Zombie Zoom Meeting Links Expose Thousands of Organizations

"Zombie links" enable unauthorized individuals to join ongoing meetings or impersonate employees, potentially resulting in data breaches.

An uncovered security loophole exposes thousands of organizations, including Fortune 500 companies, by revealing company-specific Zoom links. As reported by Krebsonsecurity, these links offer the potential for malicious attacks such as , and social engineering attacks as they can work indefinitely.

The Danger of Zombie Zoom Links

At the heart of this issue is the Zoom Personal Meeting ID (PMI). This permanent identification number linked to a user's Zoom account serves as a personal meeting room open around the clock. The PMI forms part of each new meeting URL created by the account. Zoom's convenient feature of including an encrypted passcode within the meeting link actually potentially opens up meetings to unauthorized individuals. These links can be found by or other search engines and have lately been the case for thousands of organizations.

Potential Harm of Unwanted Intruders

These discovered “zombie links” enable unauthorized individuals to join ongoing meetings or impersonate employees, potentially resulting in data breaches. Several large corporations, including Citigroup, Disney, Humana, JPMorgan Chase, LinkedIn, Nike, Oracle, and Uber, had their Zoom links inadvertently cataloged by online archiving service, the Wayback Machine. Charan Akiri, a researcher and security engineer at Reddit, pointed out this serious security flaw. Using automated programs, Akiri was able to identify thousands of active Zoom links from different organizations that were potentially vulnerable to unauthorized access.

Precautions to Ensure Meeting Security

Akiri has outlined several tips for safer usage of Zoom links. These include avoiding the use of PMIs for public meetings, requiring passcodes for meeting access, and only allowing registered or domain-verified users. Turning off PMI for ad hoc meetings and not scheduling public meetings with the same PMI can also protect against the misuse of Zoom links. Organizations can take this a step further by mandating registration for attendees, complete with email verification and customized questions.