George Zipperlen via plug on 4 Apr 2020 14:44:42 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Zoom bombing

Clarifying the point.  Sorry that I wasn't clear

On Apr 3, 2020, at 3:06 PM, George Zipperlen <> wrote:

Zoom hackers not as 133+ as I thought.

Not script kiddies exploiting Zoom's privacy backdoors.

Just randos finding re-used meeting ids...

The last line had little to do with Zoom specific weaknesses

Meeting organizers are re-using the same ids for sequences of meetings,
and these meeting ids are being sent, and re-sent through insecure channels

I.e. Zoom telephone number style meeting ids posted on public web pages like 
MeetUp, or even Twitter and FeceBook...

Meetup seems to [now?] have a mechanism to turn posted online meeting URLs 
into "This event has passed"

The analogy is apt -- telephone numbers, like e-mail addresses need to be 
kept from pranksters, spammers, scammers, and phishers

So "PLUGCentralApril2020" is better than "PLUGCentral" (kudos!)

and "PLUGCentralApril2020" sent to limited "Plug Mailing List" and word-of-mouth is better 
than announced by Goodyear Blimp and emergency text message to all  (kudos again)

Getting back to Jitsi vs Zoom, this is why Jitsi suggests those "MangoSerenityForLavenderTractors"
"ColorlessGreenIdeasSleepFuriously" large search space, one time mnemonic ids.

Now returning to Zoom's specific weaknesses:

Zoom telephone number style ids are a smaller search space, susceptible to both 
"knowing the number" and "robocall" attacks

Residues linger in browser history,  cookies, etc. Including URLs that contain
hashed (or even unhashed) substrings

So we (anyway) sandbox all browser activity, and all of this browser cruft is more-or-less 
well known

Closed source Apps, are even more opaque than obscure and obscured _javascript_,

So, depending on your trust level, they require more severe sandboxing

Things like Zoom should be freshly downloaded into a temporary sandbox that is deleted 
after each use,  So one session has no local knowledge of other sessions

Hypothesis here: Zoom grabs data and metadata from #all# your meetings...
They have global knowledge of all your sessions that share a fingerprint,
either actual login account, or shared characterics such as IP, OS type, etc;

When this data is stored in some kind of local cache, it is potentially available
to other sessions, not just Zoom.

Hackers thus have multiple paths to this data.

Don't these people understand that a 'back door' is not necessarily a one way turnstile,
and that even a 'secure turnstile' is easier to pass than a brick wall,,,

<Three letter agency sourced elliptic curve parameters...>

I need to find that sweet spot between too brief, and TL/DR


Philadelphia Linux Users Group         --
Announcements -
General Discussion  --