Video conferencing service Zoom reportedly installs itself on Macs by working around Apple's regular security, and also promotes that it has end-to-end encryption, but demonstrably does not.
Increased usage of video conferencing app and service Zoom during the coronavirus outbreak is leading to more security issues being uncovered. As well as previously sending user data to Facebook, which it says it has fixed, it has now been accused of two separate security issues.
In one, it is reportedly working around Apple security to be installed, and in another it is claiming to offer end-to-end encryption that it doesn't have.
Twitter user @c1truz_, technical lead for malware tracker VMRay, reports that Zoom's Mac app installer uses preinstallation scripts and allegedly displays a faked macOS system message.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M — Felix (@c1truz_) March 30, 2020
"This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste," continues @c1truz_, "The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges."
"[These are the] same tricks that are being used by macOS malware," he concludes.
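A package can be checked for this kind of install-time script before it is run. The following is an added example, not code from the article, from @c1truz_ or from Zoom's installer: it assumes the package has already been expanded on macOS with `pkgutil --expand`, and the function names, the pattern list and the sample package tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag install-time scripts in an
# expanded macOS package. On macOS, expand the package first with:
#   pkgutil --expand Installer.pkg expanded/    # both names are placeholders

# Commands worth reading closely when they appear in a preinstall/postinstall
# script: archive extraction, writes to /Applications, privilege prompts.
SUSPECT_RE='7z|unzip|ditto|/Applications|osascript|sudo'

# list_install_scripts DIR: print every preinstall/postinstall script under DIR.
list_install_scripts() {
    find "$1" -type f \( -name preinstall -o -name postinstall \) | sort
}

# audit_pkg_scripts DIR: print "path:line:text" for each suspect line.
# Returns 0 when nothing matched, 1 when something did, 2 on bad input.
audit_pkg_scripts() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    hits=$(list_install_scripts "$1" | while IFS= read -r script; do
        # /dev/null as a second file makes grep prefix the script's path.
        grep -nE "$SUSPECT_RE" "$script" /dev/null || true
    done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample: a package tree whose preinstall script does what the
# tweet describes (unpack with a bundled 7zip, then copy into /Applications).
make_sample_pkg() {
    d=$(mktemp -d)
    mkdir -p "$d/app.pkg/Scripts"
    printf '%s\n' '#!/bin/sh' \
        './7zz x payload.7z -o"$TMPDIR/unpacked"' \
        'cp -R "$TMPDIR/unpacked/Example.app" /Applications/' \
        > "$d/app.pkg/Scripts/preinstall"
    printf '%s\n' '#!/bin/sh' 'exit 0' > "$d/app.pkg/Scripts/postinstall"
    echo "$d"
}

sample=$(make_sample_pkg)
audit_pkg_scripts "$sample" || echo "review the scripts listed above before installing"
rm -rf "$sample"
```

A match is only a prompt to read the script; legitimate installers also use preinstall and postinstall scripts.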
AppleInsider has reached out to Zoom regarding the allegation but has yet to receive comment. Apple has not publicly commented either, but this accusation follows previous issues where Apple forced a macOS update on users in order to remedy a Zoom security problem.
Previously, another security workaround within the Zoom app meant that it was possible for websites to turn on users' cameras without permission. Initially, Zoom defended this as being a deliberate way to make video conferencing easier for users. It then backed down, and said it would remove the feature.
Before it did so, however, Apple intervened and used a forced silent update to macOS, the method by which it typically addresses malware.
Separately, The Intercept alleges that Zoom is claiming to have end-to-end encryption for its video conference calls, but does not.
Rather than true end-to-end encryption, where the entire video chat can only be seen by the caller and his or her recipients, Zoom is reportedly doing what's called transport encryption. This makes the connection between the users and Zoom's servers encrypted, but doesn't prevent Zoom itself seeing the calls.
"In fact, Zoom is using its own definition of the term," The Intercept says, "one that lets Zoom itself access unencrypted video and audio from meetings."
A Zoom spokesperson confirmed this to The Intercept, responding that "currently, it is not possible to enable E2E encryption for Zoom video meetings."
"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point," the Zoom spokesperson continued.