During the outbreak, telecommuting has become a new necessity, and use of cloud video conferencing has grown with it. According to a report by App Store intelligence firm Sensor Tower, Zoom’s downloads topped the global charts in February and March, and downloads in the US, the UK and the rest of Europe have remained high.
In its record week, Zoom’s US downloads were 14 times its average weekly downloads in the fourth quarter of 2019. In the UK the figure was more than 20 times the fourth-quarter weekly average, in France 22 times, in Germany 17 times, in Spain 27 times and in Italy 55 times, so Zoom has deservedly become the go-to remote-work software abroad.
However, Zoom has recently been exposed as having security flaws. Even the FBI has issued a warning about it, and NASA and SpaceX have told employees to stop using it. So what did Zoom, the “dark horse” of video conferencing, do wrong?
More than one security flaw
On March 26, Motherboard reported that when the Zoom app is downloaded or opened on iOS, the Facebook SDK (Software Development Kit) embedded in the app sends Facebook information about the user’s phone model, time zone, city, carrier and advertising identifier. The iOS version of Zoom does not disclose in advance that user data is shared with Facebook, and the data is sent even if the user has no Facebook account.
Zoom later acknowledged the issue and said it would remove Facebook’s SDK and reconfigure the feature in the near term.
Coincidentally, on March 31, another vulnerability in Zoom’s feature settings was reported by the same Motherboard author.
The Windows version of the Zoom client reportedly has a security vulnerability that can be exploited through UNC path injection. Zoom’s Company Directory shows the names, avatars and email addresses of colleagues who use the same email domain, which the system determines automatically, sparing users the hassle of adding colleagues one by one. But it also poses a risk: a user who registers with a personal email address may see strangers who share the same email domain, and an attacker can exploit a vulnerability in the chat module to steal the Windows login credentials of any user who clicks a link.
The researchers say the vulnerability could give a local, non-privileged attacker root-level privileges and access to the victim’s microphone and camera.
In addition to stealing Windows login credentials, the researchers also showed that UNC injection can be used to launch programs on the local computer, such as the CMD command prompt, when a link is clicked.
Fortunately, this vulnerability affects only the Windows Zoom client. On Apple’s macOS, the Zoom client does not allow such links to take effect.
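The root of the Windows chat issue above is a linkifier that turned UNC paths into clickable links. The following is an added example, not Zoom’s code: a message renderer that escapes HTML, hyperlinks only http(s) URLs, and exposes the UNC paths in a message so a server-side filter can flag them. The regexes and function names are assumptions for illustration.

```python
import html
import re

# Constructed example, not Zoom's code. In the Windows client described above a pasted
# \\host\share path became a hyperlink; a defensive renderer never auto-links such paths.
UNC_PATH = re.compile(r"\\\\[^\s\\/]+\\[^\s]*")   # \\server\share\...
HTTP_URL = re.compile(r"https?://[^\s<>\"']+")    # the only pattern that gets hyperlinked


def find_unc_paths(text: str) -> list:
    """Return every UNC path found in a chat message, for flagging or auditing."""
    return UNC_PATH.findall(text)


def linkify(text: str) -> str:
    """Render a chat message as HTML: escape everything, then hyperlink http(s) URLs only.

    UNC paths (and anything else) stay inert text, so clicking cannot trigger an SMB
    connection to an attacker-chosen host.
    """
    escaped = html.escape(text, quote=True)
    return HTTP_URL.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', escaped)


def link_count(rendered: str) -> int:
    """Number of anchors produced by linkify(); handy for policy checks in tests."""
    return rendered.count("<a ")


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in (r"report is at \\fileserver\share\doc.txt", "see https://example.com/x?a=1&b=2"):
        print(find_unc_paths(msg), "->", linkify(msg))
```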
Notably, the FBI’s Boston office issued a warning about Zoom on Monday local time, advising users not to hold public meetings or share links widely on Zoom, and citing several earlier incidents in which unidentified people broke into online school classes.
In an email to employees on March 28, SpaceX asked employees to stop using Zoom immediately. “We know that many of us are using this tool for meetings,” the letter said. “But use email, text messages, or phone calls as an alternative to communication.”
Meanwhile, NASA spokeswoman Stephanie Schierholz said NASA has banned employees from using Zoom.
So it is inevitable that some people ask: what has gone wrong with the “dark horse” of the video conferencing world?
Why has Zoom been exposed to security and privacy issues?
Zoom states on its website and in its security white paper that it supports end-to-end encryption of meetings. But a new study by security researchers suggests that this is not the case.
In fact, Zoom uses TLS encryption, the same transport encryption widely used for HTTPS, which means that traffic between the Zoom server and the individual user is encrypted. But “end-to-end encryption” usually means that content is fully protected between the users themselves and the company has no access to it, as with Signal or WhatsApp. Zoom does not provide this level of encryption, which makes its use of “end-to-end” highly misleading.
That is, although the connection between the user and the Zoom server is encrypted, nothing prevents Zoom itself from seeing the call. On privacy, however, Zoom says it collects only limited information such as the user’s operating system version, IP address and hardware, and that it neither lets employees access meeting content nor sells user data.
This is something of a contradiction.
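To make the transport-versus-end-to-end distinction concrete, here is an added model that is not Zoom’s protocol or code: a relay server sits between two participants, and the function that runs the exchange returns both what the recipient decrypts and what the server was able to see. seal/unseal form a toy authenticated stream cipher (HMAC-SHA256 keystream plus HMAC tag) that stands in for TLS on each hop and for a meeting key known only to the participants; all keys and messages are constructed.

```python
import hashlib
import hmac
import os

# Constructed model, not Zoom's implementation. seal/unseal is a toy AEAD-style cipher
# used only to make "who can read the bytes" visible; real deployments use TLS/SRTP.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag authenticating nonce and ciphertext."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def relay_transport_only(msg: bytes, tls_a: bytes, tls_b: bytes) -> tuple:
    """Hop-by-hop TLS: the server terminates Alice's session and opens a new one to Bob.
    Returns (what Bob reads, what the server held in the middle)."""
    from_alice = seal(tls_a, msg)
    seen_by_server = unseal(tls_a, from_alice)          # server holds plaintext here
    delivered = unseal(tls_b, seal(tls_b, seen_by_server))
    return delivered, seen_by_server


def relay_end_to_end(msg: bytes, meeting_key: bytes, tls_a: bytes, tls_b: bytes) -> tuple:
    """End-to-end: content is sealed with a key the server never has; TLS only wraps each hop.
    Returns (what Bob reads, what the server held in the middle)."""
    from_alice = seal(tls_a, seal(meeting_key, msg))
    seen_by_server = unseal(tls_a, from_alice)          # still ciphertext under meeting_key
    delivered = unseal(meeting_key, unseal(tls_b, seal(tls_b, seen_by_server)))
    return delivered, seen_by_server
```

In the transport-only run the server's copy equals the message; in the end-to-end run it is opaque ciphertext that only the meeting key opens.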
In addition, a default setting on Zoom allows any meeting participant to share their screen without the host’s permission, and anyone with the link to a public meeting can join. Security sources also reported that links to public Zoom meetings were being traded in Facebook groups and Discord chats, and were easily found on Twitter and public web pages.
This undoubtedly gives hackers a more convenient way in.
Netizens also asked: aren’t the domestic DingTalk and Tencent Meeting good enough?
How can users stay safe?
So how can those who continue to use Zoom for work stay safe? Security researchers offer some advice:
Be careful with e-mail messages and files from unknown senders.
Do not open unknown attachments or click links in emails. Beware of lookalike domain names, misspelled email addresses and websites, and unfamiliar senders.
Don’t sign in to Zoom with a social account: it saves time, but it is less secure and greatly increases the amount of personal data Zoom can access.
Use two devices during a Zoom call: if you’re participating in a Zoom call on your computer, use your phone to check email or chat with other call participants.
Keep the Zoom application up to date: Zoom removed the remote web server in the latest version of its application. If you recently downloaded Zoom, you don’t need to worry about this particular vulnerability.