Zoom's Permanent Meeting IDs Pose Security Risks
Zoom's Personal Meeting ID (PMI) is a permanent feature that provides users with a constant meeting room. However, security experts warn that misuse of PMI links with embedded passcodes can lead to unauthorized access and potential data breaches. A recent investigation by KrebsOnSecurity uncovered exposed Zoom meeting links for several major organizations.
Zoom offers the convenience of using your PMI to set up meetings, but this can pose security risks. Charan Akiri, a security engineer at Reddit, discovered that many public Salesforce websites were leaking private data, including open Zoom meeting links. Akiri's simple program identified thousands of organizations with functional 'zombie' Zoom links, allowing anyone to initiate a meeting as a valid employee.
Including an encrypted passcode in the Zoom link can enhance security, but it also presents risks. If not managed responsibly, these links can be indexed by search engines, opening meetings to unwanted intruders. KrebsOnSecurity found working Zoom meeting links for several major organizations, including The National Football League, LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber. Company-specific Zoom links can work indefinitely, exposing employees, customers, or partners to phishing and other social engineering attacks.
Zoom's Personal Meeting ID, while convenient, can compromise security if not used carefully. Organizations must ensure their Zoom links are secure, especially when including passcodes. Security measures like locking meetings or using the Waiting Room feature can help prevent unauthorized access. As Zoom continues to be a popular communication tool, understanding and managing these risks is crucial.
