Popular video conferencing app Zoom has come under fire for numerous security flaws in the last few days, and has now issued a public apology plus a plan of action for resolving the issues.
The announcement came in a blog post released to Zoom's website on April 1 and attempts to mitigate some of the bad press the company has received over the last two weeks.
The blog post serves a few purposes. The first is to act as a repository to previously acknowledged issues, citing that the company has been working to fix security issues as they arise. The announcement also explains what the company has been working on, including an extensive section on Zoom's role in elementary and secondary classrooms.
The second purpose of the blog is to outline the company's plan of action for addressing ongoing issues. The Zoom team is giving themselves 90 days to fix existing problems.
In those 90 days, Zoom is enacting a feature freeze — no further development will happen on Zoom products until security issues have been resolved. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.
Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." They plan on preparing a transparency report to handle requests for data, records, and content. The company plans on hosting a weekly webinar to provide security updates to Zoom users.
"We are actively investigating and working to address these issues," A Zoom representative told AppleInsider in an email. "We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption but did not possess those features.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.
In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.
13 Comments
And those are just the (numerous) Zoom security failings on Apple's platform.
There's a different, and arguably worse, problem on Windows that allows an attacker to steal user credentials using Zoom.
Now that people are actually using it what with the quarantine all the security flaws are coming to fore.
Here is a direct link to the twin blog post from yesterday that focuses on the question of encryption:
So don't record your meeting if you don't want Zoom to decrypt it midstream. If I'm parsing this correctly, it reads: "There is a back door, but we don't use it. Unless you want to record your meeting."https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
The two bolded sections are as follows:
And will Zoom actually “fix” the security issues or just “dodge & weave” like FaceCrook does? I sincerely have my doubts that this program / service would ever be trustworthy enough without serious expert reviews. It seems to me to be as shady as Zuckerberg and his apologizing for all the privacy issues In FaceCrook that “we weren’t as clear as we thought. We’re sorry, we’ll clean this up.”
Someone at my wife's school had a big problem when they attempted to use Zoom the first time for class online recently. One of the students (with malicious intent) published the meeting ID a few days earlier on some social media platform inviting anyone to crash the meeting and it snowballed -- something like 1000 undesirables joined the meeting and were extremely disruptive. The teacher had to end the meeting and that classroom session was effectively cancelled.
That event was not so much a Zoom security failure but an overall design point that is missing. I imagine what is needed are unique user invites -- the unique ID can only be used by a single Zoom userid. It would be additional overhead for the meeting organizer but it would enhance meeting confidentiality. I can't think of any other decent solutions that don't require something like VPN access which would be tough to get working for a diverse set of middle/high school students that use a variety of devices. Any other ideas out there?