Lennu.net

Security incident: Zoom video conference recordings found through a search engine

On April 3, 2020, The Washington Post reported a security incident in which saved videos from the Zoom video conferencing tool were found through a search engine.

The videos were stored in separate online storage. A search engine accessed that storage and listed all of the videos in it in its records of web pages. Apparently the storage consisted of publicly available Amazon Web Services file buckets.

The person who contacted The Washington Post about the matter found this by entering the naming pattern of the saved videos into the search engine, which returned over 15 000 results of saved videos. Zoom uses an identical naming pattern for all of its saved videos, which is the crux of this security incident.
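A defender-side check for the publicly readable storage described above, as an added example that is not part of the original post. It audits a bucket's policy, ACL grants and Block Public Access settings offline. The bucket name and all sample data are constructed, the dictionaries follow the shape S3 uses for those three settings, and the check is deliberately simplified.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # ACL group: anyone
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anonymous(principal):
    # "*" and {"AWS": "*"} both match every caller, signed in or not.
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"


def public_read_findings(policy, acl_grants, block_public):
    """List the reasons objects in a bucket can be read without credentials."""
    findings = []
    # RestrictPublicBuckets makes S3 refuse anonymous access via a public policy.
    if not block_public.get("RestrictPublicBuckets"):
        for stmt in _as_list(policy.get("Statement", [])):
            readable = [a for a in _as_list(stmt.get("Action", []))
                        if any(fnmatchcase(t, a.lower()) for t in READ_ACTIONS)]
            # Simplification: statements with a Condition are left for manual review.
            if (stmt.get("Effect") == "Allow" and _anonymous(stmt.get("Principal"))
                    and readable and not stmt.get("Condition")):
                findings.append(f"policy {stmt.get('Sid', '?')}: anonymous {', '.join(readable)}")
    # IgnorePublicAcls makes S3 disregard grants to the AllUsers group.
    if not block_public.get("IgnorePublicAcls"):
        for grant in acl_grants:
            if grant["Grantee"].get("URI") == ALL_USERS and grant["Permission"] in ("READ", "FULL_CONTROL"):
                findings.append(f"acl: AllUsers {grant['Permission']}")
    return findings


# Constructed sample: a recordings bucket as it might look when open to the web.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-recordings/*"}]}
WEAK_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
NO_BLOCK = {"IgnorePublicAcls": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(public_read_findings(WEAK_POLICY, WEAK_ACL, NO_BLOCK))
    print(public_read_findings(WEAK_POLICY, WEAK_ACL, FULL_BLOCK))
```

With Block Public Access off, the sample bucket yields two findings, and turning the two settings on clears both without touching the policy or ACL.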

Cyber kill chain

This is a scenario that could have happened, or could still happen, if for example one of the video files contained a user's bank account details:

MITRE ATT&CK specifications of the incident

Tactics are the adversary's technical goals. In this case the adversary's goal might have been to find specific videos of specific users, having noticed that the videos are all available to anyone with the correct links.

Techniques are the ways in which the technical goals (tactics) are achieved. Here, search engine queries built from the naming pattern of Zoom's video files were used to find other videos, because search engines had already accessed and indexed them.

Procedures are specific implementations of techniques, for example creating a bot that runs search engine queries for the Zoom video naming pattern and saves information about the results for the adversary.

It’s human nature to want to find flaws and exploit them

In security, the first and foremost rule is that there will be people who want to exploit your system and try to break into it. When system developers accept that someone is going to take advantage of every little security hole in the system they are developing, they start to take things seriously.

Humans are explorers by nature. We want to know how something works and how it is built. We are also lazy, and if we find a vulnerability in something, we tend to use it to our advantage.

This should be a good reminder for anyone working in the security industry: we are not fighting against bots, we are fighting against the people who make the bots.

This was the first assignment of ICT Security Basics.