An automated tool developed by security researchers is able to find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans, according to a new report from security expert Brian Krebs.
Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.
In addition to finding around 100 meetings per hour, one instance of zWarDial hits a legitimate meeting ID on about 14 percent of its guesses, Lo told Krebs on Security. For the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program also extracted each meeting’s Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3
— briankrebs (@briankrebs) April 2, 2020
In January, security researchers at Check Point Research said Zoom had implemented a feature that would block repeated attempts to scan for meeting IDs following their own disclosure of a way to identify valid Zoom meeting IDs. zWarDial avoids Zoom’s blocking by routing searches through Tor, Lo said to Krebs on Security.
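The blocking Check Point describes, and the Tor routing Lo says defeats it, illustrate a general detection problem: a limit keyed on the source address stops a single scanner but not one whose probes arrive from many different exit addresses. The following is an added illustration written for this article, not code from zWarDial, Check Point, or Zoom; the log format and the sample log lines are constructed, and the thresholds are assumed, not Zoom's actual settings. It shows a per-source sliding-window limiter beside a source-agnostic counter of invalid meeting-ID lookups, and runs both over a single-source scan and a distributed one.

```python
from collections import defaultdict, deque
from typing import Iterable, List, Set, Tuple

# Constructed log format (assumption, not a real Zoom log):
#   "<unix_ts> <source_ip> lookup <valid|invalid>"
Event = Tuple[int, str, str]


def parse_line(line: str) -> Event:
    """Parse one constructed log line into (timestamp, source_ip, outcome)."""
    ts, ip, _, outcome = line.split()
    return int(ts), ip, outcome


def parse_log(lines: Iterable[str]) -> List[Event]:
    return sorted(parse_line(l) for l in lines)


def flag_sources(events: List[Event], window_s: int = 60, max_failures: int = 10) -> Set[str]:
    """Per-source limiter: flag any IP with more than max_failures invalid
    lookups inside a sliding window of window_s seconds.  This is the kind of
    control that stops a scanner hammering from one address."""
    recent = defaultdict(deque)  # ip -> timestamps of recent invalid lookups
    flagged: Set[str] = set()
    for ts, ip, outcome in events:
        if outcome != "invalid":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop entries older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged


def flag_global(events: List[Event], window_s: int = 60, max_failures: int = 50) -> List[int]:
    """Source-agnostic detector: ignore who is asking and count invalid lookups
    across ALL sources.  A scan spread over many exit addresses still raises
    the aggregate invalid rate, which is what this catches.  The threshold
    must sit above the normal rate of mistyped IDs, so it is a baseline,
    not a small constant."""
    q: deque = deque()
    alerts: List[int] = []  # timestamps at which the aggregate limit was exceeded
    for ts, _ip, outcome in events:
        if outcome != "invalid":
            continue
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        # emit at most one alert per window to avoid a flood
        if len(q) > max_failures and (not alerts or ts - alerts[-1] > window_s):
            alerts.append(ts)
    return alerts


# --- constructed scenarios (sample data, not captured traffic) ---------------

def single_source_scan(n: int = 30, start: int = 1000) -> List[str]:
    """One address issuing n invalid lookups, one per second."""
    return [f"{start + i} 198.51.100.7 lookup invalid" for i in range(n)]


def distributed_scan(n: int = 60, start: int = 2000) -> List[str]:
    """Same probing rate, but each lookup arrives from a different address,
    the pattern a Tor-routed scanner produces."""
    return [f"{start + i} 203.0.113.{i % 250 + 1} lookup invalid" for i in range(n)]


def background_noise(start: int = 3000) -> List[str]:
    """A few legitimate users mistyping an ID; should trigger nothing."""
    return [f"{start + 20 * i} 192.0.2.{i + 1} lookup invalid" for i in range(3)]


if __name__ == "__main__":
    for name, lines in [("single-source", single_source_scan()),
                        ("distributed", distributed_scan()),
                        ("noise", background_noise())]:
        ev = parse_log(lines)
        print(name, "per-source:", flag_sources(ev), "global:", flag_global(ev))
```

Running it shows the gap the article describes: the per-source limiter flags the single scanner and nothing else, while only the aggregate counter notices the distributed scan. In practice the global threshold has to be derived from the observed baseline of invalid lookups, and the response to a global alert is a service-wide measure (a CAPTCHA on ID entry, or the password-by-default policy the article discusses) rather than blocking any one address.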
However, zWarDial can’t find meetings that are password-protected, according to Lo. Zoom says it password-protects new meetings, instant meetings, and meetings accessed by manually entering a meeting ID by default, so the number of meeting IDs zWarDial is able to find suggests that many Zoom meetings still don’t have a password.
“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join,” Zoom said in a statement to The Verge. “Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out. We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”
If you want to password-protect your meetings yourself, you can do that in the Zoom app by going to the “Meetings” tab, clicking the “Edit” button under your personal meeting ID, checking the “Require meeting password” checkbox, and then entering a password to use for your meetings. The steps are similar on the mobile app.
Zoom usage has shot up dramatically as more people have come to rely on the video conferencing app during the COVID-19 pandemic, but that increased usage has cast a spotlight on a litany of security and privacy issues with the service.
For example, trolls have been able to “Zoombomb” calls, an issue with Zoom’s “Company Directory” setting could leak user emails and photos, and Zoom confirmed to The Intercept that video calls on the app aren’t end-to-end encrypted as the company claims. To help address these issues, Zoom has announced a 90-day freeze on releasing new features and will focus on fixing privacy and security issues.
Update, April 2nd, 8:16PM ET: Added statement from Zoom.