How much can we trust Zoom App Security? Following the growth of lockdown and quarantine through the world due to the Coronavirus outbreak, online conference call apps have become more popular among people.
Zoom has found booming popularity and is now being used by millions of people for work and leisure, as lockdowns are imposed in many countries.
The Silicon Valley group has been thrust into the spotlight during the coronavirus pandemic, as millions confined to their homes under national lockdowns have turned to its video-call technology to host work meetings and socialize.
Although the company has faced some cybersecurity and privacy-related missteps recently, attracting attention from the New York state attorney-general. Its business operations in China have additionally started to generate wariness among security experts.
However, now, its data security and privacy measures have been challenged.
New York Attorney General Letitia James asked Zoom issued a letter whether it had interpreted the app security measures following its popularity grew. It also mentioned, in the past, the app had been slow to discuss problems.
A company spokesperson stated: “Zoom takes its users’ privacy, security, and trust extremely seriously.”
“During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational. We appreciate the New York Attorney General’s engagement on these issues and are happy to provide her with the requested information,” it continued.
The Zoom is now facing a huge privacy and security reverberation as security specialists, privacy advocates, lawmakers, and even the FBI warn that Zoom’s default settings aren’t secure enough to be used by this number of users. Zoom now risks becoming a victim of its success.
Though, since at least mid-March, users signed up Zoom using their email addresses, and Zoom grouped them with thousands of others as if they all worked for the same company.
Twitter users have stated that the app displays users’ personal information to others on the app as if users are all working for the same company.
Subsequently, Motherboard heightened concerns about the Zoom app, a company spokesperson said the company maintained a “blacklist” of domains and “regularly proactively identifies” domains to be supplemented, appending that it had since blacklisted the specific domains highlighted by Motherboard.
Letitia James’ office letter:
“[Our office] is concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”
“While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices,” the letter holds.
Zoombombing app was the first of many recent Zoom security and privacy concerns, though. Zoom was required to update its iOS app last week to remove code that sent device data to Facebook.
Users have flocked to Zoom as authorities around the world commanded large parts of their communities to stay at home to slow the spread of the Coronavirus. It is now ranked as the number two and number one app in the UK and US, respectively.
Zoom has had security flaws in the past. This is to be included a vulnerability that allowed an attacker to remove attendees from their meetings as they can attend others’ meetings. It’s said that spoof messages from users and hijacks shared screens. Another saw Mac users forced into calls without their knowledge.
It also doesn’t offer end-to-end encryption, according to online news publication The Intercept. This is encryption that should mean no-one other than associates can attend a meeting.
Zoom said: “Currently, it is not possible to enable E2E encryption for Zoom video meetings.”
Therefore, this indicates that Zoom can access the video and audio of meetings, it published.
Some vulnerabilities discovered in popular video teleconferencing app Zoom could give access to attackers to increase opportunities on a computer. This allows access to users’ webcams and microphones, according to new research from Jamf Principal Security Researcher Patrick Wardle.
“However if you value either your (cyber) security or privacy, you … should avoid using the macOS version of the app, as neither of these essential values seems to be part of their ethos,” Wardle writes.
The first vulnerability, which adds up to the Zoom app security problems possible for attackers or malware to escalate their privileges to complete control of the machine, derives in part from the use of an unsafe API.
According to this mechanism, attackers have that extent of access that they can record Zoom meetings or reach the microphone or camera. It happens whenever they want if they load the right kind of malicious library, without users ever knowing, according to Wardle.
“Apple clearly notes that the ‘AuthorizationExecuteWithPrivileges’ API is deprecated and should not be used. Why? Because the API does not validate the binary that will be executed (as root!) …meaning a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root (as well),” Wardle addresses.
“Unfortunately, Zoom has (for reasons unbeknown to me), a specific ‘exclusion’ that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access,” Wardle continued.
“Once our malicious library is loaded in Zoom’s process/address space, the library will automatically inherit any/all of Zooms access rights/permissions,” Wardle writes.