
Application Security

Vulnerability Researchers Focus on Zoom App's Security

With videoconferencing's rise as an essential tool for remote work comes a downside: more security scrutiny, which has turned up a number of security weaknesses.

Working from home has become the new normal for many technology and knowledge workers, and along with the move to remote work, videoconferencing services — such as Zoom — have become a key technology linking people together.

Yet with popularity comes scrutiny. 

Over the past month, researchers have begun turning up security and privacy flaws in the application, whose brand has thrived during the pandemic. In late March, for example, one red-team member found that the Zoom Windows client rendered universal naming convention (UNC) paths posted in chat as clickable links; clicking one makes Windows connect to the named SMB server and authenticate automatically, sending the user's Windows username and NTLM password hash to an attacker-controlled system. In another report posted online, a researcher found two vulnerabilities in the Zoom client for macOS.

Because so many workers continue to work remotely, Zoom and other videoconferencing applications will be examined more closely for security flaws, says Brian Gorenc, director of vulnerability research and head of cybersecurity firm Trend Micro's ZDI program.

"We're in an unprecedented time with regard to the amount of people working remotely," he says. "All of the products that enable this – VPNs, video chat, 2FA [and others] – will receive increased scrutiny from researchers and attackers alike."

Zoom, in particular, has had a rough few weeks. Attackers have started registering domains that appear related to the company, with more than 1,700 Zoom-themed domains registered globally. On March 30, the FBI office in Boston warned videoconferencing platforms and schools that the law enforcement agency had received reports of conference calls being "Zoom-bombed," with pornographic and hate images injected into school lectures.

Finally, critics have accused Zoom of being too expansive with its use of the term "end-to-end encryption."

The company has likely not seen the end of the security and privacy scrutiny, says Carl Livitt, principal researcher at penetration-testing firm Bishop Fox.

"We are starting to see the first drips of the bugs right now," he says. "But researchers often, when they find one bug, see something else super interesting and make a note of it. I would not be surprised in the slightest if more bugs fall out because of this attention."

The sudden popularity of Zoom has added to the scrutiny. Zoom's business has expanded from about 10 million meeting participants per day in December 2019 to more than 200 million meeting participants per day in March. The surge, which includes more than 90,000 schools in 20 countries, has made reliability the top issue for the company, the firm said in a statement on April 1. And now that security is getting more attention, the company has pledged to fix issues quickly.
 
"[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," the company said. "Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users."

At least three issues have been publicized in the last month. One penetration tester found that Zoom chat could be used to post links in universal naming convention (UNC) format; if a user clicked such a link, the Windows client would connect to the attacker's server message block (SMB) server, and Windows would hand over the user's username and password hash during the automatic authentication attempt.

A second cybersecurity specialist showed a screenshot of a proof-of-concept of the attack. "Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks," wrote @hackerfantastic on Twitter.

Zoom acknowledged the issue. "At Zoom, ensuring the privacy and security of our users and their data is paramount," the company said in a statement sent to Dark Reading. "We are aware of the UNC issue and are working to address it."
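To make the UNC issue concrete, here is an added example (not Zoom's code) of the two behaviours side by side: a flawed link extractor that treats a UNC path like any other link, and a hardened one that only promotes http(s) URLs to clickable links, plus a small detection helper that flags UNC paths pointing at hosts outside a trusted set. The chat messages and host names are constructed for this illustration.

```python
"""Added example: why rendering UNC paths as links leaks NTLM hashes, and
how a hardened linkifier and a simple detector avoid it.  Not Zoom's code;
all messages below are constructed for illustration."""
import re

# A Windows UNC path: \\host\share[\more\path].  Clicking such a link on
# Windows makes the SMB client connect to <host> and auto-authenticate with
# NTLM, which is what lets an attacker-controlled server capture the hash.
UNC_RE = re.compile(r"\\\\([^\\\s/]+)\\([^\s]*)")

# Ordinary web URLs, the only thing a chat linkifier should make clickable.
URL_RE = re.compile(r"https?://[^\s<>\"]+")

# Constructed sample chat lines (not captured traffic).
SAMPLE_CHAT = [
    "Slides: https://example.com/deck.pdf",
    r"Notes are on \\fileserver01\share\notes.docx",
    r"Click me \\203.0.113.5\c$",
    "no links at all",
]


def extract_links_flawed(msg: str) -> list[str]:
    """Flawed behaviour: every http(s) URL *and* every UNC path becomes a link."""
    links = [m.group(0) for m in URL_RE.finditer(msg)]
    links += [m.group(0) for m in UNC_RE.finditer(msg)]
    return links


def extract_links_hardened(msg: str) -> list[str]:
    """Hardened behaviour: only http/https URLs become links; UNC text stays inert."""
    return [m.group(0) for m in URL_RE.finditer(msg)]


def unc_hosts(msg: str) -> list[str]:
    """Hosts that Windows would try to reach over SMB if each UNC path were clicked."""
    return [m.group(1) for m in UNC_RE.finditer(msg)]


def flag_external_unc(msg: str, trusted_hosts: list[str]) -> list[str]:
    """Detection side: UNC hosts outside the trusted set are hash-theft candidates.

    trusted_hosts is a hypothetical allow-list of internal file servers."""
    trusted = {h.lower() for h in trusted_hosts}
    return [h for h in unc_hosts(msg) if h.lower() not in trusted]


if __name__ == "__main__":
    for line in SAMPLE_CHAT:
        print(f"{line!r}")
        print("  flawed   ->", extract_links_flawed(line))
        print("  hardened ->", extract_links_hardened(line))
        print("  external ->", flag_external_unc(line, ["fileserver01"]))
```

The hardened extractor is the client-side fix; the detector is what a defender would run over chat exports or proxy logs. Both only reduce the blast radius, so blocking outbound TCP 445 at the perimeter remains the more general control against this whole class of hash-capture tricks.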

Yet another researcher publicized two other issues with Zoom on macOS: a local privilege escalation flaw and a code injection flaw. Both result from the Zoom client circumventing a security control of macOS rather than using it as intended.

Felix Seele, technical lead at static and behavioral analysis firm VMRay, criticized the company's macOS installer for the way it bypasses the normal installer prompts, which Zoom says it does to give users a smoother experience.

"This is not strictly malicious but very shady and definitely leaves a bitter aftertaste," Seele wrote on Twitter. "The application is installed without the user giving his final consent, and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware."

The company's CEO replied to Seele's criticism of the circumvention on Twitter.

"We implemented [this] to balance the number of clicks given the limitations of the standard technology," Eric S. Yuan, founder and CEO of Zoom, wrote on Twitter. "To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve."

Bishop Fox's Livitt points out that other platforms have had to deal with security scrutiny over the years. When Cisco bought WebEx, that videoconferencing platform had to weather a spate of bug reports as well. 

Yet Zoom's decision to work around platform security for an arguably smoother user experience suggests the company, or its developers, may lack mature security processes, Livitt says.

"In the end, the platform provided these security controls and they deliberately turned them off, and no one really knows why," he says. "If there are security flags being disabled by developers, then that means their software development life cycle is not as mature as it should be."
