This blog presents the latest updates about the Zoom security issues.
When I first saw that, I said, well, sure, a lot of these vulnerabilities show up from time to time; there is nothing special, especially people being able to enter rooms when they know the room IDs.
But after the discovery of a backdoor vulnerability along with leaks of essential information like email addresses and photos, the Zoom platform is now a huge attack surface for hackers trying to use these vulnerabilities.
The first thing to know is that Zoom's founder and CEO apologised for the security issues and has made a pledge to lock down development for 90 days to find and fix security and privacy flaws.
1) Zoom bombing:
Basically, anyone can bomb a Zoom meeting if they know the meeting number. This is easy to avoid: just don't give meeting numbers to everybody.
2) Windows password-stealing:
This is surprising because usually even companies not as big as Zoom don't allow malware to be uploaded.
Zoom chat is vulnerable to malware, so be aware of that.
Update: this vulnerability has been fixed by Zoom.
3) iOS profile sharing:
Until last week, Zoom sent iOS user profiles to Facebook when using authentication via Facebook, claiming that they didn't know.
Update: this is fixed now.
4) Phoney end-to-end encryption:
Zoom admits that they didn't really use end-to-end encryption as they pretended. In short, the data flying between clients and Zoom is not encrypted, and this is really dangerous.
That being said, Gal wrote that “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
5) Malware-like behaviour on Macs:
Zoom used a hacker-like method to bypass normal macOS security precautions for a long time.
Update: on April 2nd it was said that the new version “completely removes the questionable ‘preinstall’-technique and the faked password prompt.”
6) A backdoor for Mac malware:
A hacker called Patrick Wardle demonstrated on March 30th how a local attacker — such as a malicious human or already-installed malware — could use Zoom’s magical powers of unauthorized installation to “escalate privileges” and gain total control over the machine without knowing the administrator password.
7) Leaks of email addresses and profile photos:
Zoom automatically puts everyone sharing the same email domain into a “company” folder where they can see each other’s information. So be aware of that when using Zoom with your company email.
8) Sharing of personal data with advertisers:
In my opinion, it is not just them!
Does all of this mean that Zoom is unsafe to use? No.
But as I said earlier, now that hackers are aware of the vulnerabilities, it will be an attack surface.
Be aware of all that, and do not click on anything unless you know what it is. Install anti-malware and antivirus software.
Use a VPN for your connections.
The good news is that Zoom is fixing all of that and it will be better in the future.