Two more macOS Zoom flaws surface, as lawsuit & government probe loom
As New York launches a probe and a class action lawsuit is filed against video conferencing app Zoom, a security researcher has discovered two vulnerabilities in its macOS client.
Zoom has become wildly popular in the midst of the COVID-19 pandemic, despite its questionable security and privacy reputation. And now, when more and more users are turning to the app for work meetings or chats with friends, hackers and governments are raising new concerns about the platform.
Patrick Wardle, a macOS security researcher and former hacker for the National Security Agency, has uncovered two new local security vulnerabilities in the latest version of the Mac Zoom client.
The first flaw stems from the "shady" way Zoom installs itself on a Mac, which we've previously covered: the installer performs its privileged steps without any user interaction. By abusing that installation process, an unprivileged local user or a piece of malware running as that user can gain root, the highest level of privilege on the machine.
The second flaw, arguably the more concerning of the two, lets a local user or piece of malware piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" those permissions, so the injected code can capture from the camera and microphone without the user's knowledge.
Local exploits like these do not need physical access to the computer; they need the attacker to already have code running on it, for instance malware the user was tricked into launching. Once that foothold exists, such flaws are common and hard to prevent.
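The page does not say how the injection into Zoom's process works, only that injected code inherits the app's camera and microphone access. On macOS, the usual precondition for that kind of piggybacking is an app that holds the hardened-runtime camera and microphone entitlements while also opting out of protections such as library validation, which is what lets a foreign dylib be loaded into the process at all. The audit below is an added example, not code from the page, from Zoom or from the researcher: it reads the XML entitlements plist that `codesign -d --entitlements :- /path/to/App.app` prints and flags the combination of device access plus an injection-enabling entitlement. The two embedded plists are constructed samples, not Zoom's real entitlements.

```python
"""Audit a macOS app's entitlements for device access combined with
injection-friendly settings.

Added example, not from the page, Zoom or the researcher.  Input is the XML
entitlements plist printed by `codesign -d --entitlements :- App.app`;
the two SAMPLE_* plists below are constructed, not taken from Zoom.
"""
import plistlib
import sys

# Hardened-runtime entitlements that weaken code-injection defences
# (real Apple entitlement keys; the descriptions are ours).
INJECTION_ENABLERS = {
    "com.apple.security.cs.disable-library-validation":
        "dylibs not signed by the same team or Apple may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_INSERT_LIBRARIES and similar variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable and executable memory is permitted",
    "com.apple.security.get-task-allow":
        "other processes may attach to the task (debug builds)",
}

# Hardened-runtime entitlements an app needs before it can even ask the
# user for TCC-protected devices.
DEVICE_ACCESS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit_entitlements(plist_xml: bytes) -> dict:
    """Return the devices the app may use, the injection enablers it
    carries, and whether the two coincide (the piggybacking condition)."""
    ents = plistlib.loads(plist_xml)
    enabled = lambda key: ents.get(key) is True
    devices = [name for key, name in DEVICE_ACCESS.items() if enabled(key)]
    enablers = [key for key in INJECTION_ENABLERS if enabled(key)]
    return {
        "devices": devices,
        "injection_enablers": enablers,
        # Risky only when injected code would inherit a device permission.
        "risky": bool(devices) and bool(enablers),
    }


def _plist(body: str) -> bytes:
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0"><dict>' + body + '</dict></plist>\n'
    ).encode()


# Constructed sample: device access plus library validation disabled.
SAMPLE_WEAK = _plist(
    "<key>com.apple.security.device.camera</key><true/>"
    "<key>com.apple.security.device.audio-input</key><true/>"
    "<key>com.apple.security.cs.disable-library-validation</key><true/>"
)

# Constructed sample: same device access, no injection enablers.
SAMPLE_HARDENED = _plist(
    "<key>com.apple.security.device.camera</key><true/>"
    "<key>com.apple.security.device.audio-input</key><true/>"
    "<key>com.apple.security.cs.disable-library-validation</key><false/>"
)


if __name__ == "__main__":
    # Pipe real codesign output in, otherwise audit the constructed samples.
    if not sys.stdin.isatty():
        print(audit_entitlements(sys.stdin.buffer.read()))
    else:
        for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
            report = audit_entitlements(sample)
            print(f"{name}: risky={report['risky']} "
                  f"devices={report['devices']} "
                  f"enablers={report['injection_enablers']}")
```

A "risky" result does not prove an app is exploitable, only that code loaded into it would run with the app's device permissions; the fix on the app side is to drop the enabler, and a fleet-wide check is to run this over every app in `/Applications` that a user has granted camera or microphone access.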
This isn't Zoom's first security blunder, either. In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate a Mac's webcam without the user's knowledge.
Along with the security flaws, Zoom has also recently caught flak for its privacy practices. Earlier in March, Motherboard found that the Zoom for iOS app was sending user data to Facebook, even if the user didn't have a Facebook account.
While Zoom has since removed that "feature," New York has opened an investigation into the app and a class-action lawsuit has been lodged in California.
The class action, filed in the U.S. District Court for the Northern District of California, alleges that Zoom gave personal user information to third parties without being explicitly clear about the data-sharing practices, CBS News reported. New York Attorney General Letitia James has also launched a probe into Zoom's privacy policies.
In a separate development, Zoom may also be inadvertently leaking user email addresses and photos to complete strangers, according to Motherboard.
This appears to be happening because Zoom's directory feature treats everyone who signs up with the same email domain as colleagues at a single company. Large consumer providers such as Gmail, Yahoo and Hotmail are excluded from that grouping, but the domains of smaller email providers are not, so their users are treated as one organization. Those users can see the full names, profile pictures and statuses of everyone else with the same email provider, and can start video chats with them.
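The design flaw here is a deny-list: the directory groups by domain and only exempts the consumer providers it knows about, so every domain it has never heard of is assumed to be a company. The example below is added here and is not Zoom's code; `group_by_denylist` reproduces that behaviour on constructed users, and `group_by_allowlist` shows the safer alternative, in which only domains an organization has explicitly verified are grouped. The user addresses and domains are made up.

```python
"""Directory grouping by email domain: deny-list (leaky) vs allow-list (safe).

Added example, not Zoom's code.  The users and domains are constructed.
"""

# Consumer providers the deny-list design knows about.  Anything else is
# treated as a company, which is the bug: a small ISP's customers become
# "colleagues".
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


def domain_of(email: str) -> str:
    """Extract and normalise the domain; reject strings that are not addresses."""
    local, _, domain = email.rpartition("@")
    if not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().strip(".")


def group_by_denylist(emails):
    """Leaky design: group every domain except known consumer providers."""
    groups = {}
    for email in emails:
        domain = domain_of(email)
        if domain in CONSUMER_DOMAINS:
            continue  # treated as an individual, never listed
        groups.setdefault(domain, []).append(email)
    return groups


def group_by_allowlist(emails, verified_domains):
    """Safer design: only group domains an organisation has verified."""
    verified = {d.lower() for d in verified_domains}
    groups = {}
    for email in emails:
        domain = domain_of(email)
        if domain in verified:
            groups.setdefault(domain, []).append(email)
    return groups


def visible_to(email: str, groups) -> list:
    """Who a given user would see in their directory (excluding themselves)."""
    members = groups.get(domain_of(email), [])
    return [m for m in members if m != email]


# Constructed users: a real company, a small ISP's customers, a Gmail user.
USERS = [
    "alice@example-corp.com",
    "bob@Example-Corp.com",
    "carol@small-isp.example",
    "dave@small-isp.example",
    "erin@gmail.com",
]
VERIFIED_ORG_DOMAINS = {"example-corp.com"}


if __name__ == "__main__":
    leaky = group_by_denylist(USERS)
    safe = group_by_allowlist(USERS, VERIFIED_ORG_DOMAINS)
    print("deny-list: carol sees", visible_to("carol@small-isp.example", leaky))
    print("allow-list: carol sees", visible_to("carol@small-isp.example", safe))
```

With the deny-list, Carol and Dave, two strangers who merely share an ISP, appear in each other's directory; with the allow-list they see nobody, while Alice and Bob, whose company verified its domain, still see each other.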
On Tuesday, The Intercept also alleged that Zoom was misleading customers by claiming that video calls were end-to-end encrypted. They aren't. Instead, Zoom uses transport encryption, which protects the traffic between the client and Zoom's servers but does not hide the content of calls from Zoom itself.