UPDATED April 3 with additional issues.
UPDATED with details of blog post by Zoom's founder and CEO spelling out fixes Zoom has made and pledge to lock down development for 90 days to find and fix security and privacy flaws, and with blog post by Zoom's chief product officer regarding Zoom's use of end-to-end encryption.
Are you using Zoom yet? It seems that everyone in America who's been forced to work, or do schoolwork, from home during the coronavirus lockdown is using the video-conferencing platform for meetings, classes and even social gatherings.
There are good reasons Zoom has taken off and other platforms haven't. Zoom is easy to set up, easy to use and lets up to 100 people join a meeting for free. It just works.
But there's a downside. Zoom's ease of use makes it easy for troublemakers to "bomb" open Zoom meetings, and for hackers to inject malware into a machine running Zoom. There's also been a lot of scrutiny about Zoom's privacy policy, which until recently seemed to give Zoom the right to do whatever it saw fit with any user's personal data.
Given the soaring usage of the Zoom platform during the coronavirus lockdown, and the near-doubling of its stock price since the beginning of February, Zoom has come under intense scrutiny from security professionals and privacy advocates. And boy, have they found stuff.
We've already mentioned that anyone can "bomb" a public Zoom meeting if they know the meeting number, and then use screen sharing to post shocking images, or make annoying noises on the audio. The FBI even warned about it a few days ago.
The host of the Zoom meeting can mute or even kick out troublemakers, but they can come right back with new user IDs. The best way to avoid Zoom bombing is to not share Zoom meeting numbers with anyone but the intended participants. You can also require participants to use a password to log into the meeting.
STATUS: There are easy ways to avoid Zoom bombing, which we go through here.
Zoom meetings have side chats in which participants can send text-based messages and post web links.
But according to Twitter user @_g0dmode and Anglo-American cybersecurity training firm Hacker House, Zoom's chat turned Universal Naming Convention (UNC) paths, the \\server\share form Windows uses for network shares, into clickable links exactly as it did ordinary web addresses. That left Zoom chats open to attack.
If a malicious Zoom bomber slipped a UNC path to a remote server that he controlled into a Zoom meeting chat, an unwitting participant could click on it.
The participant's Windows computer would then connect to the hacker's server named in the path over SMB and, as Windows does by default for network shares, attempt NTLM authentication with the user's Windows username and a response derived from the password hash.
The hacker could capture that NTLM challenge-response and crack it offline to recover the password, giving him access to the Zoom user's Windows account. Independently of any Zoom fix, blocking outbound TCP port 445 at the network edge, or setting the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", stops the credential from ever leaving the network.
UPDATE: Yuan's blog post says Zoom has now fixed this problem.
STATUS: Fixed, apparently.
Mohamed A. Baset of security firm Seekurity said on Twitter that the same flaw also lets a hacker insert a UNC path to a remote executable file into a Zoom meeting chatroom.
If a Zoom user running Windows clicks on it, a video posted by Baset showed, the user's computer will try to load and run the software. The victim will be prompted to authorize the software to run, which will stop some hacking attempts but not all.
STATUS: If the UNC filepath issue is fixed, then this should be as well.
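The fix for both chat issues above is the same: treat only http and https URLs as clickable and render everything else, UNC paths and file: URLs included, as plain text. The following is an added example of that check, not code from the original article or from Zoom; the sample messages, the UNC regular expression and the extension list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample chat messages (not real Zoom traffic). The third and fourth
# are the UNC-path and UNC-to-executable cases described in the article.
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    "see http://example.org/notes",
    r"\\203.0.113.10\share\agenda.docx",        # UNC path to an attacker-controlled host
    r"\\203.0.113.10\share\update.exe",         # UNC path to a remote executable
    "file://///203.0.113.10/share/agenda.docx", # file: URL spelling of the same share
    "the meeting id is 123 456 7890",
]

# Hypothetical pattern for \\host\share\... ; tokens are whitespace-delimited.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+")
EXECUTABLE_EXT = {".exe", ".bat", ".cmd", ".scr", ".com", ".ps1", ".js", ".vbs", ".hta", ".msi"}


def classify_link(token):
    """Return 'web', 'unc', 'unc-executable', 'file' or 'text' for one chat token."""
    if UNC_RE.fullmatch(token):
        last = token.rsplit("\\", 1)[-1]                # final path component
        ext = ("." + last.rsplit(".", 1)[-1].lower()) if "." in last else ""
        return "unc-executable" if ext in EXECUTABLE_EXT else "unc"
    parsed = urlparse(token)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "web"
    if parsed.scheme == "file":
        return "file"
    return "text"


def linkify(message):
    """Split a message into (token, clickable) pairs: only http/https become links."""
    return [(tok, classify_link(tok) == "web") for tok in message.split()]


def flagged_tokens(messages):
    """Everything that is link-shaped but must not be rendered as a link, for logging."""
    out = []
    for message in messages:
        for tok in message.split():
            kind = classify_link(tok)
            if kind not in ("web", "text"):
                out.append((tok, kind))
    return out


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(linkify(message))
    print("refused:", flagged_tokens(SAMPLE_MESSAGES))
```

Allow-listing schemes is the right shape here; a deny-list of `\\` prefixes would miss the `file:` spelling and any future encoding trick. The same classifier is also a reasonable chat-log detection rule on the host side.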
Until last week, Zoom sent iOS user profiles to Facebook as part of the "log in with Facebook" feature in the iPhone and iPad Zoom apps. After Vice News exposed the practice, Zoom said it hadn't been aware of the profile-sharing and updated the iOS apps to fix this.
STATUS: Fixed.
Zoom claims that its meetings use "end-to-end encryption" if every participant joins from a computer or a Zoom mobile app instead of dialing in by phone. But under pressure from The Intercept, a Zoom representative admitted that Zoom's definitions of "end-to-end" and of "endpoint" are a bit different from everyone else's.
"When we use the phrase 'End to End'," a Zoom spokesperson told The Intercept, "it is in reference to the connection being encrypted from Zoom end point to Zoom end point."
Sounds good, but the spokesperson clarified that he counted a Zoom server as an endpoint. Everyone else considers a user device -- a desktop, laptop, smartphone or tablet -- an endpoint, but not a server.
In other words, the data is encrypted when it travels from a Zoom client application on a computer or mobile device (an endpoint, in networking lingo) to a Zoom server, or vice versa. It's decrypted at the server, and Zoom can see and hear it.
Every other company uses "end-to-end" to mean fully encrypted from one endpoint to another. When you send an iMessage from your iPhone to another iPhone user, Apple's servers help the message get from one place to another, but they can't read the content.
Not so with Zoom. It can see whatever is going on in its meetings, and it pretty much has to in order to make sure everything works properly. Just don't believe the implication that it can't.
UPDATE: In a blog post April 1, Zoom Chief Product Officer Oded Gal wrote that "we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. "
"We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," he wrote.
Gal assured users that all data sent and received by Zoom client applications (but not regular phone lines, business conferencing systems or, presumably, browser interfaces) is indeed encrypted and that Zoom servers or staffers "do not decrypt it at any point before it reaches the receiving clients."
However, Gal added, "Zoom currently maintains the key management system for these systems in the cloud" but has "implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings."
The implication is that Zoom doesn't decrypt user transmissions -- but because it holds the encryption keys, it could if it had to.
For those worried about government snooping, Gal wrote that "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
And he added that companies and other enterprises would soon be able to handle their own encryption process.
"A solution will be available later this year to allow organizations to leverage Zoom's cloud infrastructure but host the key management system within their environment."
STATUS: This is an issue of misleading advertising rather than an actual bug. We hope Zoom stops using the term incorrectly.
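The difference between the two definitions comes down to who holds the key, which is exactly the point Gal's "key management system in the cloud" sentence concedes. The following is an added example (not code from the article, and not Zoom's actual protocol, which the article does not describe) contrasting the two models: in the first, the relay server generates the meeting key and could decrypt at will even if it never does; in the second, the clients agree a key between themselves and the server only ever sees public values and ciphertext. The Diffie-Hellman parameters and the SHA-256 stream cipher are toy choices so the demo runs on the standard library.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only: p = 2**255 - 19 used as a
# plain finite-field modulus with g = 2. Use a standardised group (RFC 3526) or
# X25519 in real code.
P = 2 ** 255 - 19
G = 2


def keystream_xor(key, nonce, data):
    """Toy counter-mode stream cipher with SHA-256 as the PRF. Symmetric, so the
    same call encrypts and decrypts. Not an AEAD; demo use only."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class RelayServer:
    """Stands in for the conferencing cloud: forwards messages, records what it saw."""

    def __init__(self):
        self.observed = []
        self.key = None  # only populated in the server-managed model

    def relay(self, msg):
        self.observed.append(msg)
        return msg


def server_managed_meeting(plaintext):
    """Model matching the 'key management in the cloud' description: the server
    mints the meeting key and hands it to every client. Whether or not it decrypts
    in normal operation, it is able to."""
    server = RelayServer()
    server.key = secrets.token_bytes(32)
    alice_key = bob_key = server.key            # both clients receive the server's key
    nonce = secrets.token_bytes(12)
    ct = server.relay(keystream_xor(alice_key, nonce, plaintext))
    return {
        "bob_reads": keystream_xor(bob_key, nonce, ct) == plaintext,
        "server_can_read": keystream_xor(server.key, nonce, ct) == plaintext,
    }


def end_to_end_meeting(plaintext):
    """Model matching the commonly accepted definition: the clients derive the key
    from a DH exchange; the server relays public values and ciphertext only."""
    server = RelayServer()
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A = server.relay(pow(G, a, P))              # Alice's public value transits the server
    B = server.relay(pow(G, b, P))              # Bob's public value transits the server
    alice_key = hashlib.sha256(pow(B, a, P).to_bytes(32, "big")).digest()
    bob_key = hashlib.sha256(pow(A, b, P).to_bytes(32, "big")).digest()
    nonce = secrets.token_bytes(12)
    ct = server.relay(keystream_xor(alice_key, nonce, plaintext))
    # The server's best effort: it holds A, B and the ciphertext but neither private
    # exponent. Combining the public values yields g^(a+b), not the shared g^(ab).
    server_guess = hashlib.sha256((A * B % P).to_bytes(32, "big")).digest()
    return {
        "bob_reads": keystream_xor(bob_key, nonce, ct) == plaintext,
        "server_can_read": keystream_xor(server_guess, nonce, ct) == plaintext,
        "server_saw_plaintext": plaintext in server.observed,
    }


if __name__ == "__main__":
    print("server-managed:", server_managed_meeting(b"quarterly numbers"))
    print("end-to-end:   ", end_to_end_meeting(b"quarterly numbers"))
```

The practical reading of Gal's post is the first model: "robust internal controls" govern whether the key is used, not whether it exists on the server. Moving key management on-premises, as the post promises, changes who holds the key but is still not the second model unless the clients themselves derive it.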
We learned last summer that Zoom used hacker-like methods to bypass normal macOS security precautions. We thought that problem had been fixed along with the security flaw it created.
But a series of tweets March 30 from security researcher Felix Seele, who noticed that Zoom installed itself on his Mac without the usual user authorization, reveals that there's still an issue.
"They (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed)," Seele wrote.
"The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware." (Seele elaborated in a more user-friendly blog post here.)
Zoom founder and CEO Eric S. Yuan tweeted a friendly response.
"To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others," Yuan wrote. "Your point is well taken and we will continue to improve."
UPDATE: In a new tweet April 2, Seele said Zoom had released a new version of the Zoom client for macOS that "completely removes the questionable 'preinstall'-technique and the faked password prompt."
"I must say that I am impressed. That was a swift and comprehensive reaction. Good work, @zoom_us!" Seele added.
STATUS: Fixed.
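Seele's finding can be checked on any macOS installer package before it is deployed: expand it with `pkgutil --expand`, unpack the `Scripts` archive, and read the preinstall and postinstall scripts for signs that the script, not the installer, is doing the installing. The following is an added example of that audit (not code from the article or from Zoom); the patterns are heuristics, the package layout under `Scripts/` is assumed, and the demo package it builds is constructed for illustration. The misleading password prompt Seele describes lives in the app itself and cannot be found by reading scripts.

```python
import os
import re
import tempfile

# Heuristic markers of a preinstall script that performs the install itself:
# a bundled archive extractor, writes into /Applications, and an admin-group
# check used to skip asking for consent. Patterns are assumptions, not a spec.
SUSPICIOUS_PATTERNS = {
    "bundled_extractor": re.compile(r"\b7z[ar]?\b|\bunzip\b|\bditto\b"),
    "writes_applications": re.compile(r"/Applications\b"),
    "admin_group_check": re.compile(r"\bgroups\b.*\badmin\b|\bdseditgroup\b"),
}


def audit_install_scripts(expanded_pkg_dir):
    """Walk a package expanded with `pkgutil --expand` (scripts already unpacked)
    and return {script_path: [finding, ...]} for each preinstall/postinstall that
    looks like it installs the app on its own."""
    findings = {}
    for root, _dirs, files in os.walk(expanded_pkg_dir):
        for name in files:
            if name not in ("preinstall", "postinstall"):
                continue
            path = os.path.join(root, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            if hits:
                findings[path] = hits
    return findings


def build_demo_package(base_dir):
    """Constructed layout (not a real Zoom package): one component whose preinstall
    script unpacks a bundled 7z archive straight into /Applications when the
    current user is in the admin group, mirroring Seele's description."""
    scripts = os.path.join(base_dir, "demo.pkg", "Scripts")
    os.makedirs(scripts, exist_ok=True)
    with open(os.path.join(scripts, "preinstall"), "w") as fh:
        fh.write("#!/bin/sh\n"
                 "if groups | grep -q admin; then\n"
                 "  ./7zr x app.7z -o/Applications >/dev/null\n"
                 "fi\n")
    return base_dir


def run_demo():
    """Build the constructed package in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_package(tmp)
        return sorted(audit_install_scripts(tmp).values())


if __name__ == "__main__":
    print(run_demo())
```

A clean package produces an empty dictionary; anything reported deserves a manual read of the script, since legitimate packages do occasionally touch `/Applications` in a postinstall step.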
Plenty of "others" could indeed use Zoom's dodgy installation methods, renowned Mac hacker Patrick Wardle said in a blog post March 30.
Wardle demonstrated how a local attacker -- such as a malicious human or already-installed malware -- could use Zoom's magical powers of unauthorized installation to "escalate privileges" and gain total control over the machine without knowing the administrator password.
Wardle also showed that a malicious script installed into the Zoom Mac client could give any piece of malware Zoom's webcam and microphone privileges, which do not prompt the user for authorization and could turn any Mac with Zoom installed into a potential spying device.
"This affords malware the ability to record all Zoom meetings, or simply spawn Zoom in the background to access the mic and webcam at arbitrary times," Wardle wrote.
UPDATE: Yuan's blog post says Zoom has fixed these flaws.
STATUS: Fixed.
Zoom automatically puts everyone sharing the same email domain into a "company" folder where they can see each other's information.
Exceptions are made for people using large webmail clients such as Gmail, Yahoo, Hotmail or Outlook.com, but not apparently for smaller webmail providers that Zoom might not know about.
Several Dutch Zoom users who use ISP-provided email addresses suddenly found that they were in the same "company" with dozens of strangers -- and could see their email addresses, user names and user photos.
STATUS: Unknown.
Several privacy experts, some working for Consumer Reports, pored over Zoom's privacy policy and found that it apparently gave Zoom the right to use Zoom users' personal data and to share it with third-party marketers.
Following a Consumer Reports blog post, Zoom quickly rewrote its privacy policy, stripping out the most disturbing passages and asserting that "we do not sell your personal data."
STATUS: Unknown. We don't know the details of Zoom's business dealings with third-party advertisers.
Does all this mean that Zoom is unsafe to use? No.
You just need to be aware that the Zoom software creates a huge "attack surface," as security professionals like to say, and that hackers are going to try to come at it every way they can. They're already registering lots of Zoom-related phony domains and developing Zoom-themed malware.
The upside is that if lots of flaws in Zoom are found now and fixed soon, then Zoom will be the better -- and safer -- for it.
"Zoom will soon be the most secure conferencing tool out there," wrote tech journalist Kim Zetter on Twitter April 1. "But too bad they didn't save themselves some grief and engage in some security assessments of their own to avoid this trial by fire."
In a blog post April 1, Zoom CEO and founder Eric S. Yuan acknowledged Zoom's growing pains and pledged that all regular development of the Zoom platform would be put on hold while the company worked to fix security and privacy issues.
"We recognize that we have fallen short of the community's -- and our own -- privacy and security expectations," Yuan wrote, explaining that Zoom was originally developed for large businesses that had in-house IT staffers who could set up and run the software.
"We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived," he said. "These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones."
To deal with these issues, Yuan wrote, Zoom would be "enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues."
Among other things, Zoom would also be "conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases."
Privacy researcher Patrick Jackson noticed that Zoom meeting recordings saved to the host's computer generally get a certain type of file name. So he searched unprotected cloud servers to see if anyone had uploaded Zoom recordings and found more than 15,000 unprotected examples, according to The Washington Post. Jackson also found some recorded Zoom meetings on YouTube and Vimeo.
This isn't really Zoom's fault. It's up to the host to decide whether to record a meeting, and Zoom gives paying customers the option to store recordings on Zoom's own servers.
If you host a Zoom meeting and decide to record it, change the default file name after you're done, and don't upload the recording to cloud storage that isn't locked down to the people who need it.
STATUS: Not really Zoom's problem, to be honest.
You can find open Zoom meetings by rapidly cycling through possible Zoom meeting IDs, a security researcher told independent security blogger Brian Krebs.
The researcher got past Zoom's per-address scan blocker by routing his queries through Tor, so each request arrived from a different exit node's IP address. It's a variation on "war dialing", the dial-up-era practice of calling telephone numbers in bulk to find answering modems.
The researcher told Krebs that he could find about 100 open Zoom meetings every hour with the tool, and that "having a password enabled on the [Zoom] meeting is the only thing that defeats it."
STATUS: Unknown.
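Any blocker that counts lookups per source address is defeated by the Tor trick above, because each guess arrives from a different exit node. The detection that survives it counts distinct missed meeting IDs across all sources in a time window. The following is an added example of both checks side by side (not code from the article, from Krebs's source, or from Zoom); the log format and the synthesized one-minute window of join attempts are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not Zoom's): one join attempt per line.
#   <ISO time> src=<ip> meeting=<id> result=<joined|not_found|password_required>
LINE_RE = re.compile(r"^(\S+) src=(\S+) meeting=(\d+) result=(\w+)$")


def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_sample_log(n_probes=60):
    """Synthesise one minute of traffic: two legitimate attempts plus n_probes
    guesses at sequential meeting IDs, each from a different source address,
    the way requests look when they exit Tor."""
    base = datetime(2020, 4, 1, 10, 0, 0)
    lines = ["%s src=198.51.100.7 meeting=4180012345 result=joined" % fmt(base)]
    for i in range(n_probes):
        ip = "192.0.2.%d" % (i % 200 + 1)              # a fresh address every request
        lines.append("%s src=%s meeting=%d result=not_found"
                     % (fmt(base + timedelta(seconds=i)), ip, 4180099000 + i))
    lines.append("%s src=203.0.113.9 meeting=4180012345 result=password_required"
                 % fmt(base + timedelta(seconds=30)))
    return "\n".join(lines)


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   m.group(2), m.group(3), m.group(4))


def detect_enumeration(log_text, per_ip_threshold=20, global_threshold=20):
    """Per one-minute window, compare the naive per-IP rule with a global rule
    keyed on distinct meeting IDs that came back not_found."""
    per_ip = defaultdict(lambda: defaultdict(set))   # window -> ip -> {missed ids}
    global_ids = defaultdict(set)                      # window -> {missed ids}
    for ts, ip, meeting_id, result in parse(log_text):
        if result != "not_found":
            continue
        window = ts.replace(second=0, microsecond=0)
        per_ip[window][ip].add(meeting_id)
        global_ids[window].add(meeting_id)
    verdicts = {}
    for window, ids in global_ids.items():
        busiest = max(len(s) for s in per_ip[window].values())
        verdicts[window] = {
            "per_ip_alert": busiest >= per_ip_threshold,   # what a per-address blocker sees
            "global_alert": len(ids) >= global_threshold,  # what survives Tor
            "distinct_missed_ids": len(ids),
            "busiest_source_misses": busiest,
        }
    return verdicts


if __name__ == "__main__":
    for window, verdict in detect_enumeration(make_sample_log()).items():
        print(fmt(window), verdict)
```

One caveat on the researcher's remark that a password "defeats" the scan: a password stops the scanner from joining, but a `password_required` response still tells it that the meeting exists, so the global rule above should count those too if the goal is to spot the scan rather than just the intrusions.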
Two Twitter users pointed out that if you're in a Zoom meeting and use a private window in the meeting's chat app to communicate privately with another person in the meeting, that conversation will be visible in the end-of-meeting transcript the host receives.
STATUS: Unknown.
Read the rest here:
Zoom privacy and security issues: Here's everything that's wrong (so far) - Tom's Guide