There’s a certain kind of panic that at some point gets us all.
You just got to work but did you leave the oven on at home? The gut-punch “call me ASAP” message from your boss but now they’re not answering their phone. Or that moment you unexpectedly see your camera light flash on your computer and you’re suddenly in a video call with a ton of people you don’t know.
Yes, that last one was me. In my defense it was only slightly my fault.
I got a tip about a new security startup, with fresh funding and an idea that caught my interest. I didn’t have much to go on, so I did what any curious reporter would do and started digging around. The startup’s website was splashy but largely word salad. I couldn’t find basic answers to my simple questions. But the company’s idea still seemed smart. I just wanted to know how the company actually worked.
So I poked the website a little harder.
Reporters use a ton of tools to collect information, monitor changes in websites, check if someone opened their email for comment, and navigate vast pools of public data. These tools aren’t special, reserved only for card-carrying members of the press, but rather are open to anyone who wants to find and report information. One tool I use frequently on the security beat lists all the subdomains on a company’s website. These subdomains are public but deliberately hidden from view, yet you can often find things that you wouldn’t from the website itself.
Bingo! I immediately found the company’s pitch deck. Another subdomain had a ton of documentation on how its product works. A bunch of subdomains didn’t load, and a couple were blocked off for employees only. (It’s also a line in the legal sand. If it’s not public and you’re not allowed in, you’re not allowed to knock down the door.)
I clicked on another subdomain. A page flashed open, an icon in my Mac dock briefly bounced, and the camera light flashed on. Before I could register what was happening, I had joined what appeared to be the company’s morning meeting.
The only saving grace was my webcam cover, a proprietary home-made double layer of masking tape that blocked what looked like half a dozen people from staring back at me and my unkempt, pandemic-driven appearance.
I didn’t stick around to explain myself, but quickly emailed the company to warn of the security lapse. The company had hardcoded their Zoom meeting rooms to a number of subdomains on their company’s website. Anyone who knew the easy-to-guess subdomain — trust me, you could guess it — would immediately launch into one of the company’s standing Zoom meetings. No password required.
By the end of the day, the company had pulled the subdomains offline.
Zoom has seen its share of security issues and forced to change default settings to prevent abuse, largely driven by greater scrutiny of the platform as its usage rocketed since the start of the coronavirus pandemic.
But this wasn’t on Zoom, not this time. This was a company that connected an entirely unprotected Zoom meeting room to a conveniently memorable web address, likely for convenience, but one that could have left lurkers and eavesdroppers in the company’s meetings.
It’s not much to ask to password-protect your Zoom meetings, because next time it probably won’t be me.