ZOOM LEAKS — A Platform for finding leaked Meetings

Rakesh Krishnan
Apr 2, 2020

Update:- Since the site was taken down, many active forums such as Nulled or Raid have been regularly updated with ZoomBombing posts that link to leaked meetings. Some of them are:-

https://throwbin.io/N0jxTNb
https://pastr.io/view/zroRcVOXo3d
https://throwbin.io/S5lPPos

It seems the interest of hackers has shifted from COVID-themed malware and phishing campaigns to video conferencing platforms like Zoom, where such activity is now rife.

Image Courtesy: TheHackerNews.com

With the recent change in the working environment, many organizations have already moved to carrying out their business through virtual meetings. Most of them stick with Zoom, as its quality is unparalleled compared with other meeting platforms, which has resulted in its wide adoption.

Zoom has been hammered on various discussion forums such as Reddit for its lax privacy implementation, and was roasted recently for not having end-to-end encryption; instead, it only supports ordinary transport encryption, such as:-

TCP Connections with TLS Support
UDP Connections with AES (using a Key negotiated over TLS)

The problem with transport encryption, as opposed to end-to-end encryption, is this:- Zoom can access your private meetings (audio and video) and can hand over the data once the FBI requests it, as the content is not protected from the company itself.

A novel approach by hackers/leakers has taken shape here:- What if people want to leak Zoom conferences?

Yes, a perfect place to dump all the conference meeting IDs, which helps in intercepting corporate network secrets. Might somebody have thought of starting a new site exclusively for this?

Yes, here it is:-

Zoomleaks.com is the place where people come and dump meeting IDs, which may include school lectures, office meetings, etc.

It seems that there is not much active participation (ATTOW), as we can see only a few posts.

Future Code Section from the Forum where Meeting IDs are leaked

This might be because the site is relatively new; it was registered on 1st April, 2020.

Following are the Website details:-

Domain: zoomleaks.com
Registered by: NameCheap
Registered Date: 2020-04-01
IP: 35.245.209.172
Server Type: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
Hosting Provider: Google LLC

Checking the SSL records reveals the following details:-

Issuing CA: Let’s Encrypt Authority X3
Valid: April 01, 2020 to June 30, 2020
Key Size: 2048 bits

REACHING WIDER AUDIENCES

Like many new services that maintain a presence on messaging platforms such as Telegram and Discord to reach a larger audience, this site is no different and has marked its presence on Discord.

Disclosing Sensitive Meeting info on Discord Server

Participation on the Discord server is more active than on the website, since going to the site and registering is a tedious task.

It is also found that the Discord server has a channel named “Memorabilia” where NSFW content is leaked.

It is evident that the channel is much more active, along with active participation on another channel named “Codes for the Apes” on the same server.

Update:- The website has been taken down and the domain name is up for sale on NameCheap.

KEY TAKEAWAYS

>Regularly check whether any of your meeting invites have been dumped/leaked.
>Setting a password on your meeting is worthless in the case of an internal breach.
>The underlying encryption architecture is weak, given the absence of end-to-end encryption.
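
One way to automate the first check above, as an added example that is not part of the original article: it scans text you have already collected (a paste or forum export) and reports only meeting IDs that belong to you. The join-link shape `zoom.us/j/<9 to 11 digit ID>?pwd=...`, the function names and all sample IDs are assumptions constructed for illustration.

```python
import re

# Assumed join-link shape: https://[sub.]zoom.us/j/<9-11 digit ID>[?pwd=<token>]
JOIN_URL = re.compile(
    r"https?://(?:[\w-]+\.)*zoom\.us/j/(\d{9,11})(?:\?pwd=([\w.-]+))?", re.I)
# Bare IDs are usually written in groups: "123 456 7890" or "123-456-789".
# The lookbehind skips digits that are part of a URL path or a longer number.
BARE_ID = re.compile(r"(?<![\d/])(\d{3})[ -]?(\d{3,4})[ -]?(\d{3,4})(?!\d)")


def normalize(meeting_id):
    """Reduce any written form of a meeting ID to its digits."""
    return re.sub(r"\D", "", meeting_id)


def find_exposed(text, own_ids):
    """Map each of our own meeting IDs found in `text` to where it appears.

    IDs that are not in `own_ids` are ignored, so the report never
    re-publishes other people's meetings.
    """
    own = {normalize(i) for i in own_ids}
    findings = {}

    def record(mid, lineno, has_pwd):
        if mid not in own:
            return
        f = findings.setdefault(mid, {"lines": [], "password_exposed": False})
        if lineno not in f["lines"]:
            f["lines"].append(lineno)
        f["password_exposed"] = f["password_exposed"] or has_pwd

    for lineno, line in enumerate(text.splitlines(), 1):
        for m in JOIN_URL.finditer(line):
            record(m.group(1), lineno, m.group(2) is not None)
        for m in BARE_ID.finditer(line):
            record("".join(m.groups()), lineno, False)
    return findings


# Constructed sample data: none of these IDs or tokens are real.
SAMPLE_PASTE = """\
lecture tonight https://zoom.us/j/9990001111?pwd=Q29uc3RydWN0ZWQ
staff sync: 999-000-222
unrelated https://example.zoom.us/j/8880003333
call me on 999 000 4444
"""
OWN_IDS = ["999 000 1111", "999000222", "777-000-5555"]

if __name__ == "__main__":
    for mid, info in find_exposed(SAMPLE_PASTE, OWN_IDS).items():
        print(mid, info)
```

A hit with `password_exposed` set means the invite link itself leaked, so the meeting should get a new ID as well as a new password.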

Till now, no corporate network meetings have been spotted, but that may change in the coming days, as this is slowly gaining traction and becoming a regular checklist item for hackers, who publish corporate network details after infiltration.

Note:- This article is purely individual research and is not to be used/published anywhere without consent.

Follow me on Twitter for latest Industrial/Technical trends on Cyberspace, Esp. Dark Web :-)

Written by Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.