According to a new report from security expert Brian Krebs, an automated tool developed by security researchers can find around 100 Zoom meeting IDs in one hour and information for nearly 2,400 Zoom meetings in a single day of scans.
Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, created a program called zWarDial that can automatically guess Zoom meeting IDs, which are between nine and 11 digits long, and collect information on those meetings, according to the report.
In addition to being able to find around 100 meetings per hour, a zWarDial instance can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And for the nearly 2,400 upcoming or regular Zoom meetings that zWarDial found in a single day of scanning, the program extracted the Zoom link for the meeting, the date and time, the meeting organizer, and the topic of the meeting, according to data that Lo shared with Krebs on Security.
In January, security researchers at Check Point Research said Zoom had implemented a feature that would block repeated attempts to scan for meeting IDs after their own disclosure of a way to identify valid Zoom meeting IDs. zWarDial bypasses Zoom's blocking by routing searches through Tor, Lo told Krebs on Security.
However, zWarDial cannot find meetings that are password-protected, according to Lo. By default, Zoom says it password-protects new meetings, instant meetings, and meetings that are accessed by manually entering a meeting ID, so the fact that zWarDial can find so many meeting IDs suggests that many Zoom meetings still don't have a password.
“Zoom strongly encourages users to implement passwords for all their meetings to ensure that uninvited users cannot join,” Zoom said in a statement to The Verge. “Passwords for new meetings have been enabled by default since the end of last year unless account owners or administrators have been excluded. We are investigating unique boundary cases to determine whether, under certain circumstances, users not affiliated with an account owner or administrator may not have enabled passwords by default at the time the change was made.”
If you want to password-protect your meetings yourself, you can do so in the Zoom app by going to the “Meetings” tab, clicking the “Edit” button under your personal meeting ID, checking the “Request meeting password” checkbox, and then entering a password to use in your meetings. The steps are similar in the mobile app.
Zoom use has skyrocketed as more people have come to trust the video conferencing application during the COVID-19 pandemic, but that increased use has highlighted a litany of security and privacy issues with the service.
For example, trolls have been able to “Zoombomb” calls, an issue with Zoom’s “Company Directory” setting could leak user emails and photos, and Zoom confirmed to The Intercept that video calls in the app are not end-to-end encrypted as the company says. To help address these issues, Zoom has announced a 90-day freeze on the release of new features and will focus on fixing privacy and security issues.