Zoom is a video call/conference software that has become very popular of late. The prime minister has been seen using it, my family have asked to use it, colleagues want to use it; however, I will not, and I encourage you not to as well.
All software developers have a responsibility to protect their users' data, audio, and video leaking from systems they have designed. They also have a responsibility to ensure that the systems that they run on are not open to being attacked or compromised. Zoom have repeatedly shown that they do not care about doing this. I do not really understand why though, other than the privacy/security issues, they have usable and popular software. They could be very, very successful in the long term. I suspect, but have no evidence, that management team or product owners are not listening to the development team; or possibly, the development team is incompetent. Either way, something is very wrong at Zoom.
Here are a few examples of their behaviour:
- Last summer - a security researcher pointed out that malicious websites could activate the user's webcam without the user's permission. Zoom would not agree that this was a security issue, instead claiming it was required to improve usability. Essentially, saying that usability is more important than security. Eventually, Apple had to step in an fix the vulnerability themselves.
- After pointing out the above issue, the security researcher had to decline the bug bounty payout because they wanted him to sign an NDA.
- This month - a security researcher has disclosed that Macs are vulnerable to webcam and mic takeover again.
- Zoom has been sending users activity to Facebook without their knowledge, whether they have a Facebook account, or not. This feature/bug has now been removed, but not before the New York AG has started an investigation.
- When installing Zoom on a Mac Zoom circumvents the standard installation process to install their software. I believe that this is a flaw in the Apple installation system, and not really Zoom's responsibility; however, they choose to bypass it when they do not need to. Apple does need to take a look at this, they should be able to prevent Zoom from doing this.
- If you Windows users thought that only Macs were vulnerable to Zooms half-arsed approach to security, then you should be aware that the Zoom Windows client is vulnerable to UNC path injection.
I would love to go into the many issues with Zoom in more detail, but since I do not have time today, I think I'll leave you a list of other articles I have been reading on Zoom.
These are in no particular order …
- Jonathan Leitschuh - Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
- John Gruber - Regarding Zoom
- BBC News - Zoom is in everyone's living room - how safe is it?
- Engadget - There's another macOS update to fix Zoom security exploits
- Wired - Zoom Will Fix the Flaw That Let Hackers Hijack Webcams
- Doc Searls - Zoom needs to clean up its privacy act
- Business Insider - 'Alcohol is soooo good': Trolls are breaking into AA meetings held on Zoom video calls and harassing recovering alcoholics
- twitter.com/DanAmodio - zoomAutenticationTool will run whatever script you give it
- Hacker News - Zoom truncates passwords to 32 chars
- 9to5mac.com - Ex-NSA hacker finds new Zoom flaws to takeover Macs again, including webcam, mic, and root access
- objective-see.com - The 'S' in Zoom, Stands for Security
- theintercept.com - Zoom meetings aren’t end-to-end encrypted, despite misleading marketing
- An example of Boris Johnson using Zoom with the cabinet
- twitter.com/c1truz_ - Hacky installation scripts