Zoom vulnerabilities are software flaws that reduce data privacy. The manufacturer claims that confidential information is reliably protected, including using 256-bit TSL encryption. But with the growing popularity of the program, more and more problems with the security of the Zoom application are opening. Let’s consider them in more detail.
Leaking Facebook information
In March 2020, it was reported that information about Zoom users on iPhones was being transferred to Facebook. This is not even a vulnerability, but a deliberate action by the developers concerning all owners of such devices, including those who do not have an account on social networks.
The Zoom administration shares data about the time zone, smartphone model, operator, advertising ID, etc. Zoom merges data from Facebook, which can then be used for targeted advertisements. After the promotion of the scandal, the developers announced the removal of this code, but they had already been sued.
Bad video encryption
Another security issue with the Zoom app also surfaced in March. In particular, there was information about the absence in the program of end-to-end encryption E2E, which is considered the most reliable on the Web. The official resource of the program indicates the use of the tool, but in practice only TSL encryption is used. Its disadvantage is that information is not encrypted between users, but between the client and the server. As a result, the company has access to audio and video, which allows it to “spy”.
In turn, the developers of Zoom stated that the lack of end-to-end encryption only affects video and audio. At the same time, customer chats are protected as much as possible, and the company does not have keys to decrypt them.
Rumors of vulnerabilities for Windows and MacOS
Again, in March, information about security problems appeared – two vulnerabilities that allow spying on users (for Windows and Mac OS). At the same time, the seller asked for the transfer of information $ 500,000. Over time, Zoom said that such information was not confirmed.
Injecting UNC into chat
Another vulnerability has been discovered in the Zoom client that allows injecting UNC paths into the chat option to steal client credentials. The capabilities of the program allow people to communicate, send messages and other data. When you use conference chat, all URLs are converted into hyperlinks, allowing other participants to click on them and go to the web page.
The vulnerability is that Zoom converts Windows UNC paths into clickable links in chat messages. After clicking on the UNC link, Windows makes an attempt to connect to the resource using the SMB protocol to open a remote file. At the same time, Windows sends an NTML hash of the login and password, which can be easily cracked using publicly available programs on the Internet, for example, Hashcat. Due to this Zoom vulnerability, the user’s password could be compromised.
In addition to identity theft, UNC injection allows attackers to use the path of the disk OS device to launch a program without prompting customers. Zoom’s developers acknowledge this vulnerability and promise to fix it shortly.
In addition to the vulnerabilities discussed above, there are a number of other weaknesses in the program. Here are the main ones:
- The ability to select identifierswith subsequent gaining access to the conference. Recent versions have fixed this issue by replacing the code with a more robust version.
- Demonstration of pornography on air during the broadcast. At the same time, it is extremely difficult to identify an intruder when a large number of people participate in a conference.
- Falling of confidential information into third hands. Another vulnerability of Zoom is a possible leak of user data. We are talking about photos, names, mailboxes, etc.
- Store codes in China. The encryption keys used are sometimes sent to servers in the PRC, which could theoretically lead to pressure from the country’s authorities.
- The video is not completely deleted. Attackers can launch a search and then download and watch someone else’s video within two to three hours after deletion.
- Selling accounts. More than half a million Zoom profiles are available on the Darknet. Earlier this year, hackers sold account logins and passwords, meeting IDs and passwords. However, as the check later showed, many of them are already outdated and have lost their relevance. For security reasons, we do not recommend using the same password for multiple conferences.
There are other problems, for example, booting on MacOS without user intervention, communication through an intermediary, and others.
In conclusion, we note that many Zoom vulnerabilities have already been fixed, but the developers still have something to work on. If users are not satisfied with this situation, you can find an alternative, for example, Discord, Skype or other programs, but do not forget that vulnerabilities are everywhere.