With the rapid increase in the use of video conferencing associated with social distancing to cope with COVID-19, the video conferencing application Zoom has seen rapid growth in the last month.
Although there are consumer versions of Zoom available, the main market was originally corporate clients, where Zoom would be further configured by the corporate IT staff. The mass adoption of Zoom for consumers has resulted in the discovery of some important security flaws in the product, particularly if not further configured, as most consumers will not be.
The most serious of these flaws could result in the disclosure of the Computer User credentials to a remote computer through the Zoom client chat by posting a specifically formatted link. The credentials will include the username and the user HASH, which could be used to obtain the user’s password. In the case of a company computer on a Windows Domain, this would be the employee’s corporate account information—a significant issue.
Fortunately, Zoom was very quick in addressing the vulnerability, and it no longer exists.
How to Prevent Zoombombing
At first, Zoom allowed uninvited guests to join any Zoom session. This has been termed in the media as Zoombombing. It is tied to the public nature of the default conference settings in Zoom. Each Zoom meeting has a Meeting ID, and unfortunately, the Meeting ID is only a 10 digit number. The 10 digit ID is the only information required to access a meeting, even if someone is not directly invited to the meeting.
So, if the meeting ID is widely shared, almost anyone can join the meeting. Additionally, each Zoom account has a Personal Meeting, with a Personal Meeting ID. It is also a 10 digit ID and does not change. Therefore, if you share your PMI, that person will be able to join any additional meeting.
Zoom has made several recommendations to combat this:
- Set Passwords on each meeting.
- Do not use your Personal Meeting ID.
- Do not post Meeting IDs in public areas.
While writing this blog post, I set up a few meetings in Zoom, and new meetings now have a password by default. This shows that Zoom is addressing the issue. However, we would still recommend that all users review their Zoom settings to verify that this is their default and review old meetings to ensure that passwords are set on them.
Have any questions about Zoom security and keeping video conferencing in general secure? Please reach out to us at any time.
