.
(Score: 2) by fadrian on Saturday April 04 2020, @05:01AM (3 children)
Zoom sucks. Are you folks going to join the Zoombash on the green site, too? You must have shorts.
That is all.
(Score: 2) by MostCynical on Saturday April 04 2020, @05:44AM (2 children)
no, zoom is ubiquitous, easy, and features exceed price point.
Zoom is now being examined - it wasn't on most people's radar a few months ago, but now is being used heavily.
Doesn't mean anyone is shorting the company.
Alas, people are finding that security is, as with many products, not 'baked-in' sufficiently.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by toddestan on Sunday April 05 2020, @05:39AM (1 child)
Is there really any difference between Zoom and competitors like WebEx? WebEx has the same system where you dial in and then type in a 9-digit code to join the meeting. You can also have a password or disallow anonymous "call-in" users to a meeting, but almost no one does that as it just adds additional complication to something that you can consider yourself lucky if it works at all. I don't see anything that would prevent someone from dialing in and then trying to guess codes until they randomly hit a valid one.
I suppose one difference might be that WebEx might be savvy enough to throttle or block repeated attempts to join invalid meetings to thwart something like this.
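The throttling the comment above suggests is straightforward to implement on the service side. The following is an added illustration, not code from Zoom, WebEx or the zWarDial authors: a per-client sliding-window throttle that counts failed join attempts and refuses to forward further attempts from that client for a cooling-off period once the count crosses a threshold. The log format (`<unix-time> <client> <meeting-id> <ok|invalid>`) and the sample lines are constructed for the example; the thresholds are assumptions, not anything either vendor is known to use.

```python
"""Sliding-window throttle on failed meeting-join attempts (added example).

Assumes a hypothetical join-attempt log, one attempt per line:
    <unix-time> <client-id> <meeting-id> <ok|invalid>
Real services key this on more than a source address (account, device,
session), but the mechanism is the same.
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 walks through consecutive IDs and finally
# hits a valid one; 10.0.0.9 is a normal user who mistypes once.
SAMPLE_LOG = """\
1585900000 10.0.0.5 123456789 invalid
1585900001 10.0.0.5 123456790 invalid
1585900002 10.0.0.5 123456791 invalid
1585900003 10.0.0.5 123456792 invalid
1585900004 10.0.0.5 123456793 invalid
1585900005 10.0.0.5 123456794 ok
1585900100 10.0.0.9 987654320 invalid
1585900200 10.0.0.9 987654321 ok
"""


class JoinThrottle:
    """Per-client sliding-window throttle keyed on failed join attempts."""

    def __init__(self, threshold=5, window_seconds=60, block_seconds=300):
        self.threshold = threshold          # failures in window that trigger a block
        self.window = window_seconds        # sliding window length
        self.block_seconds = block_seconds  # how long a block lasts
        self.failures = defaultdict(deque)  # client -> timestamps of recent failures
        self.blocked_until = {}             # client -> unix time when the block lifts

    def decide(self, ts, client):
        """Return 'allow' or 'blocked' for an attempt, before the ID is checked."""
        until = self.blocked_until.get(client)
        if until is not None and ts < until:
            return "blocked"
        return "allow"

    def record(self, ts, client, ok):
        """Record the outcome of a forwarded attempt; a run of failures starts a block."""
        if ok:
            return
        recent = self.failures[client]
        recent.append(ts)
        # Drop failures that have fallen out of the window.
        while recent and recent[0] <= ts - self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked_until[client] = ts + self.block_seconds
            recent.clear()


def parse_line(line):
    """Split one constructed log line into (timestamp, client, meeting_id, ok)."""
    ts, client, meeting_id, result = line.split()
    return int(ts), client, meeting_id, result == "ok"


def process_log(log_text, throttle=None):
    """Replay a log through the throttle.

    Returns (decisions, blocked_clients): decisions maps each client to the
    per-attempt verdicts in order; blocked_clients lists clients that tripped it.
    """
    throttle = throttle or JoinThrottle()
    decisions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _meeting_id, ok = parse_line(line)
        verdict = throttle.decide(ts, client)
        decisions[client].append(verdict)
        if verdict == "allow":
            throttle.record(ts, client, ok)
    return dict(decisions), sorted(throttle.blocked_until)


if __name__ == "__main__":
    verdicts, blocked = process_log(SAMPLE_LOG)
    for client, outcomes in verdicts.items():
        print(client, " ".join(outcomes))
    print("blocked:", blocked)
```

Note that the sixth attempt from `10.0.0.5` is refused even though the meeting ID it carries is valid: the throttle decides on the client's recent failure history, not on the ID, which is what makes guessing uneconomical. The single mistyped ID from `10.0.0.9` never approaches the threshold, so legitimate users are unaffected.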
(Score: 2) by MostCynical on Sunday April 05 2020, @05:48AM
up until recently, cost [webex.com]
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1) by anubi on Saturday April 04 2020, @06:19AM (1 child)
I remember the days when a relative would invite me over, then bore me to tears with his home movies.
Now, people are going to these lengths to see them???
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by MostCynical on Saturday April 04 2020, @07:01AM
Just hoping for trade secrets, or nudity.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: -1, Offtopic) by Anonymous Coward on Saturday April 04 2020, @05:04PM
Is that worthy of a SoylentNews article?