Zoom videoconferencing has become the platform of choice during the COVID-19 lockdown. At the same time, security vulnerabilities have been disclosed that could allow attackers to covertly control users' computers.
Some argue that the criticism of Zoom is unfair and that the company could not have anticipated the surge in usage caused by the pandemic. The service was originally designed for business use, but within a few weeks consumers flocked to it for school classes, training sessions and more.
CLAIMS FROM DROPBOX FORMER EMPLOYEES
Former Dropbox engineers claim that their company grew concerned that vulnerabilities in Zoom's videoconferencing system might compromise Dropbox's own network. That concern led the company, back in 2018, to begin paying hackers rewards for finding vulnerabilities in Zoom's software. The former engineers said they were stunned by the volume and severity of the security flaws discovered, and that Zoom was slow to fix them.
After Dropbox presented the hackers' findings from a hacking event in Singapore to Zoom Video Communications, the California company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability only after another hacker publicized a different security flaw with the same root cause.
WHAT WERE THESE FINDINGS?
The findings ranged from moderate-severity problems, such as an attacker being able to hijack a user's actions in the Zoom web app, to more serious flaws, such as an attacker being able to run malicious code on computers running Zoom software.
As part of an annual companywide hacking competition in 2018, Dropbox engineers created a knockoff of Zoom, which they called "Vroom", and challenged employees to hack it. The Dropbox employees successfully obtained Vroom meeting codes, which would have been enough to crash hypothetical Vroom meetings. The point of the exercise, former Dropbox employees said, was to teach Dropbox engineers to avoid the security mistakes that Zoom had made.
Some former employees said Dropbox also prompted Zoom to introduce additional security measures, including a virtual waiting room feature that now lets meeting organizers vet each participant before admitting them to a videoconference.
OTHER COMPANIES FOUND MORE FLAWS
Dropbox employees weren't the only ones finding problems. In late 2018, David Wells, a senior research engineer at Tenable, a security vulnerability assessment company, uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting without even being on the call. Among other things, Wells reported that an attacker could take over a Zoom user's screen controls, inject keystrokes and covertly install malware on the user's computer.
Wells also found that the vulnerability allowed him to post messages in Zoom chats under other participants' names and to kick participants out of meetings. Wells, who reported his findings directly to Zoom, said Zoom quickly patched the flaws.