
Vulnerability Researchers Focus on Zoom App's Security

With videoconferencing's rise as an essential tool for remote work comes a downside: more security scrutiny, which has turned up a number of security weaknesses.

Working from home has become the new normal for many technology and knowledge workers, and along with the move to remote work, videoconferencing services — such as Zoom — have become a key technology linking people together.

Yet with popularity comes scrutiny. 

Over the past month, researchers have begun turning up security and privacy flaws in the application, which has had success as a brand during the pandemic. In late March, for example, one red-team member found that Zoom would display universal naming convention (UNC) paths as links, which, if clicked, would send a username and password hash to an attacker-controlled system. In another report posted online, a researcher found two vulnerabilities in the Zoom client for macOS.

Because so many workers continue to work remotely, Zoom and other videoconferencing applications will be examined more closely for security flaws, says Brian Gorenc, director of vulnerability research and head of cybersecurity firm Trend Micro's ZDI program.

"We're in an unprecedented time with regard to the amount of people working remotely," he says. "All of the products that enable this – VPNs, video chat, 2FA [and others] – will receive increased scrutiny from researchers and attackers alike."

Zoom, in particular, has had a rough few weeks. Attackers have started registering domains that appear related to the company, with more than 1,700 Zoom-themed domains registered globally. On March 30, the FBI office in Boston warned videoconferencing platforms and schools that the law enforcement agency had received reports that conference calls were being "Zoom-bombed" with pornographic and hate images during school lectures.

Finally, critics have accused Zoom of being too expansive with its use of the term "end-to-end encryption."

The company has likely not seen the end of the security and privacy scrutiny, says Carl Livitt, principal researcher at penetration-testing firm Bishop Fox.

"We are starting to see the first drips of the bugs right now," he says. "But researchers often, when they find one bug, see something else super interesting and make a note of it. I would not be surprised in the slightest if more bugs fall out because of this attention."

The sudden popularity of Zoom has added to the scrutiny. Zoom's business has expanded from about 10 million meeting participants per day in December 2019 to more than 200 million meeting participants per day in March. The surge, which includes more than 90,000 schools in 20 countries, has made reliability the top issue for the company, the firm said in a statement on April 1. And now that security is getting more attention, the company has pledged to fix issues quickly.
 
"[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," the company said. "Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users."

At least three issues have been publicized in the last month. One penetration tester found that a Zoom chat could be used to post links in the universal naming convention (UNC) format, which could be used to capture a username and password hash if a user clicked on a link that connected to a server message block (SMB) server. 

A second cybersecurity specialist showed a screenshot of a proof-of-concept of the attack. "Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks," wrote @hackerfantastic on Twitter.

Zoom acknowledged the issue. "At Zoom, ensuring the privacy and security of our users and their data is paramount," the company said in a statement sent to Dark Reading. "We are aware of the UNC issue and are working to address it."
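As an added illustration, not code from Zoom or from the article, the application-level pattern behind the chat bug: a naive linkifier that turns any path-like token, UNC paths included, into a clickable link, beside a hardened version that only links http(s) URLs and leaves UNC paths and non-web schemes as inert text. The sample messages and the host name fileserver01 are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample chat lines (not taken from the article).
SAMPLE_MESSAGES = [
    "minutes: https://example.com/minutes",
    r"copy from \\fileserver01\share\report.docx",
    "try file://fileserver01/share/report.docx",
]

# \\host\share\... ; on Windows, opening such a link starts an SMB
# connection and NTLM authentication to "host".
UNC_RE = re.compile(r"\\\\[^\s\\]+\\[^\s]+")
# Anything that looks like scheme:rest or a UNC path is a candidate token.
LINK_RE = re.compile(r"(?:[a-z][a-z0-9+.-]*:[^\s<>\"]+|\\\\[^\s\\]+\\[^\s]+)", re.I)

ALLOWED_SCHEMES = {"http", "https"}


def is_web_url(token: str) -> bool:
    """True only for http(s) URLs; UNC paths, file:, drive letters etc. are rejected."""
    if UNC_RE.fullmatch(token):
        return False
    return urlsplit(token).scheme.lower() in ALLOWED_SCHEMES


def _render(text: str, allow) -> str:
    """HTML-escape the message and wrap tokens approved by allow() in <a href>."""
    parts, pos = [], 0
    for m in LINK_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        tok = html.escape(m.group(0))
        parts.append(f'<a href="{tok}">{tok}</a>' if allow(m.group(0)) else tok)
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts)


def linkify_naive(text: str) -> str:
    """Vulnerable pattern: every path-like token becomes clickable."""
    return _render(text, lambda tok: True)


def linkify_safe(text: str) -> str:
    """Hardened: only http(s) URLs become links; UNC paths stay plain text."""
    return _render(text, is_web_url)


def find_unc_paths(text: str) -> list:
    """Detection helper: UNC paths present in a message, for logging or blocking."""
    return UNC_RE.findall(text)
```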

Yet another researcher publicized two other issues with Zoom on the macOS operating system — a privilege escalation attack and a code injection attack. Both vulnerabilities are a result of Zoom circumventing a specific security function of macOS.

Felix Seele, the technical lead at static and behavioral analysis firm VMRay, criticized the company's macOS installer for the way it circumvents user input during installation, which Zoom says is done in the interest of a good user experience.

"This is not strictly malicious but very shady and definitely leaves a bitter aftertaste," Seele wrote on Twitter. "The application is installed without the user giving his final consent, and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware."

The company's CEO replied to Seele's criticism of the circumvention on Twitter.

"We implemented [this] to balance the number of clicks given the limitations of the standard technology," Eric S. Yuan, founder and CEO of Zoom, wrote on Twitter. "To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve."

Bishop Fox's Livitt points out that other platforms have had to deal with security scrutiny over the years. When Cisco bought WebEx, that videoconferencing platform had to weather a spate of bug reports as well. 

Yet Zoom's decision to work around platform security for an arguably smoother user experience suggests the company, or its developers, may not support mature security processes, Livitt says.

"In the end, the platform provided these security controls and they deliberately turned them off, and no one really knows why," he says. "If there are security flags being disabled by developers, then that means their software development life cycle is not as mature as it should be."
