Zoom Flaw That Could Have Let Anyone Join Private Video Conferences Proves How Important Passwords Are

If you are stuck at home due to the Coronavirus quarantine, because you are sick, or because you are working from a remote location, you might have already used Zoom, a video conferencing platform that lets you connect to others from wherever you might be in the world. The platform has seen a rebirth in 2020 due to the COVID-19 pandemic, and while the company saw a growth of 1.9 million active monthly users throughout 2019, it has already attracted 2.2 million new users in the first quarter of 2020. Zoom cloud meetings are used in classrooms, by businesses, and by people who want to connect with their loved ones. Whatever your reason for using Zoom is, you need to understand that, just like any other virtual service, it is flawed, and it is up to you to ensure that your accounts and your calls are secure. We have a few tips that, hopefully, will help you work around Zoom security flaws.

Zoom security flaw allowed intercepting private video conferences

According to ZDNet, Zoom is very popular among Fortune 500 companies and the top 200 universities in the United States. The statistics show that 60% of those companies and 96% of those universities use Zoom. Unfortunately, these are the kinds of numbers that cybercriminals are attracted to. At the beginning of the year, researchers at CheckPoint discovered a Zoom security flaw that could have permitted undesirable parties to join private conferences/calls silently. The issue lay in the Require meeting password option, which, if not enabled, left virtual meetings vulnerable. Every Zoom meeting has a unique ID code composed of 9, 10, or 11 digits. Although a 9-digit combination creates 1 billion unique numbers, that is not a huge challenge for equipped cybercriminals. As you might know already, they have tools that can guess passwords for them, and it does not take that long to check one billion combinations. A 9-digit combination can be guessed within just 25 milliseconds. Needless to say, if the Require meeting password option is enabled, it should be exponentially harder for cybercriminals to intercept a private meeting/conference call on Zoom. In the end, CheckPoint researchers were able to guess about 4% of IDs, which is not a small number whatsoever.

The good news is that this Zoom security flaw was patched, and now Zoom meetings should be safer. That being said, you should always add passwords for all meetings, and these passwords should be long and random in every case so that cybercriminals cannot guess or brute-force them. If you need help generating unique passwords for every Zoom meeting you host, we suggest employing the Password Generator offered by Cyclonis Password Manager. The tool can also help you manage your Zoom account password. Just like Zoom meeting IDs, vulnerable passwords can be attractive to cybercriminals. If they manage to hijack your account, they could potentially join meetings where sensitive information is disclosed, or even share malicious files with the connected parties via Chat, and we are sure that you want to avoid being the weak link in your company. Here are the steps that will help you upgrade your Zoom login password.

How to upgrade Zoom login password

  1. Open https://zoom.us/signin.
  2. Sign in with your current password.
  3. Click User Management and then Users.
  4. Click the email address of the account you want to edit.
  5. On the right of Sign-in Password, click Edit.
  6. Enter your new password. You can follow the recommendations listed in this section, but we recommend aiming for a stronger password because 6-character passwords are weak right from the start.
  7. Click OK to save the password.

N.B. If you are a Zoom administrator and are responsible for other accounts, make sure you set up strong passwords for them also. Do not rely on users to change them to stronger passwords on their own.
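To put numbers on the advice above about long, random meeting and account passwords, here is an added example (not part of the original article or any Zoom or Cyclonis tool) that compares the ID-only search space with a randomly generated passcode. The 62-symbol alphabet and the 64-bit entropy target are assumptions chosen for illustration; the 4% hit rate and the ID lengths come from the article.

```python
import math
import secrets
import string

ID_DIGITS = (9, 10, 11)   # meeting ID lengths given in the article
HIT_RATE = 0.04           # share of guessed IDs that were valid, per the article
ALPHABET = string.ascii_letters + string.digits  # assumed alphabet (62 symbols)


def id_space(digits):
    """Number of possible meeting IDs of the given length."""
    return 10 ** digits


def guesses_until_live_id(hit_rate=HIT_RATE):
    """Mean number of random ID guesses before one is a live meeting."""
    return 1 / hit_rate


def passcode_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random passcode of this length."""
    return length * math.log2(len(alphabet))


def min_length(target_bits, alphabet=ALPHABET):
    """Shortest length whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_passcode(target_bits=64, alphabet=ALPHABET):
    """Passcode drawn from the OS CSPRNG; 64 bits is an assumed target."""
    n = min_length(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def expected_passcode_guesses(length, alphabet=ALPHABET):
    """Mean guesses to hit one uniformly random passcode, no repeats."""
    return (len(alphabet) ** length + 1) / 2


if __name__ == "__main__":
    for d in ID_DIGITS:
        print(f"{d}-digit IDs: {id_space(d):,} possible values")
    print(f"No passcode: ~{guesses_until_live_id():.0f} ID guesses per live meeting")
    print(f"6 characters: {passcode_bits(6):.1f} bits")
    code = generate_passcode()
    print(f"{len(code)} characters: {passcode_bits(len(code)):.1f} bits, "
          f"~{expected_passcode_guesses(len(code)):.1e} guesses on average")
```

If the service caps password length or restricts characters, lower `target_bits` or pass a different `alphabet` and check the resulting entropy with `passcode_bits`.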

Needless to say, adding passwords to Zoom meetings or creating strong account passwords isn’t something that can help solve all security issues linked to the virtual meeting platform. History confirms that. In 2019, Forbes reported that Mac users had to change the Zoom setting to "Turn off my video when joining a meeting" because of a Zoom security flaw that, allegedly, left systems exposed to malicious attacks. Using this vulnerability, cybercriminals potentially had the option to hijack web cameras, force users to join ghost calls, perform DoS (Denial of Service) attacks, and also restore uninstalled applications. This Zoom security flaw has been fixed since then. The bottom line is that there is a lot that is out of the control of Zoom users, and the developers of the platform have to take responsibility and fix flaws before they become exploitable vulnerabilities.

Public Zoom meetings are particularly vulnerable

If you open up a Zoom meeting to the public – i.e., make it possible for anyone to join it – you have to think about a few potential security issues. Zoombombing is a funny term, but it describes an action that is anything but fun. Casey Newton, a tech reporter for The Verge, recently hosted a virtual conference using Zoom during his daily WFH Happy Hour show. The Zoom conference call ID was made public, and anyone could join it. Unfortunately, someone had malicious intentions, and soon everyone on the conference call started seeing violent pornographic videos. Once a conference is public, the assailant can join again and again after being kicked out. Casey was forced to stop the call and, at the same time, his show. The good news is that Zoom allows managing screen-sharing, and if you are the Host, you can configure the settings so that only you can share screens and content. Participants can also be muted. More tips on how to stop Zoom bombers can be found here.

In conclusion, if you are relying on Zoom during the quarantine or beyond it, you have to take appropriate security measures. Add passwords to Zoom meetings that are private, do not share your private Zoom ID, do not share private meeting IDs and links via public platforms (e.g., on social networking accounts), and make sure you create passwords for Zoom accounts that could not be guessed and breached by cybercriminals. Also, use the two-factor authentication feature. Finally, if you learn about Zoom security flaws, do not ignore them because even if you yourself might not be able to fix them, you can work around them to ensure your own virtual security and the security of others.

March 31, 2020
