UPDATED April 3 with additional issues.
UPDATED with details of blog post by Zoom's founder and CEO spelling out fixes Zoom has made and pledge to lock down development for 90 days to find and fix security and privacy flaws, and with blog post by Zoom's chief product officer regarding Zoom's use of end-to-end encryption.
Are you using Zoom yet? It seems that everyone in America who's been forced to work, or do schoolwork, from home during the coronavirus lockdown is using the video-conferencing platform for meetings, classes and even social gatherings.
There are good reasons Zoom has taken off and other platforms haven't. Zoom is easy to set up, easy to use and lets up to 100 people join a meeting for free. It just works.
But there's a downside. Zoom's ease of use makes it easy for troublemakers to "bomb" open Zoom meetings, and for hackers to inject malware into a machine running Zoom. There's also been a lot of scrutiny about Zoom's privacy policy, which until recently seemed to give Zoom the right to do whatever it saw fit with any user's personal data.
Given the soaring usage of the Zoom platform during the coronavirus lockdown, and the near-doubling of its stock price since the beginning of February, Zoom has come under intense scrutiny from security professionals and privacy advocates. And boy, have they found stuff.
We've already mentioned that anyone can "bomb" a public Zoom meeting if they know the meeting number, and then use the screen-share feature to post shocking images, or make annoying sounds in the audio. The FBI even warned about it a few days ago.
The host of the Zoom meeting can mute or even kick out troublemakers, but they can come right back with new user IDs. The best way to avoid Zoom bombing is to not share Zoom meeting numbers with anyone but the intended participants. You can also require participants to use a password to log into the meeting.
STATUS: There are easy ways to avoid Zoom bombing, which we go through here.
Zoom meetings have side chats in which participants can send text-based messages and post web links.
But according to Twitter user @_g0dmode and Anglo-American cybersecurity training firm Hacker House, Zoom makes no distinction between regular web addresses and a different kind of remote networking link called a Universal Naming Convention (UNC) path. That leaves Zoom chats vulnerable to attack.
If a malicious Zoom bomber slipped a UNC path to a remote server that he controlled into a Zoom meeting chat, an unwitting participant could click on it.
The participant's Windows computer would then try to reach out to the hacker's remote server specified in the path and automatically try to log into it using the user's Windows username and password.
The hacker could capture the password "hash" and crack it offline, giving him access to the Zoom user's Windows account.
UPDATE: Yuan's blog post says Zoom has now fixed this problem.
STATUS: Fixed, apparently.
Mohamed A. Baset of security firm Seekurity said on Twitter that the same flaw also lets a hacker insert a UNC path to a remote executable file into a Zoom meeting chatroom.
If a Zoom user running Windows clicks on it, a video posted by Baset showed, the user's computer will try to load and run the software. The victim will be prompted to authorize the software to run, which will stop some hacking attempts but not all.
STATUS: If the UNC filepath issue is fixed, then this should be as well.
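Both variants above (the credential-leaking share and the remote executable) depend on the chat client rendering a UNC path as a clickable link. The check below is an added example of the kind of filter a chat client could apply on the defender's side; it is not Zoom's code, and the function names and patterns are my own assumptions.

```python
import re

# Link forms a Windows client resolves over SMB rather than HTTP (constructed patterns).
# Clicking any of them makes Windows attempt an outbound NTLM login to the named host.
_SHARE_FORMS = (
    re.compile(r"^\\\\[^\\/\s]+(\\|$)"),   # \\host\share\... or a bare \\host
    re.compile(r"^//[^/\s]+(/|$)"),         # //host/share (mapped to file:// by some clients)
    re.compile(r"^file:", re.IGNORECASE),   # file://host/share/tool.exe
)
_WEB_URL = re.compile(r"^https?://", re.IGNORECASE)


def classify_link(token: str) -> str:
    """Return 'unc' for share-style links, 'web' for http(s) URLs, 'text' for anything else."""
    if any(pattern.match(token) for pattern in _SHARE_FORMS):
        return "unc"
    if _WEB_URL.match(token):
        return "web"
    return "text"


def sanitize_chat(message: str, placeholder: str = "[link removed: UNC path]") -> str:
    """Replace share-style links in a chat line so the client never renders them as clickable.

    Whitespace is preserved, so a sanitized line still reads naturally; ordinary web URLs
    are left untouched because they are what the chat feature is meant to carry.
    """
    parts = re.split(r"(\s+)", message)  # keeps the whitespace separators as their own items
    return "".join(placeholder if classify_link(part) == "unc" else part for part in parts)


if __name__ == "__main__":
    # Constructed sample chat line mixing a legitimate meeting link with a hostile share path.
    sample = r"notes here: \\evil.example\share\notes.docx and the meeting https://zoom.us/j/000"
    print(sanitize_chat(sample))
```

Independently of the chat client, the Windows-side mitigation is to stop the automatic login itself: the group policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be set to deny or audit it, and blocking outbound TCP port 445 at the network edge stops the connection to an internet-hosted share.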
Until last week, Zoom sent iOS user profiles to Facebook as part of the "log in with Facebook" feature in the iPhone and iPad Zoom apps. After Vice News exposed the practice, Zoom said it hadn't been aware of the profile-sharing and updated the iOS apps to fix this.
STATUS: Fixed.
Zoom claims that its meetings use "end-to-end encryption" if every participant calls in from a computer or a Zoom mobile app instead of over the phone. But under pressure from The Intercept, a Zoom representative admitted that Zoom's definitions of "end-to-end" and of "endpoint" are a bit different from everyone else's.
"When we use the phrase 'End to End'," a Zoom spokesperson told The Intercept, "it is in reference to the connection being encrypted from Zoom end point to Zoom end point."
Sounds good, but the spokesperson clarified that he counted a Zoom server as an endpoint. Every other company considers a user device -- a desktop, laptop, smartphone or tablet -- as an endpoint, but not a server.
In other words, the data is encrypted when it travels from a Zoom client application on a computer or mobile device (an endpoint, in networking lingo) to a Zoom server, or vice versa. It's decrypted at the server, and Zoom can see and hear it.
Every other company uses "end-to-end" to mean fully encrypted from one endpoint to another. When you send an Apple Message from your iPhone to another iPhone user, Apple's servers help the message get from one place to another, but they can't read the content.
Not so with Zoom. It can see whatever is going on in its meetings, and it pretty much has to in order to make sure everything works properly. Just don't believe the implication that it can't.
UPDATE: In a blog post April 1, Zoom Chief Product Officer Oded Gal wrote that "we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption."
"We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," he wrote.
Gal assured users that all data sent and received by Zoom client applications (but not regular phone lines, business conferencing systems or, presumably, browser interfaces) is indeed encrypted and that Zoom servers or staffers "do not decrypt it at any point before it reaches the receiving clients."
However, Gal added, "Zoom currently maintains the key management system for these systems in the cloud" but has "implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings."
The implication is that Zoom doesn't decrypt user transmissions -- but because it holds the encryption keys, it could if it had to.
For those worried about government snooping, Gal wrote that "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
And he added that companies and other enterprises would soon be able to handle their own encryption process.
"A solution will be available later this year to allow organizations to leverage Zoom's cloud infrastructure but host the key management system within their environment."
STATUS: This is an issue of misleading advertising rather than an actual bug. We hope Zoom stops using the term incorrectly.
We learned last summer that Zoom used hacker-like methods to bypass normal macOS security precautions. We thought that problem had been fixed along with the security flaw it created.
But a series of tweets March 30 from security researcher Felix Seele, who noticed that Zoom installed itself on his Mac without the usual user authorization, reveals that there's still an issue.
"They (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed)," Seele wrote.
"The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware." (Seele elaborated in a more user-friendly blog post here.)
Zoom founder and CEO Eric S. Yuan tweeted a friendly response.
"To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others," Yuan wrote. "Your point is well taken and we will continue to improve."
UPDATE: In a new tweet April 2, Seele said Zoom had released a new version of the Zoom client for macOS that "completely removes the questionable 'preinstall'-technique and the faked password prompt."
"I must say that I am impressed. That was a swift and comprehensive reaction. Good work, @zoom_us!" Seele added.
STATUS: Fixed.
Plenty of "others" could indeed use Zoom's dodgy installation methods, renowned Mac hacker Patrick Wardle said in a blog post March 30.
Wardle demonstrated how a local attacker -- such as a malicious human or already-installed malware -- could use Zoom's magical powers of unauthorized installation to "escalate privileges" and gain total control over the machine without knowing the administrator password.
Wardle also showed that a malicious script installed into the Zoom Mac client could give any piece of malware Zoom's webcam and microphone privileges, which do not prompt the user for authorization and could turn any Mac with Zoom installed into a potential spying device.
"This affords malware the ability to record all Zoom meetings, or simply spawn Zoom in the background to access the mic and webcam at arbitrary times," Wardle wrote.
UPDATE: Yuan's blog post says Zoom has fixed these flaws.
STATUS: Fixed.
Zoom automatically puts everyone sharing the same email domain into a "company" folder where they can see each other's information.
Exceptions are made for people using large webmail clients such as Gmail, Yahoo, Hotmail or Outlook.com, but not apparently for smaller webmail providers that Zoom might not know about.
Several Dutch Zoom users who use ISP-provided email addresses suddenly found that they were in the same "company" with dozens of strangers -- and could see their email addresses, user names and user photos.
STATUS: Unknown.
Several privacy experts, some working for Consumer Reports, pored over Zoom's privacy policy and found that it apparently gave Zoom the right to use Zoom users' personal data and to share it with third-party marketers.
Following a Consumer Reports blog post, Zoom quickly rewrote its privacy policy, stripping out the most disturbing passages and asserting that "we do not sell your personal data."
STATUS: Unknown. We don't know the details of Zoom's business dealings with third-party advertisers.
Does all this mean that Zoom is unsafe to use? No.
You just need to be aware that the Zoom software creates a huge "attack surface," as security professionals like to say, and that hackers are going to try to come at it every way they can. They're already registering lots of Zoom-related phony domains and developing Zoom-themed malware.
The upside is that if lots of flaws in Zoom are found now and fixed soon, then Zoom will be the better -- and safer -- for it.
"Zoom will soon be the most secure conferencing tool out there," wrote tech journalist Kim Zetter on Twitter April 1. "But too bad they didn't save themselves some grief and engage in some security assessments of their own to avoid this trial by fire."
In a blog post April 1, Zoom CEO and founder Eric S. Yuan acknowledged Zoom's growing pains and pledged that all regular development of the Zoom platform would be put on hold while the company worked to fix security and privacy issues.
"We recognize that we have fallen short of the community's -- and our own -- privacy and security expectations," Yuan wrote, explaining that Zoom was originally developed for large businesses that had in-house IT staffers who could set up and run the software.
"We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived," he said. "These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones."
To deal with these issues, Yuan wrote, Zoom would be "enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues."
Among other things, Zoom would also be "conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases."
Privacy researcher Patrick Jackson noticed that Zoom meeting recordings saved to the host's computer generally get a certain type of file name. So he searched unprotected cloud servers to see if anyone had uploaded Zoom recordings and found more than 15,000 unprotected examples, according to The Washington Post. Jackson also found some recorded Zoom meetings on YouTube and Vimeo.
This isn't really Zoom's fault. It's up to the host to decide whether to record a meeting, and Zoom gives paying customers the option to store recordings on Zoom's own servers.
If you host a Zoom meeting and decide to record it, then make sure you change the default file name after you're done.
STATUS: Not really Zoom's problem, to be honest.
You can find open Zoom meetings by rapidly cycling through possible Zoom meeting IDs, a security researcher told independent security blogger Brian Krebs.
The researcher got past Zoom's meeting-scan blocker by running queries through Tor, which randomized his IP address. It's a variation on "war dialing," the dial-up-era practice of randomly dialing telephone numbers to find open modems.
The researcher told Krebs that he could find about 100 open Zoom meetings every hour with the tool, and that "having a password enabled on the [Zoom] meeting is the only thing that defeats it."
STATUS: Unknown.
Two Twitter users pointed out that if you're in a Zoom meeting and use a private window in the meeting's chat app to communicate privately with another person in the meeting, that conversation will be visible in the end-of-meeting transcript the host receives.
STATUS: Unknown.
Zoom privacy and security issues: Here's everything that's wrong (so far) - Tom's Guide