Vulnerability Researchers Focus on Zoom Apps Security

With videoconferencings rise as an essential tool for remote work comes a downside: more security scrutiny, which has turned up a number of security weaknesses.

Working from home has become the new normal for many technology and knowledge workers, and along with the move to remote work, videoconferencing services — such as Zoom — have become a key technology linking people together.
Yet with popularity comes scrutiny.
Over the past month, researchers have begun turning up security and privacy flaws in the application, which has had success as a brand during the pandemic. In late March, for example, one red-team member found that Zoom would display universal naming convention (UNC) paths as links, which, if clicked, would send a username and password hash to an attacker-controlled system. In another report posted online, a researcher found two vulnerabilities in the Zoom client for MacOS.
Because so many workers continue to work remotely, Zoom and other videoconferencing applications will be examined more closely for security flaws, says Brian Gorenc, director of vulnerability research and head of cybersecurity firm Trend Micros ZDI program.
Were in an unprecedented time with regard to the amount of people working remotely, he says. All of the products that enable this – VPNs, video chat, 2FA [and others] – will receive increased scrutiny from researchers and attackers alike.
Zoom, in particular, has had a rough few weeks. Attackers have started registering domains that appear related to the company, with
more than 1,700 Zoom-themed domains registers globally
. On March 30, the FBI office in Boston warned videoconferencing platforms and schools that the law enforcement agency had received reports that conference calls were being Zoom-bombed by pornographic and hate images during school lectures.
Finally, critics have accused Zoom of
being too expansive with its use of the term end-to-end encryption.
The company has likely not see the end of the security and privacy scrutiny, says Carl Livitt, principal researcher at penetration-testing firm Bishop Fox.
We are starting to see the first drips of the bugs right now, he says. But researchers often, when they find one bug, see something else super interesting and make a note of it. I would not be surprised in the slightest if more bugs fall out because of this attention.
The sudden popularity of Zoom has added to the scrutiny. Zooms business has expanded from about 10 million meeting participants per day in December 2019 to more than 200 million meeting participants per day in March. The surge, which includes more than 90,000 schools in 20 countries, has made reliability the top issue for the company, the firm said in
a statement on April 1
. And now that security is getting more attention, the company has pledged to fix issues quickly.

[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home, the company said. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.
At least three issues have been publicized in the last month. One penetration tester found that a Zoom chat could be used to
post links in the universal naming convention (UNC) format
, which could be used to capture a username and password hash if a user clicked on a link that connected to a server message block (SMB) server.
A second cybersecurity specialist showed a screenshot of a proof-of-concept of the attack. Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks,
wrote @hackerfantastic on Twitter.
Zoom acknowledged the issue. At Zoom, ensuring the privacy and security of our users and their data is paramount, the company said in a statement sent to Dark Reading. We are aware of the UNC issue and are working to address it.
Yet another researcher publicized two other issues with Zoom on the MacOS operating system — a privilege escalation attack and code injection attack. Both vulnerabilities are
a result of Zoom circumventing a specific security function of the MacOS
.
Felix Seele, the technical lead at static and behavioral analysis firm VMRay, criticized the companys Mac OS installer for the way it circumvents user input during installation in the name of — what Zoom says — is the desire for a good user experience.
This is not strictly malicious but very shady and definitely leaves a bitter aftertaste, Seele
wrote on Twitter
. The application is installed without the user giving his final consent, and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.
The companys CEO replied to Seeles criticism of the circumvention on Twitter.
We implemented [this] to balance the number of clicks given the limitations of the standard technology, Eric S. Yuan, founder and CEO of Zoom,
wrote on Twitter
. To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve.
Bishop Foxs Livitt points out that other platforms have had to deal with security scrutiny over the years. When Cisco bought WebEx, that videoconferencing platform had to weather
a spate
of
bug reports
as well.
Yet Zooms decision to work around platform security for an arguably smoother user experience suggests the company, or its developers, may not support mature security processes, Livitt says.
In the end, the platform provided these security controls and they deliberately turned them off, and no one really knows why, he says. If there are security flags being disabled by developers, then that means their software development life cycle is not as mature as it should be.
Related Content:
Latest Security News & Commentary about COVID-19
Researchers Spot Sharp Increase in Zoom-Themed Domain Registrations
Cisco Webex & Zoom Bug Lets Attackers Spy on Conference Calls
Videoconferencing Can Be The Bug In The Boardroom
Videoconferencing Systems Vulnerable To Hackers
Check out The Edge, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Untangling Third-Party Risk (and Fourth, and Fifth...)
.

Last News
▸ Google has three months to comply with privacy law. ◂ Discovered: 26/12/2024 Category: security	▸ Firefox improves Do Not Track feature. ◂ Discovered: 26/12/2024 Category: security	▸ Crime Scene Investigation: Atlanta? No, its Phone Fingerprinting. ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Vulnerability Researchers Focus on Zoom Apps Security