sugarlkak.blogg.se

Zoombombing examples

Information leakage is the most trivial mistake to make, but also to exploit.

In this last article in our series dealing with Zoom vulnerabilities, we will take a look at information leakage. From a secure coding perspective, these issues are much simpler than injection or cryptography. But that is also the reason why it is easier for these kinds of bugs to slip through. We tend to think that vulnerabilities are complex things. In reality, sometimes a vulnerability like this is just a small mistake in a common module doing nothing special – but that module is still handling sensitive information. And leaking such information will always have disastrous consequences.

Exposing sensitive data can be intentional or unintentional. In the first case, the system designers or developers may have been simply unaware of the sensitive nature of the piece of data. Unintentional information leakage is usually a consequence of a design or implementation mistake. The leaked data can either be sensitive user data handled by the application (for instance, patient data in case of a healthcare system, or a salary of an employee), or “just” sensitive with respect to the system’s operation (such as an internal ID, an IP address or a password). The latter may help the attacker in crafting an attack.

Specifically, in the case of video conferencing systems, a meeting ID is obviously sensitive information. When the organizer does not put any other restrictions on participant admission, knowledge of the meeting ID is the only protection against anyone being able to join an ongoing conference. This trick has become so common that it has got a specific name. Zoombombing describes a situation when an “intruder” pops up uninvited in an online video conference. Note that even though the term has been named after Zoom, it has been used to describe attacks against any online video conferencing service.

We all know what photobombing is: when somebody purposefully puts themselves into the photograph. To put it another way, when somebody appears in a photo intentionally, typically in the background, thus hijacking the focus of the photo. Often done just for fun or as a practical joke. Now we have the 2020 version of this: Zoombombing.

One can use Zoombombing for many malicious purposes, from eavesdropping on confidential information (spying on the participants, or even downloading documents shared in the meeting) to a form of hacktivism, pushing a political agenda – or just trolling. In the first case, the perpetrator needs to stay unnoticed. However, for the latter, it is the other way around: one’s goal is to attract attention in the meeting.

Even trolling can serve a purpose (can be done for the “profit” part in “fun and profit”): since zoombombed sessions are usually terminated by the host due to the offending nature of the intruder, just think about disrupting a virtual class or an online exam this way. But we do not want to give anyone any ideas…
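
The article's point that a meeting ID can leak through "a common module doing nothing special" applies directly to logging. The following is an added example, not code from the original article: a Python logging filter that scrubs meeting IDs, join-link secrets and passcodes before they reach a log file. The URL and ID formats, the logger name and the sample lines are assumptions constructed for illustration.

```python
import io
import logging
import re

# Assumed formats (the article does not specify them): a join link of the form
# https://<host>/j/<9-11 digits>?pwd=<token>, a 9-11 digit meeting ID written
# after the word "meeting", and passcode/password/pwd key-value pairs.
JOIN_URL = re.compile(r"(https?://[\w.-]+/j/)\d{9,11}(?:\?\S*)?", re.I)
PASSCODE = re.compile(r"((?:passcode|password|pwd)\s*[:=]\s*)\S+", re.I)
LABELLED_ID = re.compile(
    r"(meeting(?:\s+id)?\s*[:=#]?\s*)\d{3}[\s-]?\d{3,4}[\s-]?\d{3,4}\b", re.I)


def redact(text: str) -> str:
    """Replace meeting IDs, join-link secrets and passcodes with a marker."""
    text = JOIN_URL.sub(r"\1[REDACTED]", text)
    text = PASSCODE.sub(r"\1[REDACTED]", text)
    return LABELLED_ID.sub(r"\1[REDACTED]", text)


class MeetingSecretFilter(logging.Filter):
    """Scrub the fully formatted message, so values passed as args are covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


def demo() -> list[str]:
    """Log three constructed sample lines and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(MeetingSecretFilter())  # applies to every record this handler emits
    log = logging.getLogger("conference.demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    log.info("user %s joined via %s", "alice",
             "https://conf.example.com/j/12345678901?pwd=QUJDREVG")
    log.info("Meeting ID: 987-654-3210 passcode=hunter2")
    log.info("processed 1234567890 bytes")  # unlabelled number: left alone
    log.removeHandler(handler)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Attaching the filter to the handler rather than to a single logger means records from any module routed to that handler are scrubbed, which is where the "common module" leak tends to come from.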













