Zoom Bombing

Zoom Bombing refers to unauthorized individuals gaining access to Zoom meetings and disrupting them, often with malicious intent. This phenomenon became particularly notable during the early stages of the COVID-19 pandemic when many meetings moved online. One of the key factors that enabled Zoom bombing was the use of enumerable or guessable meeting IDs, a classic example of the security risk posed by predictable resource identifiers in REST APIs.

How Enumerable Resource IDs Enabled Zoom Bombing

  1. Guessable Meeting IDs: Early versions of Zoom assigned meeting IDs that were relatively short, numeric, and sequential or quasi-random, like 123-456-789. This made them susceptible to guessing and enumeration attacks, where attackers could try various combinations of numbers to find valid meeting IDs.

  2. Lack of Access Controls: Often, these meeting IDs were not secured with strong authentication measures such as passwords, waiting rooms, or host approvals. As a result, anyone who could guess a meeting ID could join the session, leading to unauthorized access.

  3. Exploitation of Public APIs: Attackers could leverage automated scripts or bots to systematically attempt different meeting ID combinations, exploiting the lack of rate limiting and proper authorization checks in Zoom’s API. This enumeration allowed them to discover active meetings that were not adequately secured.

  4. Consequences: Once inside, attackers could disrupt meetings, share offensive content, or eavesdrop on private discussions, leading to significant security, privacy, and reputational issues.

Key Lessons and Best Practices

  • Use Non-enumerable IDs: Meeting IDs should be long, random, and non-sequential, such as UUIDs, making them difficult to guess.

  • Implement Strong Access Controls: Always secure meetings with passwords, waiting rooms, and other authentication mechanisms to prevent unauthorized access, even if the meeting ID is discovered.

  • Rate Limiting and Monitoring: APIs should implement rate limiting and monitor access patterns to detect and block enumeration attempts.
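The following Python example is added here to illustrate the three lessons above together with the search-space point from the earlier section; it is not Zoom's code and does not reflect Zoom's actual implementation. It assumes a toy in-memory meeting service, a 128-bit random identifier as the hardened ID format, constructed join-attempt log lines, and illustrative thresholds (5 attempts per 60 seconds, 5 distinct IDs per window) that a real deployment would tune.

```python
import secrets
from collections import defaultdict, deque

# Search-space arithmetic for the two identifier styles the article contrasts.
NUMERIC_ID_SPACE = 10 ** 9          # 9-digit numeric IDs such as 123-456-789
RANDOM_ID_BYTES = 16                # assumed: 128 bits of CSPRNG output per ID
RANDOM_ID_SPACE = 2 ** (8 * RANDOM_ID_BYTES)


def expected_guesses_per_hit(id_space: int, active_meetings: int) -> float:
    """Average blind guesses before one lands on an active meeting.

    Each uniform guess hits with probability active_meetings / id_space,
    so the expected number of guesses per hit is the reciprocal.
    """
    return id_space / active_meetings


def new_meeting_id() -> str:
    """URL-safe ID drawn from the OS CSPRNG: neither sequential nor guessable."""
    return secrets.token_urlsafe(RANDOM_ID_BYTES)


class Meeting:
    def __init__(self, passcode: str, waiting_room: bool = True):
        self.id = new_meeting_id()
        self.passcode = passcode          # ASCII passcode (compare_digest needs ASCII str)
        self.waiting_room = waiting_room
        self.waiting: set = set()         # participants awaiting host approval
        self.admitted: set = set()


class MeetingService:
    """Toy join endpoint: random ID + passcode + waiting room + per-client rate limit."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0):
        self.meetings = {}
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)   # client -> timestamps of recent join calls

    def create(self, passcode: str, waiting_room: bool = True) -> Meeting:
        meeting = Meeting(passcode, waiting_room)
        self.meetings[meeting.id] = meeting
        return meeting

    def _rate_limited(self, client: str, now: float) -> bool:
        # Sliding window: drop timestamps older than the window, then count.
        recent = self.attempts[client]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return True
        recent.append(now)
        return False

    def join(self, client: str, meeting_id: str, passcode: str, now: float) -> str:
        if self._rate_limited(client, now):
            return "rate_limited"
        meeting = self.meetings.get(meeting_id)
        # One generic outcome for "unknown ID" and "wrong passcode", so the
        # response never confirms that a guessed ID corresponds to a real meeting.
        if meeting is None or not secrets.compare_digest(meeting.passcode, passcode):
            return "denied"
        if meeting.waiting_room:
            meeting.waiting.add(client)
            return "waiting"
        meeting.admitted.add(client)
        return "admitted"

    def admit(self, meeting_id: str, client: str) -> bool:
        """Host approval: move a waiting participant into the meeting."""
        meeting = self.meetings[meeting_id]
        if client not in meeting.waiting:
            return False
        meeting.waiting.discard(client)
        meeting.admitted.add(client)
        return True


# Constructed join-attempt log lines: "<ts_seconds> <client> <meeting_id> <result>".
# 10.0.0.5 walks through consecutive numeric IDs; 10.0.0.9 retries one meeting.
SAMPLE_LOG = """\
0 10.0.0.5 123456789 denied
1 10.0.0.5 123456790 denied
2 10.0.0.5 123456791 denied
3 10.0.0.5 123456792 denied
4 10.0.0.5 123456793 denied
5 10.0.0.5 123456794 denied
7 10.0.0.9 987654321 waiting
30 10.0.0.9 987654321 waiting
"""


def enumeration_suspects(log_text: str, window: int = 60, distinct_ids: int = 5) -> set:
    """Clients that tried at least `distinct_ids` different meeting IDs within `window` seconds."""
    events = defaultdict(list)            # client -> [(ts, meeting_id)]
    for line in log_text.splitlines():
        ts, client, meeting_id, _result = line.split()
        events[client].append((int(ts), meeting_id))
    suspects = set()
    for client, attempts in events.items():
        attempts.sort()
        recent = deque()
        for ts, meeting_id in attempts:
            recent.append((ts, meeting_id))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len({m for _, m in recent}) >= distinct_ids:
                suspects.add(client)
                break
    return suspects
```

`expected_guesses_per_hit` makes the identifier lesson concrete: with one million active meetings, a nine-digit numeric space yields a hit every thousand guesses on average, while a 128-bit random space needs on the order of 10^32. The join handler layers the remaining lessons so that even a discovered ID is useless without the passcode and host approval, and `enumeration_suspects` shows the monitoring signal (many distinct IDs from one client in a short window) that a rate limiter or blocklist would act on.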

The Zoom bombing incident serves as a critical reminder of the dangers associated with enumerable or guessable resource IDs in REST APIs. Properly securing identifiers and implementing robust access controls are essential steps in preventing unauthorized access and ensuring the integrity of API-driven applications.