Zoom is the teleconferencing and video chat software
that has seen huge levels of adoption worldwide
since the start of the COVID pandemic.
But now the app is being banned left and right.
Everyone from companies like Google and SpaceX,
to agencies like NASA and the Australian military
to the entire government of Taiwan
has forbidden their people from using Zoom.
Well there have been a number
of well-publicized security problems with
Well, Zoom has actually
had security issues for a while,
but many of them are just now coming to light
due to its recent burst in popularity.
Security issues of Zoom
There was a widespread security flaw on Mac systems
where Zoom’s installer would effectively
turn your computer into a server without telling you
which made it much easier for a stranger
to add themselves to your conference
and look through your webcam with just one click.
The feature was put in place to make it easier
to jump into meetings without additional clicks
because the web server feature accepted connections
that normal browsers wouldn’t.
Apple ended up issuing a macOS patch
to fix the problem, but since then,
a number of other issues have been discovered.
One was a relatively easy way to bypass email confirmation
and gain access to any account
where the email address was known
simply by using the same ID tag
in the sign-up page’s URL to access the confirmation page
without ever having actually had access
to the email account.
A simple attack like this could actually allow an outsider
to access all accounts associated with a domain
if the compromised account is from a company rather than an individual.
Zoom’s encryption is still rather weak.
In early April of 2020, researchers discovered
that the encryption Zoom used at the time
was actually AES-128, not the advertised AES-256,
which is much more secure.
Attackers have had success rapidly trying random IDs
until they found some that were active,
making it simple for them to break into meetings
and sometimes transmit disruptive
or offensive audio and video.
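One way a service operator could spot the ID guessing described above, as an added example that is not from the original article: it flags any source that asks for many different non-existent meeting IDs within a short window, then lists the meetings that source went on to join. The log format, outcome strings, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed join-attempt log (assumed format): (unix_time, source_ip, meeting_id, outcome)
SAMPLE_LOG = (
    # One source walks through meeting IDs every 5 seconds, then gets a hit.
    [(1000 + 5 * i, "203.0.113.7", str(410000000 + 7919 * i), "not_found") for i in range(8)]
    + [(1045, "203.0.113.7", "410055433", "joined")]
    # A participant mistypes an ID once, then joins normally.
    + [(1010, "198.51.100.4", "555123450", "not_found"),
       (1025, "198.51.100.4", "555123456", "joined")]
    # Occasional misses spread ten minutes apart.
    + [(1000 + 600 * i, "192.0.2.9", str(777000000 + i), "not_found") for i in range(6)]
)

def find_id_guessers(events, window=60, max_distinct=5):
    """Map each guessing source to the time it first reached max_distinct
    different non-existent meeting IDs within `window` seconds."""
    misses = defaultdict(deque)   # source -> recent (time, meeting_id) misses
    flagged = {}
    for ts, src, meeting_id, outcome in sorted(events):
        if outcome != "not_found":
            continue
        recent = misses[src]
        recent.append((ts, meeting_id))
        while ts - recent[0][0] > window:   # drop misses older than the window
            recent.popleft()
        if src not in flagged and len({m for _, m in recent}) >= max_distinct:
            flagged[src] = ts
    return flagged

def meetings_to_review(events, flagged):
    """Meetings a flagged source managed to join at or after it was flagged."""
    return sorted({
        meeting_id
        for ts, src, meeting_id, outcome in events
        if outcome == "joined" and src in flagged and ts >= flagged[src]
    })

if __name__ == "__main__":
    flagged = find_id_guessers(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("meetings to review:", meetings_to_review(SAMPLE_LOG, flagged))
```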
Zoom has been routing lots of traffic through servers in China, and unlike other countries
which have strong privacy protections for user data,
China’s government doesn’t need a warrant
to see what’s happening on servers
located inside the country at any given time,
raising fears from the privacy conscious.
Zoom’s installer has been a favorite target of hackers
who are modifying it with malware
and then releasing it back out into the wild.
And because so many people are quickly
downloading and signing up for Zoom
using existing email and password combos
involved in previous data breaches,
it hasn’t been tough for attackers to steal accounts.
Over half a million credentials
are up for sale on the dark web.
If you don’t have Zoom yet and you need to install it,
make sure that you’re only installing it
from Zoom’s official website,
not from some other source
that could be giving you a compromised installer.
Fixing the issues
Zoom is attempting to fix some of these issues,
and they won’t be rolling out any new features
for the next couple of months
so that their developers can focus
on security and privacy patches.