Google Meet Flaw — Join Any Organisation Call (Not a 0day but still acts as a 0day) — Refused by Google VRP
Hi everyone, I am Basavaraj Banakar.
Without wasting time, let's jump into the matter.
Issue Background: Google Meet is a popular video conferencing tool used by many organizations for virtual meetings and online collaboration. However, I recently discovered a vulnerability that allows unauthorized individuals to join a meeting without an invitation. This vulnerability acts like a zero-day exploit, even though it is not technically considered one.
Note: I am not responsible for any targeted attacks. This is just for educational purposes and to notify organisations about this issue.
The impact of this vulnerability can be severe for organizations that use Google Meet on a daily basis or for confidential or sensitive meetings. Unauthorized individuals may be able to eavesdrop on discussions or disrupt the meeting. In some cases, they may even be able to impersonate a legitimate attendee and participate in the meeting as if they were authorized to do so.
This is a very easy issue; I am not sure why nobody has pointed it out earlier.
Normal flow of Google Meet:
- The host creates a meeting.
- The host shares the meeting link with users/employees (via invite).
- Users/employees join the call via the invite link. A user who was not invited has to be admitted by the host of the meeting.
But where does the issue lie?
Have you ever noticed the feature for joining a meeting by telephone call? The issue lies here.
As far as we know, if we want to join a meeting we were not invited to, the meeting host has to admit us.
Here, we only need the meeting link of an organization. With the link, we can join the organization’s meeting using a telephone call without any admission or invitation.
Steps:
1. I got the meeting link of an organisation, i.e. https://meet.google.com/jyq-duuk-kmx
2. If I want to join the meeting through the web, I need to be admitted by the meeting host.
3. Now I will navigate to https://meet.google.com/tel/jyq-duuk-kmx .
4. Now I will use the same number and PIN generated by the meeting ID to join the meeting via telephone call, i.e. Phonenumber;Pin#
5. Successfully joined the call.
6. Verified from the web also (from the meeting host).
Here are the lame/unwanted responses from Google VRP after I reported this issue to them.
I think that's it. Please ignore any grammatical mistakes you find. If you think this is not a security issue, let me know in the comments. If you think this is an issue, then let's get this to Sundar Pichai 😂