How I accidentally gatecrashed a startup’s morning meeting


NelsonG

There’s a certain kind of panic that at some point gets us all.

You just got to work but did you leave the oven on at home? The gut-punch “call me ASAP” message from your boss but now they’re not answering their phone. Or that moment you unexpectedly see your camera light flash on your computer and you’re suddenly in a video call with a ton of people you don’t know.

Yes, that last one was me. In my defense it was only slightly my fault.

I got a tip about a new security startup, with fresh funding and an idea that caught my interest. I didn’t have much to go on, so I did what any curious reporter would do and started digging around. The startup’s website was splashy, but largely word salad. I couldn’t find basic answers to my simple questions. But the company’s idea still seemed smart. I just wanted to know how the company actually worked.

So I poked the website a little harder.

Reporters use a ton of tools to collect information, monitor changes in websites, check if someone opened their email for comment, and to navigate vast pools of public data. These tools aren’t special, reserved only for card-carrying members of the press, but rather open to anyone who wants to find and report information. One tool I use frequently on the security beat lists all the subdomains on a company’s website. These subdomains are public but deliberately hidden from view, yet you can often find things that you wouldn’t from the website itself.

Bingo! I immediately found the company’s pitch deck. Another subdomain had a ton of documentation on how its product works. A bunch of subdomains didn’t load, and a couple were blocked off for employees only. (It’s also a line in the legal sand. If it’s not public and you’re not allowed in, you’re not allowed to knock down the door.)

I clicked on another subdomain. A page flashed open, an icon in my Mac dock briefly bounced, and the camera light flashed on. Before I could register what was happening, I had joined what appeared to be the company’s morning meeting.

The only saving grace was my webcam cover, a proprietary home-made double layer of masking tape that blocked what looked like half a dozen people from staring back at me and my unkempt, pandemic-driven appearance.

I didn’t stick around to explain myself, but quickly emailed the company to warn of the security lapse. The company had hardcoded their Zoom meeting rooms to a number of subdomains on their company’s website. Anyone who knew the easy-to-guess subdomain — trust me, you could guess it — would immediately launch into one of the company’s standing Zoom meetings. No password required.

By the end of the day, the company had pulled the subdomains offline.

Zoom has seen its share of security issues and has been forced to change default settings to prevent abuse, largely driven by greater scrutiny of the platform as its usage rocketed since the start of the coronavirus pandemic.

But this wasn’t on Zoom, not this time. This was a company that pointed a conveniently memorable web address at an entirely unprotected Zoom meeting room, likely for convenience, but in a way that could have let lurkers and eavesdroppers into the company’s meetings.

It’s not much to ask to password-protect your Zoom meetings, because next time it probably won’t be me.
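The lapse described above, as an added example that is not part of the original article and is not code from the company involved: a small Python check that takes each enumerated subdomain together with the redirect target it serves (constructed sample data; the example.com hostnames are hypothetical) and flags Zoom join links that carry no passcode. It separately flags links that embed the passcode in the URL, because a public redirect then hands the passcode to anyone who finds the hostname, so password-protecting the meeting alone would not have closed the hole. The Zoom URL shapes assumed are the standard `https://<tenant>.zoom.us/j/<meeting id>[?pwd=...]` join links.

```python
"""Audit subdomain redirect targets for Zoom meeting links joinable without a passcode.

Added example, not the article's code. Hostnames and redirect targets below are
constructed sample data; the Zoom URL shapes assumed are the standard
https://<tenant>.zoom.us/j/<meeting id>[?pwd=...] join links.
"""
import re
from urllib.parse import parse_qs, urlparse

# Zoom join links live on zoom.us or a tenant subdomain such as acme.zoom.us.
ZOOM_HOST = re.compile(r"^([a-z0-9-]+\.)?zoom\.us$", re.IGNORECASE)
# /j/<id> is the normal join path; /wc/join/<id> is the browser-client variant.
# Meeting IDs are 9 to 11 digits.
JOIN_PATH = re.compile(r"^/(?:j|wc/join)/(\d{9,11})/?$")


def classify_redirect(location):
    """Describe a Zoom join link, or return None if the URL is not one."""
    try:
        u = urlparse(location)
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    if not ZOOM_HOST.match(u.hostname):
        return None
    m = JOIN_PATH.match(u.path)
    if not m:
        return None
    # pwd= carries the passcode; when present the link authenticates whoever clicks it.
    pwd = parse_qs(u.query).get("pwd", [""])[0]
    return {"host": u.hostname, "meeting_id": m.group(1), "passcode_embedded": bool(pwd)}


def audit(records):
    """records: iterable of (subdomain, redirect target). Returns findings, worst first."""
    findings = []
    for subdomain, location in records:
        info = classify_redirect(location)
        if info is None:
            continue
        if info["passcode_embedded"]:
            severity, reason = "medium", "public redirect leaks the meeting passcode"
        else:
            severity, reason = "high", "meeting joinable with no passcode"
        findings.append({"subdomain": subdomain, "severity": severity, "reason": reason, **info})
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample: what a crawl of a company's enumerated subdomains might return.
SAMPLE_RECORDS = [
    ("docs.example.com", "https://docs.example.com/"),                      # not Zoom
    ("allhands.example.com", "https://acme.zoom.us/j/98765432101?pwd=abcDEF123"),
    ("standup.example.com", "https://zoom.us/j/1234567890"),               # no passcode
    ("events.example.com", "https://acme.zoom.us/webinar/register/WN_x"),  # not a join link
    ("meet.example.com", "https://notzoom.us/j/1234567890"),               # look-alike host
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['subdomain']} -> {f['host']} "
              f"meeting {f['meeting_id']}: {f['reason']}")
```

In practice the records would come from a subdomain enumeration tool plus one HTTP request per hostname, recording the final Location after following redirects (and any meta-refresh or JavaScript redirect the page uses); the block deliberately does no network I/O so it runs offline against the sample. A "medium" finding still means anyone who guesses the hostname lands in the meeting, so the real fix for both severities is to stop serving the redirect publicly and, on the Zoom side, to require a passcode, a waiting room, or authenticated attendees.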
