Hacker News new | past | comments | ask | show | jobs | submit login
GoogleMeetRoulette: Joining random meetings (martinvigo.com)
371 points by yowie on Oct 4, 2018 | hide | past | favorite | 74 comments

I recently had a sales call with a potential vendor (they were a startup). They used the same number and meeting code for all of the meetings. I had accidentally called in about 10 minutes early and was dumped into another conversation, and heard the other potential customer talking. It was odd how insecure and weird it was. I think this is a potential issue for all meeting services.

I just checked and the meeting code is still valid, It was from a meeting from mid June 2018, using the zoom.us service. It's a meeting room/code assigned to a specific rep. Reused/resent to all leads.

Probably their "personal meeting room" -- Zoom makes it very easy to just use that for all of one's meetings. For intracompany use, I've used it, but I prefer to not use it for intercompany discussions, too much chance of leakage.

Yes that's correct, it was a personal meeting room for a salesperson. But don't you think it's odd that I can call into to any meeting for months on end? Or that someone could do that to you? We were talking to them about a partnership deal, and would of needed to sign a contract which included certain non-disclosures etc. Yet someone could just call in and listen?

Massive security hole. You could setup a bot constantly in the call and record all the conversations. It could be setup with a seemingly official name like "admin" or the name of the company, so any one looking at the live list of attendees would think it's a normal maintenance bot from either the company or the service.

It's possible the lock out the conference room from new attendees. Also as someone who drives conference calls, I would be sure to eject anyone who I did not know on the call... I monitor participants constantly.

I use zoom for interviews and run into the same issue using my personal room for back-to-back interviews. My solution is to enable the waiting room feature. This makes it so that people can call in, but need to be admitted to the actual room. This works well for the interviews. The problem is that it's a account wide setting and cannot be disabled for specific meetings. So now the is a problem of I set up the room for a recurring meeting and am out sick and forgot to disable the waiting room.

on our zoom, you can schedule a meeting, and it gets a one-time number

Slack integration. `/zoom meeting foo` — get a fresh meeting ID.

Yes, that would be a potential solution, but using the same room works exceptionally well with how the meetings get scheduled without going into too much detail.

I see two issues with that strategy. If you lock a meeting, people can't connect who may just be late, or if they disconnect accidentally, they can't reconnect. The second is most calls aren't webinars or organized events. These services get used by 1-on-1, 2-on-1 etc, smaller calls frequently. It could be difficult to stay engaged and be expected to diligently secure a call.

I don't think we'd expect this level of security to be acceptable for email access. It's really just a matter of enforcing a pin number, along with a meeting code.

I get an email if someone enters my personal waiting room. I would notice if someone I didn't know was logged in during a meeting.

I also mentioned it to the sales guy, but he was unfazed, which I think shows a lack of respect for customer privacy, even though he probably didn't realize it.

This is really unfortunate but all too common. Sales guys are typically (as a type/group) improvisational in nature. They actually thrive in insecure environments, because solving problems as they occur (i.e. putting off security for later) gives them more freedom and flexibility _right now_, which is what they crave. They tend to wonder "why are you using valuable money-making time to secure that which is constantly expanding--maybe we won't even need this system tomorrow" and so on.

(So goes the thinking; it obviously has its pros and cons...and HN readership eats these guys' psychology for breakfast anyway, with a generally systems-focused mindset)

Also, you can't know what you aren't taught.

You don't know what you don't know.

You keep responding to your own post. Curious why you thought this was appropriate or necessary.

The meeting/conferencing system at my workplace generates a unique code for each meeting. The major downside to this is that the codes are very long, twice as long as they'd need to be if we just assigned a code to every employee (which is what my last employer did)

> "I would claim that nobody pays attention or verifies that there are no unexpected attendees before starting a meeting, specially for longer ones."

I know for our work Skype for Business meetings we interrogate unidentified guests and boot them if they fail to appropriately identify themselves.

I have thought that long running recurring meetings is a security risk because of the use of the same pin

When you have a long list of attendees in a large organization, it's almost impossible to do that with everyone.

To use calculus as an analogy, as the number of people in your meeting approaches infinity, the confidentiality of that meeting approaches 0 anyway. You may still verify everyone's identity, but someone is going to be leaking enough information that it's close enough to just having a lurker who shouldn't be there.

A more cynical person might suggest the limit is approached as the number of participants approaches two...

"Three may keep a secret if two of them are dead." -- Benjamin Franklin

Could add breaks where key information is given that's slightly different for each participant.


How about a security feature designed by old computer game aficionados? Every fifteen minutes there's an enforced break. Hold music begins playing. After a moment the music fades and a synthesized voice says "Turn to page...23...of your employee manual. In the...third...paragraph, note the...first...word. Enter the first three letters of that word using the keys on your touchtone phone, and you will rejoin the meeting."

Unless you can ensure that everyone on the meeting is an authenticated user or was a approved to join by one.

No what I'm saying is with enough people, even if you authenticate everyone, one of them will violate confidentiality anyway. I've been in meetings where there was no teleconferencing of any kind, but sure enough the decision was leaked before being official anyway. As you get more an more people (or as you get enough people that the above solutions are considered unscalable) that approaches inevitability.

Do you happen to know if there are any published studies on this? I'd find it particularly interesting how well this number (curve) correlates with Dunbar's Number.

I don't. Hadn't even heard of Dunbar's Number and had to Google it :) I would imagine, though this is pure speculation, that it's highly variable and hard to measure accurately since most leaks are hard to pinpoint. Probably depends on company culture, nature of the deal, etc. I just think that if you're at the scale that verbally confirming who has dialed in via insecure means is unscalable, you're likely enough to be past this limit that you should be taking other countermeasures anyway.

> hard to measure accurately since most leaks are hard to pinpoint.

Pinpointing the source isn't necessary, though, only knowing that the leak occurred and the approximate number of people "in on it". Even limiting this to leaks to the media for information shared at company meetings (so the number of people is equal to the number of employees) could provide interesting data, assuming a large enough sample size (and that leaks are numerous enough).

That was a wonderful read, thank you.

The post mentions that Google made some fixes and reverted them due to customer complaints, do we know what those fixes were? Have they fixed the issue?

It looks like they fixed the brute forcing PIN issue. When I set up a new meeting, the phone in PIN is 9 digits long (compared to the 4 mentioned in the article)

However it seems the recurring meeting number+pin doesn't change. I feel this is a better UI, and only a minor risk with an easy workaround - update the meeting - which you would probably do anyway to remove the attendee who is no longer included

I just tested this since we use google meet. You can open an existing calendar event and remove the google meet details and recreate them. Seems to give you all new PIN and meet address.

I can't be the only one that thought many meetings could be improved by a random person joining a meeting and asking some obvious questions from outside the company bubble.

Reading the title I had the complete opposite expectations. Thinking that he is talking about a system where you want to have meeting with random people to talk about business.

What I'd love for every voice conference was an online screen with a list of everyone dialled in (caller Id based). It would be good for security but even better would be a little noise level meter on each line so you can see which %%%%er is heavy breathing all the time.

(also a choice of on hold music would be nice but that is just dreaming)

Zoom does that - I stopped using my voice-only conference line and use zoom even for voice only calls because of things like that. It’s nice to be able to mute the guy ordering Panera during my calls...

I think UberConference does all of that.

Yup. Uberconf is my go-to, and they have a decent free tier.

Caller ID is not secure, an attacker can spoof any phone number they want.

Pretty sure meet does all of that minus the hold music..

I do this all the time with BlueJeans. If you mute your speaker and mic, the other party doesn’t even easily know you’ve joined.

Most of the times, random codes failed but once I managed to accidentally dial in into a Facebook meeting.

Fun times!

Slightly OT, do you have to be on Gsuite enterprise to get intl dial in numbers to show up? It'd be great to have that but it just shows US numbers for me in the UK.

Yes, and that's really unfortunate. Doubling the cost of G Suite to get intl numbers is a hard sell, but US numbers basically make the feature completely unavailable for many people.

It's actually 5x the cost. $25 vs $5/month for basic.

Felt just like reading about Kevin Mitnicks adventures. Such a brilliant piece of work this.

how much was the bounty for something like this?

Article mentions "ELEET" which I assume means their $1,337 bounty.

Well, eleet would be $31337.-

However in Google's case their top bounty is $3133.70

I got 3,133.70 :)

Why would there be a bounty on basically a brute force attack?

Felt legit to me. Sites can, should, and do take steps to mitigate brute force attacks, his approach showed some shortcomings in those steps, e.g. they already only allow 3 bad PINs per call, but he showed that by hanging up immediately after the 3rd bad PIN they make it relatively trivial for the attacker to detect the failure. He also demonstrated that due to the partial phone number masking in the UI the attack could be done from an apparently trusted phone number.

Because it was effective and he told them?

You have a point, I wasn’t expecting a bounty at all. I believe they valued the additional proposed attack vectors, the detailed report and highliting a number of issues that could be fixed to hardening the service. I found that Google values researches and reports beyonf RCEs

Probably because no google engineer recognized it as an attack vector.

Why should any service allow a brute force attack? I can't brute force my bank pin, and I can't brute force my google password.

Because combining some smart/interesting methods make the brute force viable in a small enough time frame.


That's not what the article is about though. It's about brute forcing yourself into someone else's meeting.

No chance of sexual misconduct there.

Did you read the piece? This isn't a tool that you can use to join random meetings for entertainment or whatever - it's a vulnerability disclosure which has already been fixed by Google.

Did you read the piece?

Betteridge's law of Internet Comments in action.

I'm intrigued by this idea of random-socialization online. Obviously the sites like this have thus far catered more towards sexual content, but I feel like there's huge potential for online streaming socialization that Twitch and Discord haven't fully tapped. I can't put my finger on what, but there have been nights I just want to hop online and meet random strangers to talk about common interests about. Kind of like going to a bar to meet people, but with a higher chance that they'll be interested in the same things as you, so a cross between going to a bar and coming to HN to discuss interesting things.

I believe you are responding to the tongue-in-cheek title, and not to the article (which is about a security hole in Google Meet).

Well shit. Yeah usually I read the article first but the title got me so excited that I wrote the comment because that topic really fascinates me. Oh well. Thanks for pointing it out.

ICQ used to have this in the late 90's. You could find random people on the network based on what they filled out in their profile and start chatting with them. I live in Europe and made a friend in South Africa that way, who I ended up visiting a few years later.

Of course, you couldn't do this nowadays because abusive people would show up and ruin it for everyone. I don't know why they didn't back then.

> Of course, you couldn't do this nowadays because abusive people would show up and ruin it for everyone. I don't know why they didn't back then.

People who had early access to Internet (or any tech) were more likely to be nerds.

I don't think you can explain this by simply categorizing people. You can find more than a few stories of nerds being abusive to other people.

I think initially the Internet brought people closer together. It was like ham radio - you could connect with people in a relatively small but very distributed community of hobbyists and experts. Once everyone joined and it became ubiquitous, it's had the opposite effect - it's replaced most of our social interactions but there's an increased anonymity and social separation.

> I don't think you can explain this by simply categorizing people

I was not trying to categorize people, but I was trying to abstractly point out how this might happen, but I used a "category" to explain it simply.

> I think initially the Internet brought people closer together. It was like ham radio - you could connect with people in a relatively small but very distributed community of hobbyists and experts. Once everyone joined and it became ubiquitous, it's had the opposite effect - it's replaced most of our social interactions but there's an increased anonymity and social separation.


"nerds" is just a type of social circle, who're also the initial adopters of a tech, you don't want to be an outcast by doing something that is not "nerdy" in the early stages, because it is easily noticeable by other nerds of that tech. When the social circle expands to potentially bring in other types of social circles (by going mainstream) and becomes (pseudo)anonymous, you'll obviously find a large variation of (acceptable) behaviors among the different social circles, which may or may not overlap with each other.

> You could find random people on the network based on what they filled out in their profile and start chatting with them.

In my case not ICQ, but a local messaging app had this feature as well. When I have moved to a new city a girl who has also recently moved there has found me by age and location. We've been married for 13 years now :)

Another I remember from that era was Microsoft Netmeeting.. there was an screen with a list of all users and their status online/offline and you could call a random stranger.

Another thing I remember about this is that I could make unlimited calls to land lines in the United States from my country. Pretty interesting for a 12 years old kid.

Indeed! I actually started reading this expecting a new product for random meetups on interesting topics; the actual topic was also interesting.

The concept is intriguing, at least if one could keep it on real meeting topics which could have a world of interest and discovery (vs 4chan-ish foolery, of which there is already plenty available)

WeChat has a shake feature that pairs you with some one who supposedly is shaking as well. Who knows how well it really works. Seems like I always get paired with Saudi Arabia.

The whole country?!

No just this one dude, Mohammed bin something. All he does is talk about cars and bitch about his dad. Apparently his dad is some big shot.

Omegle? You specify your interests and then get matched with a stranger

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact