Zoom: Vulnerabilities and Issues Exposed During Covid-19

vigilance Industry Roundups 1 Comment

Zoom became the go-to solution that every other business started using during the Covid-19 outbreak. It became so popular that there was even a meme about its virality.

Viral meme about Zoom’s popularity skyrocketing during the Covid-19 pandemic

Unfortunately, as with all software, and all software that grows popular, many vulnerabilities and other issues of concern have been discovered. These new vulnerabilities were published nearly one after another in the span of the past week.

Let’s take a look at a timeline –

  1. 26th March 2020 – Joe Cox wrote for Motherboard by Vice that Zoom’s iOS app sends data to Facebook without declaring it in its privacy policy.
  2. 30th March 2020 – Felix Seele tweeted and wrote for VMRay that the macOS installer masks the actual installation under the pre-installation script without informing its users.
  3. 30th March 2020 – Hot on the heels of Felix’s revelations, Patrick Wardle took a closer look at that pre-installation script and discovered a root privilege escalation vulnerability. He also discovered a separate vulnerability that allowed malicious code to piggyback off Zoom’s camera and mic access.
  4. 30th March 2020 – The issue of Zoombombing got so bad that the FBI issued a warning of such hijacks.
  5. 31st March 2020 – Micah Lee and Yael Grauer wrote for The Intercept that Zoom’s meetings are not encrypted end-to-end, even though they are marketed as such.
  6. 31st March 2020 – Lawrence Abrams wrote for Bleeping Computer that Zoom allows attackers to steal Windows credentials.
  7. 1st April 2020 – Joe Cox wrote for Motherboard again that Zoom was unintentionally revealing people’s email addresses and photos to strangers in its Company Directory setting.
  8. 2nd April 2020 – Trent Lo of KrebsOnSecurity and his team from SecKC created zWarDial, which could identify approximately 100 non-password-protected Zoom meeting IDs every hour.
  9. 3rd April 2020 – Micah Lee wrote for The Intercept again that Zoom’s chosen cryptography algorithm has severe weaknesses, and that Zoom also retrieves encryption keys from servers in China, so it may be legally required to disclose those keys to the Chinese government when pressured for them.

While Zoom has responded to most of the issues, if you are considering a different video conferencing software, perhaps consider Google Meet (our favourite) or Microsoft Teams.
