Zoom bombing
2020-04-06 13:59
One downside of the convention was some assholes 'bombing' the performance. I wondered how it was so easy to find us; web scraping or something? Probably not!
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/
The unique part of a Zoom ID is just a 9 to 11 digit number, 9 in my experience, so an attacker can just try random meeting URLs until one resolves to a live meeting. This isn't like cracking a specific password; it's more like the birthday paradox, where you keep trying until you hit *something*, because any live meeting counts as a hit. With 9 digits there are only a billion possible IDs, and with 200 million daily users now, a meaningful fraction of those IDs are in use at any moment, so the odds of a random guess landing on a live meeting are looking pretty good.
So there are fixes like requiring a password, or Waiting Rooms. Why doesn't Zoom just increase the ID size? Someone said that they want URLs that can be easily read out over the phone (this actually happened to me on one job interview.) I don't really see how 16 digits would be much worse than 9 or 11. But I note that if you add in lower case letters (lower case only, so you don't need to specify case when reading the ID aloud), and even drop a few characters as too similar (1 and l, for instance), you still have about 32 symbols, and 32^10 is roughly 1e15 possibilities in 10 characters. That's 1 million times sparser than 9 digits. And this is an online attack: the war dialers can't just throw GPUs at the task like offline password cracking, they need to make a network connection to zoom.us for every guess, which Zoom can see and rate-limit.
Relatedly, a US Social Security number is also only 9 digits, and hundreds of millions of them have been issued, so the odds of guessing one in use by someone are pretty good. With a few more digits, they would not be. (Your odds of guessing an active credit card number, 16 digits, are probably not good, though the space is limited by internal structure or checksums in ways I don't know.)
Also relatedly, when generating random alphanumeric strings for public exposure, there's the chance of creating funny or offensive strings, like JkmCatp0op. One idea I saw was to not use vowels, though that still leaves the digits that read as 'vowels', 0, 4, and 1 (O, A, I). If you limit yourself to lower case consonants plus the 7 remaining digits, that's 28 characters, and 10 of them have 28^10, about 3e14 possibilities. Adding one character puts you back at 8e15, and 12 characters give 2e17.
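Here is the arithmetic from the last few paragraphs carried through in Python, as an added example that is not part of the original post. The alphabets are constructed here to match the post's symbol counts (the post names only 1 and l as look-alikes to drop; which other characters make up the 32-symbol set is an assumption), and the one-million-live-meetings figure is a hypothetical input, not a Zoom statistic. The example also generates IDs from the vowel-free alphabet with a CSPRNG, which the post describes but does not show.

```python
import secrets

# Alphabets matching the post's counts. SAFE_ALNUM drops the look-alike
# pairs 1/l and 0/o (assumption: the post only names 1 and l) to reach 32
# symbols; CONSONANTS_DIGITS is lower-case consonants plus the 7 digits that
# do not read as vowels (0, 4 and 1 removed).
DIGITS = "0123456789"
SAFE_ALNUM = "23456789" + "abcdefghijkmnpqrstuvwxyz"      # 8 + 24 = 32 symbols
CONSONANTS_DIGITS = "bcdfghjklmnpqrstvwxyz" + "2356789"   # 21 + 7 = 28 symbols


def space_size(alphabet: str, length: int) -> int:
    """Number of distinct IDs of the given length over the alphabet."""
    return len(alphabet) ** length


def expected_probes_per_hit(live: int, space: int) -> float:
    """Mean number of uniformly random guesses needed to land on one of
    `live` in-use IDs out of `space` possible IDs. This is the war-dialling
    case: any live ID is a hit, so only the density live/space matters."""
    return space / live


def hit_probability(live: int, space: int, probes: int) -> float:
    """Probability that at least one of `probes` independent random guesses
    (with replacement) lands on a live ID."""
    return 1.0 - (1.0 - live / space) ** probes


def sparsity_ratio(alphabet: str, length: int, baseline_digits: int = 9) -> float:
    """How many times larger the ID space is than a plain 9-digit number."""
    return space_size(alphabet, length) / space_size(DIGITS, baseline_digits)


def random_id(alphabet: str, length: int) -> str:
    """Generate an ID with the secrets module (CSPRNG), not random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def looks_pronounceable(s: str) -> bool:
    """True if the string contains a vowel or a digit that reads as one
    (0, 4, 1), i.e. it could form an unintended word like JkmCatp0op."""
    return any(ch in "aeiou041" for ch in s.lower())


if __name__ == "__main__":
    LIVE = 1_000_000  # hypothetical number of simultaneously live meetings
    configs = [
        ("9 digits", DIGITS, 9),
        ("32 symbols x 10", SAFE_ALNUM, 10),
        ("28 symbols x 10", CONSONANTS_DIGITS, 10),
        ("28 symbols x 12", CONSONANTS_DIGITS, 12),
    ]
    for name, alpha, n in configs:
        space = space_size(alpha, n)
        print(f"{name:16s} space={space:.1e} "
              f"guesses per hit={expected_probes_per_hit(LIVE, space):.1e} "
              f"P(hit in 1000 guesses)={hit_probability(LIVE, space, 1000):.3g}")
    sample = random_id(CONSONANTS_DIGITS, 10)
    print("sample ID:", sample, "pronounceable:", looks_pronounceable(sample))
```

The point the numbers make is that the defender's lever is density, not secrecy of any one ID: at one live meeting per thousand 9-digit IDs, a thousand network probes hit something with probability about 0.63, while the same thousand probes against a 10-character, 32-symbol space succeed with probability under one in a hundred thousand.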