Many online services have gained significant traction during the current Coronavirus lockdown, video calling services most of all. The name currently in the news is Zoom. The business video calling app has risen to a new level of popularity, reaching around 200 million users in March, both paid and free.
However, that immense popularity was followed by problems, and the most-used video calling app right now has security issues you should know about.
Zoom video calling app security issues
The Zoom video calling app is being used both by businesses and by a general audience that just needs to stay in touch with people during the quarantine. As usage surged, security flaws surfaced. Zoom was found sending user data to Facebook on iOS if users selected the ‘Login with Facebook’ feature. This was due to the Facebook SDK (software development kit), which the company has now removed.
Another (in)famous issue is ‘Zoombombing’. Zoom has a screen sharing feature that allows one user to send texts and messages to another user’s screen. This feature was exploited, resulting in adult videos appearing on users’ screens during a WFH Happy Hour video call hosted by The Verge.
Security researchers have found that the Zoom app is susceptible to various security issues. It began creating directories of its own and sharing people’s email addresses with one another even when they didn’t know each other. In this way, Zoom breached users’ privacy, sharing their information with others when they hadn’t even asked for it.
One major issue is that Zoom claims to be end-to-end encrypted. However, that’s not the case. Zoom video and audio content is transport encrypted, much like HTTPS websites are. This means that while a hacker might not be able to access the audio and video on Zoom, the company can.
Adding to the list, hackers can access users’ microphones and cameras on a Mac, and Windows passwords can be stolen. Furthermore, there is another Zoom vulnerability that exposes users’ LinkedIn profiles if they have subscribed to LinkedIn Sales Navigator. The data mining tool by Zoom is expected to be disabled soon.
Hi @zoom_us & @NCSC - here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO — Hacker Fantastic (@hackerfantastic) March 31, 2020
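The tweet above ties the Windows credential exposure to UNC path links in the Zoom client. As an added example (not code from Zoom or from the original article), the Python below shows a defensive check a chat client or message gateway could apply: find UNC-style paths in message text and replace them with inert text before any link rendering. The function names, the replacement text and the sample messages are assumptions constructed for illustration.

```python
import re

# UNC-style references that make Windows open an SMB connection when followed:
# \\host\share, //host/share and file://host/share. http(s):// is excluded by
# the lookbehind, and local paths such as C:\Users or file:///C:/ do not match.
UNC_RE = re.compile(
    r'(?:(?<![\w:/\\])(?:\\\\|//)|file:/{2,})'  # leading \\ or // or file://
    r'(?P<host>[A-Za-z0-9._-]+)'                # server name or IP address
    r'[\\/](?P<share>[^\s\\/]+)'                # share name
    r'(?:[\\/]\S*)?',                           # optional path below the share
    re.IGNORECASE,
)


def find_unc_paths(message):
    """Return (matched_text, host) for every UNC-style path in a chat message."""
    return [(m.group(0), m.group('host')) for m in UNC_RE.finditer(message)]


def neutralise(message):
    """Replace each UNC-style path with inert text that cannot become a link."""
    return UNC_RE.sub(
        lambda m: '[UNC path removed, host ' + m.group('host') + ']', message)


# Constructed sample messages (hypothetical hosts from documentation ranges).
SAMPLES = [
    r'Notes are at \\fileserver.example\share\notes.txt',
    r'join \\198.51.100.7\c$ now',
    'slides: file://192.0.2.10/x/deck.pptx',
    'call link https://example.com/j/123',
    r'saved to C:\Users\me\Desktop',
]

if __name__ == '__main__':
    for text in SAMPLES:
        hits = find_unc_paths(text)
        print('BLOCK' if hits else 'ok   ', neutralise(text))
```

Filtering message text is only one layer: blocking outbound SMB at the network edge and restricting outgoing NTLM authentication to remote servers limit the same exposure even when a link is followed.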
Zoom seems to be working on this
With the number of security issues growing along with its usage, Zoom has finally acted and released a blog post setting out the solutions it has for us. The blog post talks about what Zoom has done so far to deal with the issues and what it will do.
In addition to this, Zoom has stated, “However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” suggesting that it was meant to be an enterprise product and not a consumer product.
While Zoom admits that it has fallen short of serving consumers with the utmost safety and aims to get there, we hope it does fill in all the security gaps so that it doesn’t fall down and hit rock bottom.