Zoom has claimed to have shifted its focus towards user privacy and security, and the company recently even started restricting uninvited attendees from virtual meetings. However, security researchers are able to highlight its loopholes through an automated tool that can bypass the measures and find 100 Zoom meeting IDs in an hour. The tool called zWarDial is also said to have a success rate of around 14 percent for each instance. In a separate news, Zoom has disabled a feature on its platform that would help meeting hosts see the LinkedIn profiles of individuals, without requiring any explicit permissions.
Security professional Trent Lo and his fellow members of Kansas City-based security meetup group SecKC have built the zWarDial tool that scans for meeting IDs by routing the searches through various proxies on Tor, as reported by cybersecurity expert Brian Kerbs. The tool is said to have the ability to evade the restrictions that the video conferencing app has in place to block automated meeting scans and helps find meetings that aren't protected by a password.
The program uses software-level automation to arrange information about 2,400 Zoom meetings that can include links to join each of those meetings, the date and time of the meeting, and the name of the organiser among other details. Also, it is touted to have a 14 percent chance of finding an open meeting each time it tries to attempt with a random meeting ID.
Guessing of random IDs isn't difficult for hackers as each Zoom meeting ID consists of nine to 11 digits, as noted by Kerbs. This could also allow individuals to join meetings between some professionals or even an online class for school students.
Some instances of disrupting virtual meetings by entering without an invite were noticed in the past. The term for causing disruption has even become famous as “Zoombombing”.
Having said that, the zWarDial tool seems to have no impact on meetings that are protected by a password. This is something that Zoom also recommends and enables by default, as highlighted on one of its support pages.
The company said in a statement to The Verge that passwords for new meetings have been enabled by default since last year.
“We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made,” it added as quoted by the publication.
You can password-protect your Zoom meetings manually by going to the Meetings tab and then clicking the Edit button under your personal meeting ID. You'll then need to check the Require meeting password checkbox and enter your preferential password.
In addition to the issues with meeting IDs, Zoom is found to have the LinkedIn-specific feature in place that was allowing meeting hosts to view your professional details such as location, employers, job titles, and work experience among others. The feature was working as an integration with the LinkedIn Sales Navigator service that is meant for helping sales professionals mine data of their prospects online.
Zoom was automatically sending the name and email addresses of individuals to a company system when they signed in to a meeting to match the details with their LinkedIn profiles, The New York Times found in an investigation. It was also noticed that the feature was overriding privacy settings of users and even providing LinkedIn data when the Zoom profiles were anonymised using pseudonyms for signing in to a meeting.
In a statement to the publication, Zoom said that it was “removing the LinkedIn Sales Navigator to disable the feature” that was available for users who subscribed to the paid service. LinkedIn also separately confirmed the suspension of the feature.
The coronavirus outbreak has led to the massive growth in Zoom meetings. The app surpassed the mark of over 200 million daily users in March. Nonetheless, the ongoing issues are impacting its success. The company even announced a feature freeze for 90 days to address security concerns. It also did fixes to flaws such as silently sharing data with Facebook and apologised for its misleading end-to-end encryption claim.