Staggering: Zoom totally ignored security and privacy of customers


Recently there has been quite some commotion around Zoom, the video conferencing app that has become a standard collaboration tool during the corona crisis. Several security and privacy flaws were found in the app, some of which seriously compromised the privacy of its users. Because it became hard to tell which report was about which problem, we decided to create an overview.

As the app grew in popularity, a number of problems with Zoom's privacy and security surfaced, and some security researchers even advised users to stop using the service altogether. The scale of the exposure is considerable: Zoom's daily active users grew from 10 million to 200 million in March.

Several privacy issues

Privacy organisation Electronic Frontier Foundation (EFF) identified a number of issues with the app. For example, a meeting host could see whether participants were paying attention through an "attention tracking" feature, which flagged anyone who did not have the Zoom window in focus for more than 30 seconds (the feature has since been disabled). Meeting hosts, and even ordinary account administrators within a company, also had access to recordings of calls. In addition, for each call, administrators could collect data about participants: their operating system, IP address, location information and details of their devices. Zoom has not yet said anything about disabling these last two capabilities.

Another problem was the so-called Zoombombing, in which uninvited participants joined video conferences (often by guessing or finding the meeting ID) and hijacked them to show pornographic or racist material. These incidents can be prevented by changing a few settings for a call: restricting screen sharing and file transfer to the host, using a meeting password and a waiting room, and locking the meeting once everyone has joined. The question is, of course, why such functions are open to every participant by default at all.

As the icing on the cake, the Zoom iOS app sent data to Facebook: the Facebook SDK it bundled for "Login with Facebook" reported device and app-usage information to Facebook on every launch, even for users without a Facebook account. Zoom later removed the SDK, but the question is once again why that feature was there in the first place.

Weaknesses

Bleeping Computer reported that Zoom's Windows client was vulnerable to credential theft: the chat turned Windows UNC paths (such as \\server\share) into clickable links, and a user who clicked one made Windows connect to the attacker's SMB server and hand over the user's NTLM credential hash, which can then be cracked or relayed. The Intercept further revealed that, despite Zoom's marketing, meetings were not end-to-end encrypted: traffic is protected in transit with TLS, but Zoom's own servers can decrypt it. Motherboard found that Zoom's "Company Directory" feature grouped users by the domain of their e-mail address, so people who signed up with a personal address at the same small ISP could see each other's names, e-mail addresses and photos as if they were colleagues. Especially at large domains this puts data in the hands of strangers.
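The UNC-path problem above is a general lesson about chat renderers, not just about Zoom: anything that auto-links text must not turn filesystem paths into clickable links. The following is an added example, not Zoom's code, that models a chat renderer in Python with the reported behaviour (UNC paths become links) next to the fixed behaviour (only http(s) URLs become links), plus a check you can run over rendered output. The message and the 198.51.100.7 host are constructed sample input.

```python
import html
import re

# Constructed model of a chat auto-linker, not Zoom's implementation.
# Two token kinds: an http(s) URL, and a Windows UNC path \\host\share[\...].
TOKEN_RE = re.compile(
    r"(?P<url>https?://[^\s<>\"']+)"
    r"|(?P<unc>\\\\[^\s\\/]+(?:\\[^\s\\]*)+)"
)


def render_chat(message: str, link_unc_paths: bool) -> str:
    """HTML-escape a chat message and wrap recognised tokens in <a> tags.

    link_unc_paths=True models the reported behaviour of the old Windows client:
    a UNC path is rendered as a clickable link, and a click makes Windows open
    the SMB share and send the user's NTLM credential hash to that host.
    link_unc_paths=False is the fix: UNC paths stay plain, escaped text.
    """
    out = []
    pos = 0
    for m in TOKEN_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        text = html.escape(m.group(0), quote=True)
        if m.group("url") is not None or link_unc_paths:
            out.append(f'<a href="{text}">{text}</a>')
        else:
            out.append(text)
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def contains_unc_link(rendered_html: str) -> bool:
    """Check for rendered output: is there a clickable link whose target is a UNC path?"""
    return re.search(r'<a href="\\\\', rendered_html) is not None


# Constructed sample message: one legitimate URL and one attacker-supplied UNC path.
SAMPLE_MESSAGE = r"Slides: \\198.51.100.7\share\deck.pptx and https://example.com/agenda"

if __name__ == "__main__":
    old = render_chat(SAMPLE_MESSAGE, link_unc_paths=True)
    new = render_chat(SAMPLE_MESSAGE, link_unc_paths=False)
    print("old client renders UNC link:", contains_unc_link(old))
    print("fixed client renders UNC link:", contains_unc_link(new))
    print(new)
```

The check in contains_unc_link is the kind of regression test worth keeping around: the fix is not "never render links" but "only render links for schemes you have decided are safe to open", and the assertion catches anyone who later loosens the tokenizer.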

Objective-See discovered two zero-day bugs in the macOS client. Both require an attacker who already has code running as a local user on the Mac, but from there one bug abuses Zoom's installer to gain root, and the other lets malicious code load into the Zoom process and inherit its camera and microphone permissions, so it can record video and audio without the user ever seeing a prompt.

Suspicious methods

A software engineer noticed that Zoom's macOS installer behaves in a way that is comparable to malware: it performs the entire installation from a pre-installation script, before the user has clicked "Install" in the standard macOS installer. That in itself is not a reason to panic, as it is a deliberate shortcut to save clicks rather than an attack, but it shows a willingness to work around platform safeguards and does not help to put any of the other problems in a better light.

A report by The Citizen Lab also showed that some video calls between participants outside China were routed through servers in China, and that the meeting encryption keys were in some cases generated by and distributed from those servers. Whoever controls the server that hands out the key can decrypt the call, so that capability sat in China. Citizen Lab also found that the meeting content itself was encrypted with a single AES-128 key in ECB mode, not the AES-256 that Zoom advertised, which leaks patterns in the plaintext. The link with China in itself is explainable by the fact that part of Zoom's software development is outsourced to the country.

Security firm Check Point found that more than 1,700 domain names containing the word "Zoom" had been registered since the start of the year, a quarter of them in the preceding week alone, and that around 4 percent showed suspicious characteristics. Such lookalike domains are the raw material for phishing sites that entice users to click on links or download fake installers. ZDNet reported that Zoombombers are already forming groups on Discord, Reddit and online forums to share meeting IDs and tactics.

How does Zoom respond?

Eric Yuan, CEO of Zoom, has meanwhile apologised for the company's mistakes in a blog post and announced several steps. The company has put a 90-day freeze on new features, moving its engineering effort to security and privacy instead. Most of the bugs above have been fixed, the bug bounty program will be improved, and the company will undergo a security assessment by independent experts. In another blog post the problems with encryption were explained. From now on, Yuan will also host a weekly webinar with privacy and security updates, to be as transparent as possible.

EFF told The Next Web in a statement that people are rightly concerned about their privacy: “We’re troubled by reports that Zoom was sharing analytics data about users with Facebook. We still don’t know to what extent Zoom shares user information with other third parties.”

As far as we're concerned, it's not necessarily bad news that so many problems have been identified with the app, as this can only lead to improvement. If Zoom delivers on all its promises, a much safer app should emerge in the coming period. It is also true that the company is under unusually heavy scrutiny at this point, because its use has exploded. It could well be that the same kinds of problems will surface in other collaboration services once researchers look as closely.

Update 15-04: Meanwhile, on top of the other problems, the login credentials of some 500,000 Zoom accounts were found for sale on the dark web: e-mail addresses, passwords and personal meeting IDs. It has to be said that Zoom is probably not to blame here, as the data was most likely collected in earlier breaches of other services and tried against Zoom (credential stuffing). The people at risk are therefore mainly those who reuse the same e-mail address and password combination across services.

On the other hand, Zoom has also announced concrete improvements: the meeting ID has been removed from the title bar of the app, so it no longer leaks through screenshots of a running meeting. Paying users can now choose which data center regions their meeting traffic is routed through, and Zoom announced that servers in China would no longer be used for meetings of users outside China, free users included.