To Zoom or not to Zoom: is the app out-of-control and unsafe?
Experts are uncovering more and more security breaches in the Zoom app, while the company is regrouping to sustain the growing user base.
With the COVID-19 outbreak and more businesses moving their operations to home offices, the number of active daily Zoom users skyrocketed from 10 million to 200 million, according to the company’s CEO Eric Yuan. Now people all around the globe are using the video conferencing application to study, train, party and have work meetings in weird but comfy combinations of office shirts and pajama pants. But experts have already pointed out several security issues in the app before, so is Zoom capable of ensuring a safe user experience for its growing audience? Apparently, not really.
For example, recent reports identified a vulnerability that allowed cybercriminals to steal Windows credentials and even execute commands on victims’ computers by sharing malicious links in the Zoom chat. The company released an update on April 1 claiming to patch this issue.
Vulnerability to 'UNC path injections' was confirmed by researchers Matthew Hickey and Mohamed Baset. The previous version of Zoom for Windows supported remote UNC paths converting potentially insecure URIs into hyperlinks. Using the SMBRelay technique it was possible to make Windows automatically expose a user's login username and NTLM password hashes to a remote SMB server when attempting to connect and download a file hosted on it.
This vulnerability could be used further to launch programs and execute arbitrary commands, which was pointed out by Google security researcher Tavis Ormandy. That type of attacks were possible because the browsers operating on Windows save downloaded files in a specific folder by default, which can be used to make the user download the batch script and trigger it with the Zoom bug.
Two other breaches were highlighted by a security researcher Patrick Wardle. They allow hackers to get access to the operating system of Mac computers, install malware, tap into the webcam and microphone. Zoom also claims to have fixed both bugs in their latest update.
First of all, he demonstrated how a person having physical access to a computer but limited user privileges can get to the “root” or highest user privileges by injecting the Zoom installer with malicious code. This opens possibilities to further running malware or spyware secretly.
The second Mac flaw allowed to inject code to trick Zoom into giving the hacker the same access to the webcam and microphone that the app already had.
Other recently handled issued include unnecessary data disclosure by LinkedIn Sales Navigator App and transferring data to Facebook without user consent.
One serious vulnerability still remains unresolved. Despite the initial statements on providing end-to-end encryption, Zoom does not offer it and is unable to do so at the moment. In fact, the app uses Transport encryption or Transport Layer Security (TLS) protocol which secures the connection between a user and the server they are connected to. To put it shortly, while other users can’t access each other’s data, Zoom can still do it.
Weaknesses of the app led to the rise in a very disturbing social phenomenon — ‘Zoom-bombing’ or ‘Zoom raids’. Trolls share public Zoom conference codes on Reddit, 4Chan, Discord, Twitter or Instagram and harass the meeting participants with pranks, threats, pornographic and offensive materials.
img source: ZDnet
To address this crisis, the company announced that the team is taking a 90-day period ‘dedicating the resources needed to better identify, address, and fix issues proactively’.
Meanwhile, experts recommend to be cautious when using the instrument and consider avoiding it altogether. But if you or your company continues to use Zoom nonetheless, here are a couple of things to keep in mind:
Click on the links in Zoom chats only from trusted sources.
Do not share links to your events openly on social media.
Avoid generating codes for public events using your Personal Meeting ID (PMI). Generate random meeting IDs. Otherwise, once hijackers get access to your individual channel, they might continue randomly attacking it.
Consider protecting your meetings with passwords.
If applicable, use the ‘meeting room’ feature that allows you to pre-approve the conference members.
Zoom also shared other tips, including disabling “Join Before Host” and “Allow Removed Participants to Rejoin” features, ‘locking’ the meeting, disabling file transfer, and limiting attendees’ screen sharing.
Do you want to learn more about the growing threats and best methods of preventing cyber-attacks during the pandemic? Read another material from Breach Report here.