
Security snafus exhumed amid Zoom boom


Video conferencing service Zoom faces mounting scrutiny over its security practices as new vulnerabilities are unearthed almost daily. These include inadvertently leaking users’ personal information to other users and allowing hackers to steal users’ Windows login credentials.

Zoom usage has exploded for both personal and professional purposes – including by governments and legislatures – over the past few weeks as the coronavirus pandemic forces people around the world into isolation. It is currently the most popular app on the App Store and Play Store and the company's share price has doubled since January.

However, with this unexpected surge in popularity has come serious scrutiny of the app's security practices.

Vice’s Motherboard has reported that Zoom has been inadvertently leaking users’ email addresses and profile pictures to other users with the same email provider. This is due to Zoom treating all email addresses with “non-standard providers” as single entities within a company directory. As a result, people are automatically added to the contact list of others who use the same email domain.

Users with these email addresses can therefore see the full names, profile pictures and status of other users with the same provider, and start video chats with them (although the user still needs to accept the call for it to begin). The issue affects many thousands of people using anything other than the most common email providers.

Zoom says on its website: “By default, your Zoom contacts directory contains internal users in the same organisation, which are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com etc) in the Company Directory section.”

Zoom has since blacklisted the domains explicitly mentioned in the Motherboard report.
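The directory rule described above, modelled as an added example (not Zoom's code and not part of the original article): it contrasts the default-allow denylist of public domains with a default-deny rule based on verified domain ownership. The user records, account ids, `.example` domains and the verified-domain set are constructed assumptions.

```python
from collections import defaultdict

# Denylist as quoted from Zoom's website above (the "etc" entries are unknown).
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
# Assumption: domains whose ownership an organisation has proven.
VERIFIED_ORG_DOMAINS = {"corp.example"}

# Constructed sample users: (email, account id).
USERS = [
    ("alice@smallisp.example", "acct-1"),
    ("bob@smallisp.example", "acct-2"),
    ("carol@corp.example", "acct-3"),
    ("dave@corp.example", "acct-3"),
    ("grace@corp.example", "acct-6"),
    ("erin@gmail.com", "acct-4"),
    ("frank@gmail.com", "acct-5"),
]

def domain_of(email):
    return email.rsplit("@", 1)[1].lower()

def shares_directory(a, b, domain_ok):
    """True if users a and b appear in each other's company directory."""
    (email_a, acct_a), (email_b, acct_b) = a, b
    if acct_a == acct_b:
        return True
    dom = domain_of(email_a)
    return dom == domain_of(email_b) and domain_ok(dom)

def denylist_policy(dom):
    # Default-allow: any domain not on the list is treated as one company.
    return dom not in PUBLIC_DOMAINS

def verified_policy(dom):
    # Default-deny: only domains with proven ownership are grouped.
    return dom in VERIFIED_ORG_DOMAINS

def contacts(viewer_email, policy, users=USERS):
    viewer = next(u for u in users if u[0] == viewer_email)
    return sorted(u[0] for u in users
                  if u != viewer and shares_directory(viewer, u, policy))

def unintended_groups(users=USERS):
    """Domains where the denylist groups separate accounts without proven ownership."""
    accounts = defaultdict(set)
    for email, acct in users:
        accounts[domain_of(email)].add(acct)
    return sorted(d for d, accts in accounts.items()
                  if len(accts) > 1 and denylist_policy(d) and not verified_policy(d))
```

Running `unintended_groups()` over a real user export is a quick audit for domains that a denylist would merge into one directory even though no organisation has claimed them.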

Meanwhile, Zoom has also been accused by researchers of allowing bad actors to steal Windows OS credentials by sending targets a string of text representing their network location on the device they are using. The Zoom app automatically converts these strings into links which, if clicked on, will send the target’s Windows usernames and corresponding NTLM hashes (which can be converted into a plain-text password) to the address in the link. This allows the attacker to access shared network resources, such as Outlook servers.

Security researcher Matthew Hickey told ArsTechnica: “It’s quite a shortcoming from Zoom. It’s a very trivial bug. With more of us working from home now, it’s even easier to exploit that bug.”

Zoom told ArsTechnica that it was working to address the issue.

Earlier this week, a Californian Zoom user filed a class action lawsuit against Zoom, claiming that its sharing of some user data with Facebook was unlawful. The FBI also joined the Zoom pile-on recently, warning about the growth of “Zoombombing” - the practice of entering meetings without password protection and disrupting them, often with pornographic or hate imagery.

Zoom has also proved a particular concern for Mac users, with reports emerging in recent days that a vulnerability could force Mac users with Zoom installed to join Zoom meetings with their cameras automatically activated, as well as allowing hackers to gain root access to their targets’ computers.

As Zoom wrestles to stay on top of this mounting heap of security flaws, whilst still supporting its rapidly-growing user base, some high-profile organisations are starting to turn their backs on the service. Nasa prohibits its employees from using Zoom, while Elon Musk’s rocket company SpaceX has also banned its employees from using the service.
