Don’t Let Zombie Zoom Links Drag You Down
Many organizations, including Fortune 500 firms, have exposed Zoom links that allow anyone to initiate a video conference meeting as an employee. These links contain a permanent user ID number and passcode, which makes them useful for phishing and social engineering attacks. The issue lies in the Zoom Personal Meeting ID (PMI), which remains the same for all meetings and can be used by unauthorized individuals to join ongoing meetings. Such links have been found for various organizations, including the NFL, LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber. Researcher Charan Akiri discovered this vulnerability and built a program to identify thousands of organizations with these links. To use Zoom links more safely, the advice is to avoid using a Personal Meeting ID for public meetings, to require a passcode to join, and to allow only registered or domain-verified users.
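
To check your own published content for links of this kind, the following added example (not from the article or from the researcher's program) scans exported text for Zoom join links and flags those that embed a passcode, reporting them with the passcode stripped. It assumes the standard `/j/<meeting id>?pwd=...` join-link form and treats a 10-digit meeting ID as a likely PMI, which is a heuristic; the sample text, host name, IDs and the function name `audit_zoom_links` are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
JOIN_RE = re.compile(r"^/j/(\d+)/?$")  # Zoom join path: /j/<meeting id>

# Constructed sample text (host, meeting IDs and passcode are made up).
SAMPLE = (
    "Weekly call: https://example.zoom.us/j/1234567890?pwd=Q09OU1RSVUNURUQ.\n"
    "Webinar: https://example.zoom.us/j/12345678901\n"
    "Unrelated: https://example.com/j/1234567890?pwd=x\n"
)

def audit_zoom_links(text):
    """Return one finding per Zoom join link found in text."""
    findings = []
    for raw in URL_RE.findall(text):
        try:
            parts = urlparse(raw.rstrip(".,;"))  # trim sentence punctuation
            host = (parts.hostname or "").lower()
        except ValueError:
            continue  # malformed URL, nothing to audit
        if host != "zoom.us" and not host.endswith(".zoom.us"):
            continue  # not a Zoom host (also rejects look-alike suffixes)
        m = JOIN_RE.match(parts.path)
        if not m:
            continue
        meeting_id = m.group(1)
        has_passcode = "pwd" in parse_qs(parts.query)
        likely_pmi = len(meeting_id) == 10  # assumption: heuristic only
        if has_passcode and likely_pmi:
            severity = "high"    # permanent room with the passcode in the link
        elif has_passcode:
            severity = "medium"  # passcode exposed, ID may be one-off
        else:
            severity = "info"    # link alone; joining still needs the passcode
        findings.append({
            "link": f"https://{host}/j/{meeting_id}",  # passcode not echoed
            "passcode_embedded": has_passcode,
            "likely_pmi": likely_pmi,
            "severity": severity,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_zoom_links(SAMPLE):
        print(finding)
```

Links reported as `high` are candidates for replacing with a scheduled meeting that uses a generated ID and requires registration or domain-verified users.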