Zoom Exposed Security Vulnerabilities as Coronavirus Makes It Popular

Since March, the global COVID-19 epidemic has been getting worse. Not only more and more big companies have sent their employees home to work remotely but also many schools have started online classes for its students during the lockdown. So, video conference apps like Zoom have surged in popularity. Although Zoom was designed for businesses and organizations to work over the Internet, many teachers turned to it for teaching online lessons.  Zoom’s daily active users jumped to 200 million from 10 million in December 2019.

This would have been Zoom’s perfect opportunity to expand its user base. However, it is a double-edged sword. Zoom faces a multi-party backlash as the security flaw was exposed one after another. It is impossible for Zoom to keep gaining popularity during the epidemic.

In reaction to a number of incidents of unidentified people hacking into the school’s online courses, the FBI‘s Boston office issued a warning about Zoom. It also warned users not to hold public meetings on Zoom or share Zoom meeting IDs on the Internet. In an email to its employees, SpaceX asked them to stop using Zoom immediately. Meanwhile, NASA also banned the use of Zoom among its staff, according to the spokeswoman Stephanie Schierholz. 

1. Zoom bombing

Because of Zoom’s default settings, someone can participate in and maliciously disrupt a video conference without being invited. Many Zoom meetings were forced to stop by malicious people. This is also called “Zoom bombing”.

2. Share user data with Facebook

On March 26, Motherboard reported that when a user installs and opens the Zoom app on iOS, the Facebook SDK embedded in the app sends user information to Facebook information, including users’ phone models, time zones, cities, ISPs and advertising IDs. The iOS version of  Zoom shares user data with Facebook, even if the user doesn’t have a Facebook account, without advance notice in the privacy policy. 

3. Leak users’ Windows credentials

On March 31, Motherboard revealed another security flaw that is found in Zoom’s settings.

The Windows Zoom client is vulnerable to UNC path injection attacks. Zoom’s “Company Directory” displays the names, photos and email addresses of colleagues using the same email domain, which makes it easier for you to find your colleagues. However, users who register with their personal emails may also be grouped with strangers using the same email domain. This can be exploited by attackers to steal the Windows login credentials of users.

The researchers say the vulnerability could give local, non-privileged attackers fundamental access and allow them to access the victim’s microphone and camera. In addition to stealing Windows login credentials, the researchers revealed that by clicking on a link, UNC injection can also be used to launch programs such as CMD command prompts on the local computer.

4. Video meetings aren’t actually end-to-end encrypted

Zoom claims to end-to-end encrypt its videos, which is widely regarded as the most private form of Internet communication. End-to-end encryption effectively protects users’ communications from third parties, including Zoom itself. 

According to The Intercept, however, Zoom actually only uses end-to-end encryption for the text content and part of audio content. While Zoom video meetings don’t support end-to-end encryption.

5. Route calls of some non-china user through China

Zoom was later revealed to occasionally direct data containing encryption keys through servers in China, even if the user is in North America. 

6. More security concerns

Some users also found that Zoom meeting managers had access to a great deal of regulatory information, including whether the participants’ Zoom window was active, whether other pages were opened in a short time, their IP addresses, device details, location, and so on. This has raised more concerns among Zoom users.

Zoom’s response to the security issues

Faced with security vulnerabilities and privacy backlashes, Zoom CEO Yuan Zheng (Eric Yuan) made a public apology on April 1. Zoom was committed to halt all new feature development for the next 90 days and to use all of its engineering resources to solve existing problems.

It has also taken action as quickly as possible to solve problems already found by users and researchers.

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.” 

How to avoid falling victims to Zoom’s security vulnerabilities?

Since Zoom has been exposed so many security vulnerabilities, many people may choose to leave Zoom and find the best alternatives to Zoom. But there are still many people keep on using Zoom. To use Zoom safely while keeping social distancing, adopt the following security tips from security researchers:   

• Pay attention to emails and files from unknown sources. Don’t download suspicious attachments or click on malicious links in emails. Beware of similar domain names, misspelled emails and websites, and unfamiliar email senders. 
• Do not log in to Zoom with a social account. Although it saves your time, it is not secure and gives Zoom access to more of your personal data. Besides, you should also set a strong password for your Zoom account and enable two-factor authentication.
• Start password-protected meetings and don’t share meeting IDs on social media networks.

• Use another device to check email or chat with other participants while attending video meetings on Zoom.
• Last but not least, raise your awareness of security and make use of a VPN. It is very essential and the most fundamental security tip.