Home / NewTech / Zoom: Any security issue discovered in the video chat app

Zoom: Any security issue discovered in the video chat app


Sarah Tew / CNET

When the coronavirus pandemic last month forced millions of people to stay at home Zoom suddenly became the preferred video meeting service: daily meeting attendees at the The platform rose from 1

0 million in December to 200 million in March .

This popularity was associated with Zoom's privacy risks, which quickly expanded to a large number of people. From built-in attention tracking features to the latest improvements in zoom bombing (where uninvited attendees break into and interfere with hateful or pornographic content), Zoom's security practices – along with at least three legal disputes – have attracted more attention to the company .

Here is everything we know about the zoom security saga and when it happened. If you're not familiar with the security issues of Zoom you can start from the bottom and work your way up to the latest information. We will continue to update this story as more issues and corrections become apparent.

Read more : Do you use zoom for work? Here are the privacy risks to watch out for

8. April

Fourth lawsuit

In a lawsuit filed on Tuesday with the Federal Supreme Court, Zoom shareholder Michael Drieu accused the company of "insufficient data protection and security measures" and falsely alleged that the service was encrypted consistently. Drieu also said that media reports and public announcements by the company about security issues have caused Zoom's share price to drop .

Bug Bounty Hunters Appear

Hackers around the world began to look into bug bounty hunting, looking for potential weaknesses in zoom technology that should be sold to the highest bidder. A motherboard report reported an increase in bounty payout for vulnerabilities known as zero-day exploits. A source estimates that hackers sell the exploits for $ 5,000 to $ 30,000.

New Security Advisor and Councilor

Zoom hired former Facebook and Yahoo security officer Alex Stamos on board after defending the company on Twitter . As reported by CNET's sister website ZDNet, Stamos said he joined the company as a security adviser last week after a phone call to Zoom's founder and CEO, Eric Yuan, and will work with Zoom's engineering team.

In a statement, Zoom announced the formation of a Chief Information and Security Officer Council and an Advisory Board. The board's goal will be to conduct a full security review of the company's technology, and Yuan said, "A subset of CISOs that will personally assist me as a consultant."

Classroom Security

In an email, a zoom spokesman told CNET that the company is still pushing for more user training on existing security features, and explained its move to use the product safely in the classroom.

"We have recently changed the default settings for educational users registered in our K-12 program to enable virtual waiting rooms and ensure that only teachers can share content in class," said the spokesman.

"Starting April 5, we’ll default to enabling passwords and virtual waiting rooms for our Free Basic and Single Pro users. We’ll continue to proactively train users on how to protect their meetings from unwanted intruders, including through our offer of Training, tutorials and webinars to help users understand their own account functions and get the most out of the platform. "

Read More : Zoombombing: What It Is and How To Use It in the Zoom Video -Chat can prevent

usability versus security

In an interview with NPR, Yuan said the balance between security and usability had shifted for him.

"When it comes to a conflict between usability and privacy and security, privacy and security [are] are more important – even at the expense of multiple clicks," he said. "We will transform our business into a mentality that puts data protection and security first."

Hidden IDs

The company released a security update software update that removes the meeting ID from the title bar when meetings take place. As reported by Bleeping Computer, the move is said to slow down attackers who are distributing screenshots of meeting IDs on the open Internet.

Weekly Webinars

Yuan held the first weekly Webinars promised by Zooms to be available on the company's YouTube channel, "Surpassing the rise in users working from home due to the COVID-19 pandemic." by far everything we expected ".

yuan said that before the increase, the daily peak consumption of the product was around 10 million users, but now to more than 200 million. Yuan also explained the company's mistakes during the increase: Zoom's user-related security features are not friendly enough for the average user, and business-oriented tools such as the attention tracking feature are not useful for the average privacy-conscious consumer.

Yuan also refused to sell customer data and recommended that users use the security features of the software as often as possible. He also said the company is working to ensure that Zoom's webinar tool has improvements in the waiting room that allow organizers to approve users before they can attend a meeting, but he has no schedule for completion. Another security feature that's underway for the next 45 days is an improvement in the encryption standard and a renewed focus on protecting health-related data, he said.

AI Zoombomb

Zoombombing took a surreal turn when a Samsung engineer zoombombed a colleague with an AI-generated version of Elon Musk.

6. April

Some school districts prohibit Zoom

School districts prohibited teachers from using Zoom for distance learning amid the coronavirus outbreak, citing security and privacy issues related to the video conferencing app. The New York Department of Education urged schools to switch to Microsoft Teams "as soon as possible," Chalkbeat reported.

Zoom Accounts on the Dark Internet

Cyber ​​security company Sixgill announced that it had discovered an actor. A link to a collection of 352 compromised zoom accounts was posted in a popular dark web forum. Sixgill informed Yahoo Finance that these links included email addresses, passwords, meeting IDs, host keys and names, and the type of zoom account. Most were personal, but not all.

"One belonged to a large US healthcare provider, seven other educational institutions, and one to a small company," Sixgill told Yahoo Finance.

Read more : Zoombombing: What it is and how you can prevent it

Zoom is trying to expand its lobbying presence in Washington.

Zoom's response to security concerns turned to Washington, DC. The company told Politico it wanted to expand its lobbying presence in Washington and had hired Bruce Mehlman, a former Deputy Secretary of Commerce for Technology under President George W. Bush.

Pushing for FTC investigation

In an open letter, the Electronic Privacy Information Center asked the Federal Trade Commission to investigate Zoom and issue privacy policies for video conferencing platforms.

Sen. Richard Blumenthal, a Connecticut Democrat who has recently been recognized as a pioneer in laws that critics claim could cripple modern encryption standards, asked the FTC to examine Zoom about what he called "patterns of security deficiencies and security Privacy violations ".

Third class class action lawsuit

A third class class action lawsuit was filed against Zoom in California, citing the researchers' three key security concerns: Facebook data exchange, which is admittedly incomplete end-to-end encryption by the company , and the vulnerability through which malicious actors can access users' webcams.

Read more: 10 free alternative zoom apps for video chatting

5. April

Calls incorrectly routed through Chinese whitelist servers

In a statement, Zoom admitted that some video calls were "mistakenly" routed through two Chinese whitelist servers if they shouldn't have been. Certain meetings were allowed to "connect to systems in China that they shouldn't have connected to," it said.

4. April

Another apology from Zoom

"I really screwed up as CEO and we need to regain their trust. That shouldn't have happened," said Eric Yuan, CEO of Zoom, told the Wall Street diary in a long interview.

Yuan examined the damage to the company's reputation and described how Zoom pushed for expansion to take account of changes in the workforce in the early stages of the COVID-19 outbreak in China.

3. April

Zoom video call recordings visible on the Internet

A Washington Post investigation found that thousands of zoom video call recordings were unprotected and visible on the open web. A large number of unprotected calls included discussing personally identifiable information, such as private therapy sessions, telemedicine training calls, small business meetings where financial reports were discussed by private companies, and primary school classes with student information exposed, the newspaper said.

Attackers planning "Zoomraids"

Reports from CNET and the New York Times showed that social media platforms, including Twitter and Instagram, were used by anonymous attackers as spaces for Organization of "Zoomraids" were used – – the term for coordinated mass zoom bombs, in which intruders harass and abuse private meeting participants. The abuse reported during Zoomraid included the use of racist, anti-Semitic, and pornographic images, as well as verbal harassment.

Zoom apologizes again.

Zoom admitted that its custom encryption was inferior after a Citizen Lab report found the company developed its own encryption scheme and used a less secure AES-128 key instead of the previously claimed AES-256 encryption. In a direct response, Yuan said publicly, "We recognize that we can do better with our encryption design."

Lawsuit filed for second class action

Tycko and Zavareei LLP filed a class action lawsuit against Zoom – the second lawsuit against the company – for the exchange of personal data of users with Facebook.

Congress is asking for information.

California Democratic MP Jerry McNerney and 18 of his Democratic colleagues from the House Committee on Energy and Commerce sent a letter to Yuan Raising concerns and questions regarding the company's privacy practices. A response from Zoom was requested in the letter by April 10.

Currently playing:
Note the following:

Zoom responds to privacy concerns


2. April

Automated tool can find zoom meetings

Security researchers have found that an automated tool could find around 100 zoom meeting IDs in one hour and gather information for nearly 2,400 zoom meetings in a single scan day. as reported by security expert Brian Krebs.

The reviews that were found were those that were not password-protected , but the tool reported that The Verge successfully generated meeting IDs in up to 14% of cases.

Additional plans for zoom bombing

The motherboard, meanwhile, found that users of the 8chan forum had planned to kidnap zoom calls from a Jewish school in Philadelphia in an anti-Semitic zoom bombing campaign.

Data mining feature discovered [19659010] The New York Times reported that some participants were able to secretly access LinkedIn profile data about other users through a data mining feature on Zoom.

1. April

SpaceX prohibits Zoom

Elon Musk's SpaceX The missile company prohibited employees from using Zoom citing "significant privacy and security concerns" as reported by Reuters .

Other security holes discovered

The message from the motherboard again revealed a harmful security hole in Zoom. The application found that users' email addresses and photos were shared with strangers through a feature that was loosely designed as a corporate directory.

Yuan's Excuses

Yuan publicly apologized in a blog post and promised to improve security. This included activation of waiting rooms and password protection for all calls. Yuan also said the company would freeze feature updates to address security issues over the next 90 days.

30. March

The Intercept investigation: Zoom does not use the promised end-to-end encryption.

An investigation by The Intercept found that zoom call data was returned to the company without end-to-end promises of encryption in its marketing materials.

"It is currently not possible to enable E2E encryption for zoom video conferencing," a zoom spokesman told The Intercept.

Other bugs discovered

After discovering a Windows-related zoom bug that opened people up to password theft, two other bugs were discovered by a former NSA hacker, one of which malicious actors could allow to control a zoom The user's microphone or webcam. Another of the vulnerabilities allowed Zoom to get root access to MacOS desktops, at best a risky level of access.

Lawsuit against the company filed.

A class action lawsuit was filed against the company Zoom violated the new California Data Protection Act, in which users did not obtain proper consent to transfer their zoom data to Facebook.

New York Attorney General's Letter Sent

New York Attorney General Letitia James' office sent Zoom a letter outlining privacy concerns and asking what steps the company might have taken to protect the security of its users ensure given the increased traffic in its network.

Zoom bombs reported in classroom

The FBI issued a public warning to the public about cases of zoom bombs in the classroom, including an incident in which hackers broke into a class reunion and showed a swastika on students' screens Issue security vulnerabilities of Zoom. The organization recommended that educators protect password-based video calls and lock the security of meetings using the data protection features currently available in the software.

27. March

Zoom removes Facebook data capture functionality

In response to concerns raised by the motherboard investigation, Zoom removed Facebook data capture functionality from its iOS app and apologized in a statement.

"The data collected by the Facebook SDK did not contain any personal user information, but rather data on user devices such as type and version of the mobile operating system, time zone of the device, operating system of the device, device model and network operator, screen size, processor cores and storage space," said Zoom Motherboard.

26. March

Motherboard investigation: Zoom iOS app sends user data to Facebook

Motherboard investigation found that the Zoom iOS app sends user analysis data to Facebook, even for Zoom users who did not have a Facebook account the interaction of the app with Facebook's Graph API.

Play now:
Check it out:

YouTube at work on TikTok rival, Zoom's privacy risks


Source link