An Open Source Intelligence perspective on the online sharing behavior of humans as an effect of the COVID19 pandemic, to enable better Security Awareness.
As an OSINT researcher I always advocate Operation Security (OPSEC) and general “Cyber” Security Awareness.
Since the outbreak of the COVID19 pandemic, with people having to work from home, I started noticing a huge spike in people making video calls.
Video meetings, conference calls and webinars are nothing new. They have been around for years, but mostly WITHIN the company doors.
With Covid19 I see that people are not so aware of others (pranksters, trolls, malicious actors etc.) tracking their social media posts or the scheduled meetings on their websites.
Almost every 20 seconds I see an invite link being tweeted on Twitter. Some are meant to be shared openly but almost half of them are NOT meant to be seen by the general public. Or at least the invite links to that video meeting should not be accessible by just anyone from anywhere around the globe.
It is not only the open invite links; the password-protected links get shared too, or people add the password in plain text alongside the invite link.
The type of meetings can be really sensitive. How about Crystal Meth and Alcoholics Anonymous meetings? Should they be openly accessible? I like to think that should not be possible.
But schools also share their classroom video meeting links in a similar way, with or without the password visible in plain text. The recent news already shows people “zoombombing” and posting Nazi, antisemitic and pornographic content during lessons and school meetings.
Below I will share some basic OSINT searches I’ve made that can be used to find the things I’ve pointed out above, including the sensitive ones.
Why? Why would I do this? Why would I share this information knowing that bad actors might also read this and exploit it?
Because I want YOU to share this blog with your company, school, friends and family so that they will be aware of these risks. Hopefully your CISO, director, teacher, hobby club (or just You) will read this and will make some mandatory changes about sharing links for meetings openly.
Only you and they can prevent these links from being shared openly in the future.
This has nothing to do with the video platforms’ security or encryption; that is a whole other discussion. This is about the weakest link in cyberspace, the human.
First off, I want to explain what is needed to find the openly shared video meeting or conference call invite links.
I basically already said it: we need to look for the invite links. To do that we need to know the invite URL structure. For this example I have examined the following video meeting platforms:
- Microsoft Teams
- Jitsi
- Zoom
- Google Meet
- Skype
- Bluejeans
- WebEx
- GoToMeeting
I have chosen these eight platforms since they are the most popular video meeting platforms whose links are currently being shared online by users during the Corona (Covid19) pandemic. And again, I can’t stress this enough, this has nothing to do with the safety or encryption of the discussed platforms. This is real people openly sharing information (invite links) that shouldn’t, or shouldn’t always, be shared with the general public.
- For Microsoft Teams you will need this part of the URL to find openly shared invite links to meetings: “teams.microsoft.com/l/meetup-join”
- For Jitsi you will need this part of the URL to find openly shared invite links to meetings: “meet.jit.si”
- For Zoom you will need this part of the URL to find openly shared invite links to meetings: “zoom.us.j/”
- For Google Meet you will need this part of the URL to find openly shared invite links to meetings: “meet.google.com/”
- For Skype you will need this part of the URL to find openly shared invite links to meetings: “join.skype.com/”
- For Bluejeans you will need this part of the URL to find openly shared invite links to meetings: “bluejeans.com/”
- For WebEx you will need this part of the URL to find openly shared invite links to meetings: “bcwt.webex.com”
- For GoToMeeting you will need this part of the URL to find openly shared invite links to meetings: “Gotomeet.me/”
With this knowledge we can start crafting searches on Twitter and Google to look for invite links on all the above mentioned platforms. We do this by using boolean operators.
In the Twitter advanced search we can type the following search query and hit enter (1).
“teams.microsoft.com/l/meetup-join” OR “meet.jit.si” OR “zoom.us.j/” OR “meet.google.com/” OR “join.skype.com/” OR “bluejeans.com/” OR “bcwt.webex.com” OR “Gotomeet.me/”
Once the results are presented, be sure to click on “latest” (2) to see only the most recent results. This will look something like this:
These are the basics of finding the video invite links. Now you can make your searches more targeted, for instance by filtering them by language. Below is an example of the same query, but now we look for invite links written in the Dutch language by using the lang: operator.
“teams.microsoft.com/l/meetup-join” OR “meet.jit.si” OR “zoom.us.j/” OR “meet.google.com/” OR “join.skype.com/” OR “bluejeans.com/” OR “bcwt.webex.com” OR “Gotomeet.me/” lang:nl
Another option could be looking for the same invite links, but now the tweet has to contain the word password or pin in that exact same tweet. This way we are able to target invite links that need a password or pin to gain access, where that password or pin is also openly shared within the same message.
“teams.microsoft.com/l/meetup-join” OR “meet.jit.si” OR “zoom.us.j/” OR “meet.google.com/” OR “join.skype.com/” OR “bluejeans.com/” OR “bcwt.webex.com” OR “Gotomeet.me/” password OR pin
By now I think you will get the idea of how to find these invite links. And hopefully by now you know someone you might want to make aware of the risks involved in sharing these links. What if I added a company name to the invite URL query? What if I added a school name? Other words like “town hall” or “weekly meeting” or “lunch meeting” are very common in these openly shared invite links.
For Google we can search in an almost similar way using “Google Dorks”. Although Google does a fairly good job of filtering these invite links out of its index, we are still able to find a fair amount of these, sometimes very sensitive, invite links.
But before I show a few examples we need to understand that we need to filter out some noise to get results that are as targeted as possible.
Because we are only looking for invite links that are shared openly by people online, we need to filter out the source platforms themselves. That way we only get results coming from third-party URLs, not URLs coming directly from the source platforms. Below is an example:
“teams.microsoft.com/l/meetup-join” OR “meet.jit.si” OR “zoom.us.j/” OR “meet.google.com/” OR “join.skype.com/” OR “bluejeans.com/” OR “bcwt.webex.com” OR “Gotomeet.me/” -site:microsoft.com -site:jitsi.org -site:zoom.us -site:google.com -site:skype.com -site:bluejeans.com -site:webex.com
After the results (1) are presented you could filter (2) them per last day, week or month (3) to make sure you only get recently indexed results. This would look something like this:
By adding the -site:<domainname.com> operator we have made clear to Google that we want to see what they have indexed about the invite links, but we want to exclude every link coming from the host domain. This cuts out noise and gives a higher relevance in our results.
Now we can of course add additional keywords like we have seen in the Twitter searches posted above. For example we can add password OR pin again.
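The defensive counterpart to the searches above, as an added example that is not part of the original post: a pre-publication check that flags outgoing text (a draft tweet, newsletter or web page) containing an invite link for one of the eight platforms, and rates it higher when a password or pin sits in the same message. The function names and sample drafts are constructed for illustration, and the extra Zoom fragment is an assumption noted in the code.

```python
import re

# URL fragments as listed in the post; matching is case-insensitive.
INVITE_FRAGMENTS = {
    "Microsoft Teams": ["teams.microsoft.com/l/meetup-join"],
    "Jitsi": ["meet.jit.si"],
    # The post writes "zoom.us.j/". Zoom join links take the form zoom.us/j/<id>,
    # so that form is added here (assumption of this example) to catch real links.
    "Zoom": ["zoom.us.j/", "zoom.us/j/"],
    "Google Meet": ["meet.google.com/"],
    "Skype": ["join.skype.com/"],
    "Bluejeans": ["bluejeans.com/"],
    "WebEx": ["bcwt.webex.com"],
    "GoToMeeting": ["gotomeet.me/"],
}

# "password" or "pin" as a whole word, the two keywords used in the post's queries.
SECRET_WORD = re.compile(r"\b(password|pin)\b", re.IGNORECASE)


def check_draft(text):
    """Return a finding for one outgoing message, or None if it holds no invite link."""
    lowered = text.lower()
    platforms = [name for name, frags in INVITE_FRAGMENTS.items()
                 if any(frag in lowered for frag in frags)]
    if not platforms:
        return None
    has_secret = bool(SECRET_WORD.search(text))
    return {
        "platforms": platforms,
        "secret_in_same_message": has_secret,
        # Link plus credential in one message is the worst case described in the post.
        "severity": "high" if has_secret else "review",
    }


def review_queue(drafts):
    """Return (index, finding) for every draft that should not go out unreviewed."""
    return [(i, f) for i, d in enumerate(drafts) if (f := check_draft(d)) is not None]


# Constructed sample drafts (placeholders, not real meetings).
SAMPLE_DRAFTS = [
    "Weekly meeting tomorrow 10:00, join via https://zoom.us/j/0000000000 password: example123",
    "Town hall is on https://meet.jit.si/ExampleTownHall see you there",
    "Working from home today, coffee is great.",
    "Class 4B lesson: https://teams.microsoft.com/l/meetup-join/EXAMPLE PIN 0000",
]

if __name__ == "__main__":
    for idx, finding in review_queue(SAMPLE_DRAFTS):
        print(idx, finding["severity"], ", ".join(finding["platforms"]))
```

A "review" result means a person should decide whether the meeting is meant to be public; a "high" result means the link and its credential should go out through separate, non-public channels.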
Again, this blog is not about the hardware and software; this is about the weakest link in cyberspace, the human.
With Covid19 making it mandatory for a lot of people to work from home, combined with their natural habit of sharing on social media, we get another subject that needs extra security awareness.
My point here was and still is: be aware of what you share! Is it necessary to share a picture from your working desktop? Is it necessary to show your home office? Have you thought of cleaning up your office desk and desktop screen to deny bad actors seeing sensitive or valuable information? What if that local burglar took a look at the pictures you post from inside your home or office during the Corona quarantine? Now he knows what valuables are in your home, and when quarantine is over the burglar has lots of opportunity to visit your house since you will be working at the company office again.
So please stop sharing home office information in pictures and videos. Just take a look on ANY social media platform (Twitter, Instagram, Facebook) and look for one of these hashtags for example (filter the hashtags by picture or video for better results):
You will be amazed by the amount of sensitive information that is shared by people. Company emails on laptops, passwords on sticky notes, meeting notes, private pictures hanging on walls inside offices and many many more sensitive things.
And that’s it. Now you know how someone figured out your Zoom meeting link and how they are able to videobomb the meeting. They used OSINT to target the invite links that were shared openly on the internet by YOU or your COMPANY and were therefore accessible to anyone.
So please DO share this blog and DO NOT share those video meeting invite links and pictures (or videos) from inside your home and home office desks.