Zoom privacy and security issues: Here’s everything that’s wrong (so far) – Tom’s Guide

Are you using Zoom yet? It seems that everyone in America who's been forced to work, or do schoolwork, from home during the coronavirus lockdown is using the video-conferencing platform for meetings, classes and even social gatherings.

There are good reasons Zoom has taken off and other platforms haven't. Zoom is easy to set up, easy to use and lets up to 100 people join a meeting for free. It just works.

But there's a downside. Zoom's ease of use has made it easy for troublemakers to "bomb" open Zoom meetings. Information-security professionals say Zoom's security has left a lot of holes open, although it's getting better.

There's also been a lot of scrutiny about Zoom's privacy policy, which until recently seemed to give Zoom the right to do whatever it saw fit with any user's personal data.

That's created a backlash against Zoom. On April 6, New York City public schools moved to ban Zoom meetings, and other school systems did the same, although Singapore now seems to be reversing its ban on Zoom for distance-learning.

With this ton of issues, people are looking for other options, so check out our Skype vs Zoom face-off to see how an old video app has adapted for video conferencing. We've also compared Zoom vs Google Hangouts as well.

Does all this mean that Zoom is unsafe to use? No.

Unless you're discussing state or corporate secrets, or disclosing personal health information to a patient, Zoom should be fine to use. Just require a password to join the meeting, and share it only with the intended participants.

For school classes, after-work get-togethers, or even workplace meetings that stick to routine business, there's not much risk in using Zoom. Kids will probably continue to flock to it, as they can even use Snapchat filters on Zoom.

You just need to be aware that the Zoom software creates a huge "attack surface," as security professionals like to say, and that hackers are going to try to come at it every way they can. They're already registering lots of Zoom-related phony domains and developing Zoom-themed malware.

The upside is that if lots of flaws in Zoom are found now and fixed soon, then Zoom will be the better -- and safer -- for it.

"Zoom will soon be the most secure conferencing tool out there," wrote tech journalist Kim Zetter on Twitter April 1. "But too bad they didn't save themselves some grief and engage in some security assessments of their own to avoid this trial by fire."

In a blog post April 1, Zoom CEO and founder Eric S. Yuan acknowledged Zoom's growing pains and pledged that regular development of the Zoom platform would be put on hold while the company worked to fix security and privacy issues.

"We recognize that we have fallen short of the community's -- and our own -- privacy and security expectations," Yuan wrote, explaining that Zoom had been developed for large businesses with in-house IT staffers who could set up and run the software.

"We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived," he said. "These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones."

To deal with these issues, Yuan wrote, Zoom would be "enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues."

Among other things, Zoom would also be "conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases."

Zoom now requires passwords by default for most Zoom meetings, although meeting hosts can turn that feature off. Passwords are the easiest way to stop Zoom bombing.

And on April 8, former Facebook and Yahoo chief security officer Alex Stamos said he would be working with Zoom to improve its security and privacy. Stamos is now an adjunct professor at Stanford and is highly regarded within the information-security community.

To keep ourselves (and you) sane, we're putting the most recent Zoom privacy and security issues up top and separating the problems into those that are open or unresolved, those that have been resolved and those that don't fit into either category.

Zoom-meeting video recordings saved on Zoom's cloud servers can be easily discovered and often viewed, a security researcher told Cnet.

Phil Guimond noticed that online recordings of Zoom meetings have a predictable URL structure and are thus easy to find. (The Washington Post reported last week on a similar issue with Zoom recordings that had been uploaded by users to third-party cloud servers. In those cases, the file names of meeting recordings followed a predictable pattern.)

Until Zoom pushed out a series of updates this past Tuesday, Zoom meeting recordings were not required to be password-protected.

Guimond built a simple tool that automatically searches for Zoom meeting recordings and tries to open them.

If a recording is password-protected, his tool tries to brute-force access by running through millions of possible passwords. If a meeting recording is viewable, so is the Zoom meeting ID, and the attacker might be able to join future sessions of a recurring meeting.

To defeat Guimond's automated tool, Zoom added a Captcha challenge, which forces the would-be meeting-recording watcher to prove they're a human. But, Guimond said, the URL pattern is still the same, and attackers could still try to open each generated result manually.

STATUS: Mitigated with additional obstacles against attack, but not really fixed.

Zoom announced it was hiring Luta Security, a consulting firm headed by Katie Moussouris, to revamp Zoom's "bug bounty" program, which pays hackers to find software flaws.

Moussouris set up the first bug-bounty programs at Microsoft and the Pentagon. In her own blog post, she announced that Zoom was bringing in other well-regarded information-security firms and researchers to improve its security.

In its weekly webinar, according to ZDNet, Zoom also said it would let meeting hosts report abusive users, and newly hired security consultant Alex Stamos said Zoom would be switching to a more robust encryption standard after Zoom's existing encryption was found to be lacking.

In other news, a congressman has complained that a congressional briefing held over Zoom on April 3 was "zoom-bombed" at least three times.

The head of Standard Chartered, a London-based multinational bank, has warned employees not to use Zoom or Google Hangouts for remote meetings, citing security concerns, according to Reuters.

Standard Chartered primarily uses the rival Blue Jeans video-conferencing platform, according to two bank staffers who spoke anonymously.

Last year, Standard Chartered agreed to pay British and American regulators $1.1 billion after admitting the bank violated trade sanctions on Iran.

Hackers are apparently offering to sell two "zero-day" exploits in Zoom to the highest bidder, Vice reports.

Zero-days are hacks that take advantage of vulnerabilities the software maker doesn't know about, and which users have little or no defense against.

Sources who told Vice about the zero-days said one exploit is for Windows and lets a remote attacker get full control of a target's computer. The catch is that the attacker and the target have to be on the same Zoom call. Its asking price is $500,000.

"I think it's just kids who hope to make a bang," one unnamed source told Vice.

The other zero-day is said to be for macOS and to be less serious.

STATUS: Apparently unfixed.

Zoom announced April 13 that users of paid Zoom accounts would be able to choose through which region of the world their data would be routed: Australia, Canada, China, Europe, India, Japan/Hong Kong, Latin America or the United States.

This is a reaction to the discovery earlier in April that many Zoom meetings hosted by and involving U.S. residents had been routed through servers based in China, a country that retains the right to see anything happening on a domestically located server without a warrant.

Users of Zoom's free service will have their data handled only by servers in their regions.

Usernames and passwords for more than 500,000 Zoom accounts are being sold or given away in criminal marketplaces.

These accounts were not compromised as the result of a Zoom data breach, but instead through credential stuffing. That's when criminals try to unlock accounts by re-using credentials from accounts compromised in previous data breaches. It works only if an account holder uses the same password for more than one account.

STATUS: Unknown, but this isn't Zoom's fault.

A Kurdish security researcher said Zoom had paid him a bug bounty -- a reward for finding a serious flaw -- after he discovered and privately reported a way for anyone to easily hijack any existing Zoom account if the account email address was known or successfully guessed.

The researcher, who calls himself "s3c" but whose real name may be Yusuf Abdulla, described how if he tried to log into the Zoom website with a Facebook account, Zoom would ask for the email address associated with that Facebook account. Then Zoom would open a new webpage notifying him that a confirmation email message had been sent to that email address.

The URL of the notification webpage would have a unique identification tag in the address bar. As an example that's much shorter than the real thing, let's say it's "zoom.com/signup/123456XYZ".

When s3c received and opened the confirmation email message sent by Zoom, he clicked on the confirmation button in the body of the message. This took him to yet another webpage that confirmed his email address was now associated with a new account. So far, so good.

But then s3c noticed that the unique identification tag in the Zoom confirmation webpage's URL was identical to the first ID tag. Let's use the example "zoom.com/confirmation/123456XYZ".

The matching ID tags, one used before confirmation and the other after confirmation, meant that s3c could have avoided receiving the confirmation email, and clicking on the confirmation button, altogether.

In fact, he could have entered ANY email address -- yours, mine or billgates@gmail.com -- into the original signup form. Then he could have copied the ID tag from the resulting Zoom notification page and pasted the ID tag into an already existing Zoom account-confirmation page.

Boom, he'd have access to any Zoom account created using the targeted email address.

"Even if you already linked your account with a Facebook account Zoom automatically unlink it and link it with the attacker Facebook account," s3c wrote in his imperfect English.

And because Zoom lets anyone using a company email address view all other users signed up with the same email domain, e.g. "company.com", s3c could have leveraged this method to steal ALL of a given company's Zoom accounts.

"So if an attacker create an account with email address attacker@companyname.com and verify it with this bug," s3c wrote, "the attacker can view all emails that created with *@companyname.com in Zoom app in Company contacts so that means the attacker can hack all accounts of the company."

Zoom is fortunate that s3c is one of the good guys and didn't disclose this flaw publicly before Zoom could fix it. But it's such a simple flaw that it's hard to imagine no one else noticed it before.

STATUS: Fixed, thank God.
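The flaw s3c describes comes down to one design mistake: the identifier shown on the "check your e-mail" page was the same value the confirmation link carried, so the e-mail step could be skipped by anyone who could type a victim's address into the signup form. The following is an added illustration, not Zoom's code: a toy signup service that can run in a `vulnerable` mode reproducing that mistake, and in a hardened mode where the page gets an opaque reference and only a separate random token delivered by e-mail can confirm. All addresses, session names and the in-memory "outbox" are constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    owner_session: str   # the browser session (or linked login) that controls the account
    verified: bool = False


class SignupService:
    """Toy model of an e-mail-confirmation signup flow (not Zoom's implementation)."""

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, str] = {}        # confirmation token -> email awaiting confirmation
        self.page_refs: dict[str, str] = {}      # hardened mode: opaque page id -> email
        self.outbox: list[tuple[str, str]] = []  # (recipient, token) "e-mails" that were sent

    def start_signup(self, email: str) -> str:
        """Return the id that appears in the URL of the 'confirmation e-mail sent' page."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        self.outbox.append((email, token))        # the token is meant to travel ONLY by e-mail
        if self.vulnerable:
            return token                          # BUG: the secret leaks into the page URL
        ref = secrets.token_urlsafe(16)           # unrelated opaque reference for the page
        self.page_refs[ref] = email               # usable for display, useless for confirmation
        return ref

    def confirm(self, presented: str, session: str) -> bool:
        """Consume a confirmation token and hand the account to the presenting session."""
        if not presented.isascii():
            return False
        # Constant-time comparison so timing does not leak token prefixes.
        match = next((t for t in self.pending if hmac.compare_digest(t, presented)), None)
        if match is None:
            return False
        email = self.pending.pop(match)
        acct = self.accounts.get(email)
        if acct is None:
            self.accounts[email] = Account(email, owner_session=session, verified=True)
        else:
            acct.owner_session = session          # re-links an existing account, as the report describes
            acct.verified = True
        return True


VICTIM = "victim@example.com"   # constructed example address


def attacker_takeover(vulnerable: bool) -> bool:
    """Attacker signs up with the victim's address and pastes the page id into the confirm URL."""
    svc = SignupService(vulnerable)
    svc.accounts[VICTIM] = Account(VICTIM, owner_session="victim-browser", verified=True)
    page_id = svc.start_signup(VICTIM)                   # never receives the victim's e-mail
    svc.confirm(page_id, session="attacker-browser")     # works only if page id == e-mail token
    return svc.accounts[VICTIM].owner_session == "attacker-browser"


def legitimate_confirm(vulnerable: bool) -> bool:
    """The real owner reads the e-mail and clicks the link; this must work in both modes."""
    svc = SignupService(vulnerable)
    svc.start_signup("newuser@example.com")
    recipient, token = svc.outbox[-1]
    return svc.confirm(token, session="newuser-browser") and svc.accounts[recipient].verified
```

Running `attacker_takeover(True)` returns `True` and `attacker_takeover(False)` returns `False`, while `legitimate_confirm` succeeds either way: the fix costs the real user nothing. The general rule is that anything rendered into a URL, page or client-visible response is public, so a secret that authorizes a state change must never be derivable from it.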

Researchers from IntSights discovered a set of 2,300 Zoom login credentials being shared in a criminal online forum.

"Aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others," IntSights' Etay Maor wrote in a blog post April 10.

"While some of the accounts 'only' included an email and password, others included meeting IDs, names and host keys," Maor wrote.

Maor told Threatpost it didn't seem like the credentials came from a Zoom data breach, given their relatively small number. He theorized that they came from "small lists and databases kept by other companies/agencies."

It's also possible that some of the credentials were the result of "credential stuffing." That's the (largely) automated process by which criminals try to log into websites by cycling through likely email addresses and likely passwords, and then harvest whatever yields a positive result.

STATUS: Unknown. This likely isn't a Zoom issue per se.
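Credential stuffing, described above and in the 500,000-account item earlier, has a distinctive shape in authentication logs: one source tries many different accounts once or twice each, almost all attempts fail, and a handful succeed. That differs from a classic password brute force (one account, many guesses) and from a person mistyping a password. The following is an added example, not Zoom's detection logic or log format; the log lines and the `login ip=... user=... result=...` layout are constructed here, and the thresholds are illustrative defaults a defender would tune.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (constructed for this example, not Zoom's real format):
#   <timestamp> login ip=<source> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

STUFFING_IP = "203.0.113.5"
SAMPLE_LINES = [
    # benign: one person mistypes once, then logs in
    "2020-04-10T12:00:01Z login ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2020-04-10T12:00:09Z login ip=198.51.100.7 user=alice@example.com result=OK",
    # password brute force: one account, many guesses from one source
    *[f"2020-04-10T12:01:{i:02d}Z login ip=192.0.2.44 user=bob@example.com result=FAIL"
      for i in range(8)],
    # credential stuffing: many accounts, one guess each, a few reused passwords hit
    *[f"2020-04-10T12:02:{i:02d}Z login ip={STUFFING_IP} user=user{i:02d}@example.com "
      f"result={'OK' if i in (3, 17) else 'FAIL'}"
      for i in range(25)],
]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)


def summarize(lines):
    """Aggregate attempts per source address."""
    by_ip = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore lines that do not match the assumed format
        s = by_ip[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded_users.add(m["user"])
    return by_ip


def classify_sources(lines, min_users=10, max_tries_per_user=2.0,
                     min_fail_ratio=0.7, brute_force_failures=5):
    """Label each source as credential-stuffing, password-brute-force or benign."""
    labels = {}
    for ip, s in summarize(lines).items():
        fail_ratio = s.failures / s.attempts
        tries_per_user = s.attempts / len(s.users)
        if (len(s.users) >= min_users and tries_per_user <= max_tries_per_user
                and fail_ratio >= min_fail_ratio):
            labels[ip] = "credential-stuffing"     # breadth across accounts, shallow per account
        elif len(s.users) == 1 and s.failures >= brute_force_failures:
            labels[ip] = "password-brute-force"    # depth against a single account
        else:
            labels[ip] = "benign"
    return labels


def accounts_to_reset(lines):
    """Accounts that logged in successfully from a stuffing source: their reused
    passwords are now confirmed to work and should be reset."""
    stats = summarize(lines)
    flagged = [ip for ip, label in classify_sources(lines).items()
               if label == "credential-stuffing"]
    return sorted(u for ip in flagged for u in stats[ip].succeeded_users)
```

On the sample above, `classify_sources` labels 203.0.113.5 as credential stuffing, 192.0.2.44 as a brute force, and the mistyping user as benign, and `accounts_to_reset` returns the two accounts whose reused passwords worked. In production the same per-source counters are usually kept in a sliding window, and real campaigns rotate through many proxy addresses, so the ratio-based features matter more than any single address.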

In an "ask me anything" webinar earlier this week, Zoom CEO Eric S. Yuan said that Zoom had discovered "a potential security vulnerability with file sharing, so we disabled that feature."

Until this week, participants in a Zoom meeting could share files with each other using the meeting's chat function.

STATUS: Fixed.

Zoom has released updates for its Windows, macOS and Linux desktop client software so that meeting IDs will not display onscreen during meetings. British Prime Minister Boris Johnson last week accidentally displayed a Zoom meeting ID in a tweet, and the Belgian cabinet made a similar mistake.

BuzzFeed News reported that Google had banned Zoom from company-owned laptops, the Financial Times reported that the U.S. Senate had advised members and staffers to avoid Zoom, and the German newspaper Handelsblatt said that country's foreign ministry had also asked its staff to stop using Zoom.

However, it's worth keeping in mind that Google has its own videoconferencing application built into its G Suite software for enterprises.

Taiwan's government has banned the use of Zoom for government meetings and for school use, citing "security or privacy concerns." The memo announcing the government ban did not get more specific about the reasons, but last weekend it emerged that some Zoom meetings were being routed through mainland Chinese servers.

Information-security researchers know of several Zoom "zero-day" exploits, according to Vice, which couldn't get anyone to go on the record for its story. Zero-days are exploits for software vulnerabilities that the software maker doesn't know about and hasn't fixed, and hence has "zero days" to prepare before the exploits appear.

However, one Vice source implied that other video-conferencing solutions also had security flaws. Another source said that Zoom zero-days weren't selling for much money due to lack of demand.

Zoom's popularity is also being used as bait. Kaspersky researchers said they had found more than 500 suspicious files that pretended to be Zoom-related. Not all the files were malicious, and those that were installed adware rather than more damaging malware.

Other phony files mimicked WebEx, GoToMeeting and Slack, but by far the biggest target among video-conferencing platforms was Skype. The researchers found 120,000 suspicious files with Skype attributes.

Criminals are trading compromised Zoom accounts on the "dark web," Yahoo News reported.

This information apparently came from Israeli cybersecurity firm Sixgill (not to be confused with an American firm of the same name), which specializes in monitoring underground online-criminal activity. We weren't able to find any mention of the findings on the Sixgill website.

Sixgill told Yahoo it had spotted 352 compromised Zoom accounts that included meeting IDs, email addresses, passwords and host keys. Some of the accounts belonged to schools, and one each to a small business and a large healthcare provider, but most were personal.

STATUS: Not really a bug, but definitely worth worrying about. If you have a Zoom account, make sure its password isn't the same as the password for any other account you have.

Researchers at Trend Micro discovered a version of the Zoom installer that has been bundled with cryptocurrency-mining malware, i.e. a coin-miner.

The tampered installer will put Zoom version 4.4.0.0 on your Windows PC, but it comes bundled with a coin-miner that Trend Micro has given the catchy name Trojan.Win32.MOOZ.THCCABO. (By the way, the latest Zoom client software for Windows is up to version 4.6.9, and you should download it only from Zoom's own website.)

The coin-miner will ramp up your PC's central processing unit, and its graphics card if there is one, to solve mathematical problems in order to generate new units of cryptocurrency. You'll notice this if your fans suddenly speed up or if Windows Task Manager (hit Ctrl + Shift + Esc) shows unexpectedly heavy CPU/GPU use.

To avoid getting hit with this malware, make sure you're running one of the best antivirus programs, and don't click on any links in emails, social media posts or pop-up messages that promise to install Zoom on your machine.

STATUS: Open, but this isn't Zoom's problem to fix. It can't stop other people from copying and redistributing its installation software.

Not only does Zoom mislead users about its "end-to-end encryption" (see further down), but it seems to be flat-out, um, not telling the truth about the strength of its encryption.

Zoom says it uses AES-256 encryption to protect video and audio data traveling between Zoom servers and Zoom clients (i.e., you and me). But researchers at the Citizen Lab at the University of Toronto, in a report posted April 3, found that Zoom actually uses AES-128, which has a shorter key than advertised.

Even worse, Zoom uses that AES key in ECB (electronic codebook) mode, a mode that preserves patterns from the original data because identical blocks of plaintext always produce identical blocks of ciphertext. It's as if someone drew a red circle on a gray wall, and then a censor painted over the red circle with a white circle. You're not seeing the original message, but the shape is still there.

"We discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality," the Citizen Lab report says, such as "governments worried about espionage, businesses concerned about cybercrime and industrial espionage, healthcare providers handling sensitive patient information" and "activists, lawyers, and journalists working on sensitive topics."

STATUS: Unresolved. In a blog post April 3, Zoom CEO Eric S. Yuan acknowledged the encryption issue but said only that "we recognize that we can do better with our encryption design" and "we expect to have more to share on this front in the coming days."

Good software has built-in anti-tampering mechanisms to make sure that applications don't run code that's been altered by a third party.

Zoom has such anti-tampering mechanisms in place, which is good. But those anti-tampering mechanisms themselves are not protected from tampering, said a British computer student who calls himself "Lloyd" in a blog post April 3.

Needless to say, that's bad. Lloyd showed how Zoom's anti-tampering mechanism can easily be disabled, or even replaced with a malicious version that hijacks the application.

If you're reading this with a working knowledge of how Windows software works, this is a pretty damning passage: "This DLL can be trivially unloaded, rendering the anti-tampering mechanism null and void. The DLL is not pinned, meaning an attacker from a 3rd party process could simply inject a remote thread."

In other words, malware already present on a computer could unload or replace Zoom's anti-tampering DLL and then alter Zoom itself without being caught. Criminals could also distribute fully working copies of Zoom that have been altered to perform malicious acts.

STATUS: Unresolved.

Anyone can "bomb" a public Zoom meeting if they know the meeting number, and then use the screen-share feature to post shocking images, or make annoying sounds in the audio. The FBI even warned about it a few days ago.

The host of the Zoom meeting can mute or even kick out troublemakers, but they can come right back with new user IDs. The best way to avoid Zoom bombing is to not share Zoom meeting numbers with anyone but the intended participants. You can also require participants to use a password to log into the meeting.

On April 3, the U.S. Attorney's Office for the Eastern District of Michigan said that "anyone who hacks into a teleconference can be charged with state or federal crimes." The federal statutes apply nationwide; which state charges are available depends on the state.

STATUS: There are easy ways to avoid Zoom bombing, which we go through here.
