All of a sudden, the Zoom conference app looks like a basket case. In the space of 10 days, it’s stopped being every stuck-at-home’s darling and morphed into the service we love to hate.
In an astounding run of bad PR, Zoom is accused of selling private data to Facebook, being a conduit for malware, using a secret pseudo sudo, and lying about using E2EE.
Plus, it’s now the subject of a class-action suit and scrutiny by the New York AG. In this week’s Security Blogwatch, we’re happy as Fat Larry.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Horse.
And you gave that to me?
Suddenly, Joseph Cox was on the moon—the Zoom iOS app was sending analytics information to Facebook:
Video-conferencing software Zoom issued an update to its iOS app which stops it sending certain pieces of data to Facebook … timezone, city, and device details. … Zoom's privacy policy did not make the data transfer to Facebook clear.
“Zoom takes its users’ privacy extremely seriously. … We were recently made aware that the Facebook SDK was collecting unnecessary device data. … We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data," Zoom's statement concluded.
Flying high in a neon sky, it’s Joel Rosenblatt—Zoom Sued for Allegedly Illegally Disclosing Personal Data:
Zoom Video Communications Inc. was sued by a user who claims the popular video-conferencing service is illegally disclosing personal information. … The company’s “wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users’ personal information,” according to the complaint.
…
Zoom … shares it, without proper notice, to third parties including Facebook Inc., according to the lawsuit, filed Monday in federal court in San Jose, California. … According to the suit, Zoom’s privacy policy doesn’t explain to users that its app contains code that discloses information to Facebook and potentially other third parties.
…
Robert Cullen of Sacramento is seeking to represent other users and asked for a declaration that Zoom violated California’s Consumer Privacy Act. … The case is Cullen v. Zoom Video Communications, No. 20-cv-02155, U.S. District Court for the Northern District of California (San Jose).
Bang, Lawrence Abrams and all the church bells rang—Zoom Client Leaks Windows Login Credentials to Attackers:
The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link. … Security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well.
…
If a user clicks on [it] Windows will send the user's login name and their NTLM password hash, which can be cracked using free tools [in seconds]. [It] can also be used to launch programs on a local computer when a link is clicked.
Heaven called and Felix Seele sang—@c1truz_:
Ever wondered how the Zoom macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts.
…
Very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges.
…
That is a very bad practice and trains users to just blindly enter their password everywhere. That same technique is already used by real, harmful malware samples.
…
The “one-click install” could be considered “creative” … but the system impersonation definitely crosses a line.
Sunrise shine in the midnight sky—@DanAmodio replies:
zoomAutenticationTool will run whatever script you give it, and ask you to authenticate as System. It's like they wrote their own sudo tool. Don't think you can weaponize but weird practice.
Oh Zoom, Kate Kozuch chased the app away—How to delete Zoom:
Despite the video conferencing software's recent surge in popularity, and loads of people stuck at home learning how to use Zoom, you might have decided it's not for you. [Perhaps you] are concerned about it collecting personal data about you from to share with advertisers.
…
Here's how to delete Zoom and your Zoom account on your devices.
High noon, Micah Lee and Yael Grauer came out to play—Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing:
Zoom … claims to implement end-to-end encryption, widely understood as the most private form of internet communication. … In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio.
…
The meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface. [But it] actually does not support end-to-end encryption for video and audio content.
…
A Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. … TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
…
So when you have a Zoom meeting, the video and audio content … won’t stay private from the company. … The only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat.
Then, Danny Hakim’s and Natasha Singer’s whole wide world went zoom—New York Attorney General Looks Into Zoom’s Privacy Practices:
The office of New York’s attorney general, Letitia James … sent Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers. … It outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”.
…
As Zoom’s popularity has grown, the app has scrambled to address a series of data privacy and security problems, a reactive approach that has led to complaints from some consumer, privacy and children’s groups. … In the letter, Ms. James’s office cited reports that Zoom had shared data with Facebook, and asked for further information on “the categories of data that Zoom collects, as well as the purposes and entities to whom Zoom provides consumer data.” [And it] expressed concern that the app may be circumventing state requirements protecting student data.
…
The company said it took “its users’ privacy, security and trust extremely seriously. [We] are happy to provide her with the requested information.”
Meanwhile, Arvind Narayanan—@random_walker—is high as a rainbow as we went flying by:
Every day there's a fresh Zoom privacy/security horror story. Why now, all at once?
It's simple: The problems aren't new but suddenly everyone is forced to use Zoom. That means more people discovering problems and also more frustration because opting out isn't an option.
…
If Zoom cares to resurrect its reputation, it needs to do four things right away:
- Stop acting like malware. … It's a dangerous slippery slope that makes it harder for the OS to block actual malware and creates new security risks for users.
- Get out of the advertising business. [Zoom] has no reason to turn the user into the product.
- Redesign the software to create a more respectful balance of power between meeting hosts … and participants. …
- I can’t believe I have to say this, but stop lying.
The moral of the story?
Shadows are blowing as NASDAQ:ZM roses bloom.
And finally
You can do it. We believe in you. Yeah. Nice.
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Alan Levine (cc:by)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
