
Vulnerability Researchers Focus on Zoom App's Security

With videoconferencing's rise as an essential tool for remote work comes a downside: more security scrutiny, which has turned up a number of security weaknesses.

Working from home has become the new normal for many technology and knowledge workers, and along with the move to remote work, videoconferencing services — such as Zoom — have become a key technology linking people together.

Yet with popularity comes scrutiny. 

Over the past month, researchers have begun turning up security and privacy flaws in the application, which has had success as a brand during the pandemic. In late March, for example, one red-team member found that Zoom would display universal naming convention (UNC) paths as links, which, if clicked, would send a username and password hash to an attacker-controlled system. In another report posted online, a researcher found two vulnerabilities in the Zoom client for MacOS.

Because so many workers continue to work remotely, Zoom and other videoconferencing applications will be examined more closely for security flaws, says Brian Gorenc, director of vulnerability research and head of cybersecurity firm Trend Micro's ZDI program.

"We're in an unprecedented time with regard to the amount of people working remotely," he says. "All of the products that enable this – VPNs, video chat, 2FA [and others] – will receive increased scrutiny from researchers and attackers alike."

Zoom, in particular, has had a rough few weeks. Attackers have started registering domains that appear related to the company, with more than 1,700 Zoom-themed domains registered globally. On March 30, the FBI office in Boston warned videoconferencing platforms and schools that the law enforcement agency had received reports that conference calls were being "Zoom-bombed" with pornographic and hate images during school lectures.

Finally, critics have accused Zoom of being too expansive with its use of the term "end-to-end encryption."

The company has likely not seen the end of the security and privacy scrutiny, says Carl Livitt, principal researcher at penetration-testing firm Bishop Fox.

"We are starting to see the first drips of the bugs right now," he says. "But researchers often, when they find one bug, see something else super interesting and make a note of it. I would not be surprised in the slightest if more bugs fall out because of this attention."

The sudden popularity of Zoom has added to the scrutiny. Zoom's business has expanded from about 10 million meeting participants per day in December 2019 to more than 200 million meeting participants per day in March. The surge, which includes more than 90,000 schools in 20 countries, has made reliability the top issue for the company, the firm said in a statement on April 1. And now that security is getting more attention, the company has pledged to fix issues quickly.
 
"[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," the company said. "Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users."

At least three issues have been publicized in the last month. One penetration tester found that a Zoom chat could be used to post links in the universal naming convention (UNC) format, which could be used to capture a username and password hash if a user clicked on a link that connected to a server message block (SMB) server. 

A second cybersecurity specialist showed a screenshot of a proof-of-concept of the attack. "Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks," wrote @hackerfantastic on Twitter.

Zoom acknowledged the issue. "At Zoom, ensuring the privacy and security of our users and their data is paramount," the company said in a statement sent to Dark Reading. "We are aware of the UNC issue and are working to address it."
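The UNC issue above comes down to how a chat renderer decides what becomes a clickable link. The following is an added illustration, not Zoom's code: a naive renderer that turns any URL-looking token (including a `\\host\share` UNC path) into a link, beside an allowlist renderer that only links http(s), plus a detection helper that flags UNC paths in message text. The sample messages and the regexes are constructed for this example.

```python
import html
import re

# Only these schemes become clickable links; UNC paths and file:// never will.
SAFE_SCHEMES = ("http://", "https://")

# Any token that looks like a URL or UNC path: "\\host\share..." or "scheme://...".
TOKEN_RE = re.compile(r"(\\\\[^\s]+|[A-Za-z][A-Za-z0-9+.-]*://[^\s]+)")

# A UNC path: two backslashes, a host, then one or more "\segment" parts.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+(?:\\[^\s\\]+)+")


def _anchor(tok: str) -> str:
    safe = html.escape(tok, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def linkify_vulnerable(text: str) -> str:
    """Naive renderer: every URL-looking token becomes a link, UNC paths included.

    Clicking a \\host\share link on Windows makes the client open an SMB
    connection to "host", which is how the credential hash leaks.
    """
    return TOKEN_RE.sub(lambda m: _anchor(m.group(0)), text)


def linkify_hardened(text: str) -> str:
    """Allowlist renderer: only http(s) tokens become links; all else stays text."""
    def repl(m: "re.Match") -> str:
        tok = m.group(0)
        if tok.lower().startswith(SAFE_SCHEMES):
            return _anchor(tok)
        return html.escape(tok, quote=True)  # rendered as inert text
    return TOKEN_RE.sub(repl, text)


def find_unc_paths(text: str) -> list:
    """Detection helper: list UNC paths in a message so it can be logged or flagged."""
    return UNC_RE.findall(text)


if __name__ == "__main__":
    # Constructed sample chat message (not from the article).
    msg = r"minutes at \\10.0.0.5\share\notes.txt and https://example.com/agenda"
    print(linkify_vulnerable(msg))
    print(linkify_hardened(msg))
    print(find_unc_paths(msg))
```

Independently of the client fix, blocking outbound SMB (TCP 445) at the network edge is the usual defensive control against this class of hash leakage.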

Yet another researcher publicized two other issues with Zoom on the MacOS operating system — a privilege escalation attack and a code injection attack. Both vulnerabilities are a result of Zoom circumventing a specific security function of MacOS.

Felix Seele, the technical lead at static and behavioral analysis firm VMRay, criticized the company's Mac OS installer for the way it bypasses user input during installation, which Zoom says is done in the interest of a good user experience.

"This is not strictly malicious but very shady and definitely leaves a bitter aftertaste," Seele wrote on Twitter. "The application is installed without the user giving his final consent, and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware."

The company's CEO replied to Seele's criticism of the circumvention on Twitter.

"We implemented [this] to balance the number of clicks given the limitations of the standard technology," Eric S. Yuan, founder and CEO of Zoom, wrote on Twitter. "To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve."

Bishop Fox's Livitt points out that other platforms have had to deal with security scrutiny over the years. When Cisco bought WebEx, that videoconferencing platform had to weather a spate of bug reports as well. 

Yet Zoom's decision to work around platform security for an arguably smoother user experience suggests the company, or its developers, may not support mature security processes, Livitt says.

"In the end, the platform provided these security controls and they deliberately turned them off, and no one really knows why," he says. "If there are security flags being disabled by developers, then that means their software development life cycle is not as mature as it should be."
