Vulnerability Researchers Focus on Zoom App's Security
With videoconferencing's rise as an essential tool for remote work comes a downside: more security scrutiny, which has turned up a number of security weaknesses.
April 2, 2020
Working from home has become the new normal for many technology and knowledge workers, and along with the move to remote work, videoconferencing services — such as Zoom — have become a key technology linking people together.
Yet with popularity comes scrutiny.
Over the past month, researchers have begun turning up security and privacy flaws in the application, which has had success as a brand during the pandemic. In late March, for example, one red-team member found that Zoom would display universal naming convention (UNC) paths as links, which, if clicked, would send a username and password hash to an attacker-controlled system. In another report posted online, a researcher found two vulnerabilities in the Zoom client for MacOS.
Because so many workers continue to work remotely, Zoom and other videoconferencing applications will be examined more closely for security flaws, says Brian Gorenc, director of vulnerability research and head of cybersecurity firm Trend Micro's ZDI program.
"We're in an unprecedented time with regard to the amount of people working remotely," he says. "All of the products that enable this – VPNs, video chat, 2FA [and others] – will receive increased scrutiny from researchers and attackers alike."
Zoom, in particular, has had a rough few weeks. Attackers have started registering domains that appear related to the company, with more than 1,700 Zoom-themed domains registers globally. On March 30, the FBI office in Boston warned videoconferencing platforms and schools that the law enforcement agency had received reports that conference calls were being "Zoom-bombed" by pornographic and hate images during school lectures.
Finally, critics have accused Zoom of being too expansive with its use of the term "end-to-end encryption."
The company has likely not see the end of the security and privacy scrutiny, says Carl Livitt, principal researcher at penetration-testing firm Bishop Fox.
"We are starting to see the first drips of the bugs right now," he says. "But researchers often, when they find one bug, see something else super interesting and make a note of it. I would not be surprised in the slightest if more bugs fall out because of this attention."
The sudden popularity of Zoom has added to the scrutiny. Zoom's business has expanded from about 10 million meeting participants per day in December 2019 to more than 200 million meeting participants per day in March. The surge, which includes more than 90,000 schools in 20 countries, has made reliability the top issue for the company, the firm said in a statement on April 1. And now that security is getting more attention, the company has pledged to fix issues quickly.
"[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," the company said. "Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users."
At least three issues have been publicized in the last month. One penetration tester found that a Zoom chat could be used to post links in the universal naming convention (UNC) format, which could be used to capture a username and password hash if a user clicked on a link that connected to a server message block (SMB) server.
A second cybersecurity specialist showed a screenshot of a proof-of-concept of the attack. "Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks," wrote @hackerfantastic on Twitter.
Zoom acknowledged the issue. "At Zoom, ensuring the privacy and security of our users and their data is paramount," the company said in a statement sent to Dark Reading. "We are aware of the UNC issue and are working to address it."
Yet another researcher publicized two other issues with Zoom on the MacOS operating system — a privilege escalation attack and code injection attack. Both vulnerabilities are a result of Zoom circumventing a specific security function of the MacOS.
Felix Seele, the technical lead at static and behavioral analysis firm VMRay, criticized the company's Mac OS installer for the way it circumvents user input during installation in the name of — what Zoom says — is the desire for a good user experience.
"This is not strictly malicious but very shady and definitely leaves a bitter aftertaste," Seele wrote on Twitter. "The application is installed without the user giving his final consent, and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware."
The company's CEO replied to Seele's criticism of the circumvention on Twitter.
"We implemented [this] to balance the number of clicks given the limitations of the standard technology," Eric S. Yuan, founder and CEO of Zoom, wrote on Twitter. "To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve."
Bishop Fox's Livitt points out that other platforms have had to deal with security scrutiny over the years. When Cisco bought WebEx, that videoconferencing platform had to weather a spate of bug reports as well.
Yet Zoom's decision to work around platform security for an arguably smoother user experience suggests the company, or its developers, may not support mature security processes, Livitt says.
"In the end, the platform provided these security controls and they deliberately turned them off, and no one really knows why," he says. "If there are security flags being disabled by developers, then that means their software development life cycle is not as mature as it should be."
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."
About the Author
You May Also Like