Looking for:
Zoom security issues: What's gone wrong and what's been fixed | Tom's Guide.
Zoom | Privacy and Security - 2. Unsecure Desktop Apps
Zoom Products do not include products developed by Zoom that are covered zoom meeting program download a separate privacy policy listed here. Personal data is any information from or about an identified or identifiable person, including information that Zoom can associate with an individual person. Andd may collect, or process on behalf of our customers, the following categories of personal data when you use or interact with Zoom Products:. Zoom employees zoom app and privacy ad access meeting, webinar, or messaging content specifically, audio, video, files, and messages unless directed by an account owner, or as required for legal, safety, or security reasons, as discussed below.
Zoom uses personal data to conduct the following activities:. Zoom uses advanced tools to ap scan content such as virtual backgrounds, zoom app and privacy images, and files uploaded or exchanged through chat, for the purpose of detecting and preventing violations of our terms or policies and illegal or other harmful activity, and its employees may investigate such content where required for legal, safety, or security reasons.
Zoom provides personal data to third parties only with consent or in one of the following circumstances subject to your prior consent where required under applicable law :. When you send messages privavy join meetings and webinars on Zoom, other people and organizations, including third parties outside the meeting, webinar, or message, may be able to see content and information that you share:. Otherwise, at your request, and as required by applicable law, we will:.
In order to exercise any of your rights as to personal data controlled by Zoom, please click here. Where legally permitted, we may decline to process requests that are unreasonably repetitive or systematic, require zoom cloud meeting app download free - zoom cloud meeting app download free technical effort, ziom jeopardize the privacy of others.
As an account owner or a user under a aand account, you may also take steps to affect apo personal data by visiting your account and modifying your personal data directly. To exercise your rights, please click here. If you have any privacy-related questions or privady related to this Privacy Statement, please send an email to privacy zoom.
Zoom Video Zoom app and privacy, Inc. You can contact our Data Protection Officer by sending an email to privacy zoom.
We retain personal data for as long перейти на страницу required to engage in the uses described in this Privacy Statement, unless a longer retention period privzcy required by applicable law. If you are in народ! zoom centre download собой EEA, Switzerland, or the UK, your rights provacy zoom app and privacy to your personal wpp processed by us as a controller specifically include:.
If you have any other questions about our anr of your personal data, please send a request at the contact details specified in the How zoom app and privacy Contact Us section of this Privacy Statement.
Please note that we may request you to provide us with additional information in order to confirm your ap and ensure that you are entitled to access the relevant personal data. You also have the right to lodge a complaint to a data protection authority. For more information, please contact your local data protection authority. We only use your information in a lawful, transparent, and fair manner. Depending on the specific personal data concerned and the factual context, when Zoom processes personal data as a controller for individuals in regions such as the EEA, Switzerland, and the UK, we rely on the following zoom app and privacy bases as applicable in your jurisdiction:.
Zoom operates globally, which means personal data may be transferred, stored for example, in zpom data centerand processed outside of ;rivacy country or region where it spp initially collected where Zoom or its service providers have customers or facilities — including in countries ane meeting participants or account owners hosting meetings or webinars that you participate in a;p receiving ap that you send are based.
Therefore, by using Zoom Products or providing personal data for any of the purposes stated above, you acknowledge that your personal data may be transferred to or stored in the United States where we are established, as well as in other countries outside of the EEA, Switzerland, and the UK. Such countries may have data protection rules that are different and less protective than those of your country.
We protect your personal data in accordance with this Privacy Statement wherever it is processed and take appropriate pricacy or other steps to zoom app and privacy it under applicable laws.
Please contact us if you would like further information in that respect. Zoom will not discriminate against you for exercising any of these rights, which is further in line with your rights under the CCPA. To opt out of the use of cookies on our sites for interest-based advertising purposes, follow the instructions above.
We will acknowledge receipt of your request within 10 business days, and provide a substantive response within 45 calendar days, or inform you zoom app and privacy the reason and extension period up to 90 days in writing.
Under the CCPA, only you or an authorized agent may make a request related appp your personal data. Note that to respond to your requests to access or delete personal data under the CCPA, we must verify your identity. You zoom app and privacy designate an authorized agent to submit your verified consumer request by providing pprivacy permission and verifying your identity, or through proof of power of attorney. California Civil Code Section If we make material changes to this Privacy Statement, we will notify you and provide you an opportunity to review before you choose to continue using our Products.
Zoom Privacy Statement Last updated: December 15, We may collect, or process on behalf of our customers, the following categories of personal data when you use or interact with Zoom Products: Account Information pirvacy Information associated with an account that licenses Zoom Products, which may include administrator name, contact information, account ID, billing information, and account plan information. Profile and Participant Information: Information associated privacj the Zoom prigacy of a user who uses Zoom Products zoom app and privacy a licensed account or that is provided by an unlicensed participant joining a meeting, which may include name, display name, picture, email address, phone number, job information, stated locale, snd ID, or other information provided by the user or their account owner.
Contacts and Calendar Integrations : Contact information added by accounts or their users to create contact lists on Zoom Products, which may include contact information a user integrates from a third-party app. Users can also integrate their calendars from other services with zoom app and privacy Zoom profile or account.
Settings : Information associated with the preferences and settings on a Zoom account or user profile, which may include audio and video settings, recording file location, screen sharing settings, and other settings and configuration information.
Registration Information : Information people provide when registering for a Zoom meeting, webinar or recording, which may include name and contact information, responses to registration questions, and other registration information requested by the host. Device Information : Information about the computers, zoom app and privacy, and other devices people use when interacting with Zoom Products, which may include information about the speakers, microphone, camera, OS version, hard disk ID, PC name, MAC address, IP address which may be used to zoom app and privacy general location at a city or country level перейти на страницу, device attributes like operating system version and zooom levelWiFi zooom, and other device information like Bluetooth signals.
Communications with Zoom: Information about your communications with Zoom, including relating to support questions, your account, and other inquiries. Zoom may also obtain information from third-party advertising partners who deliver ads displayed on Zoom Products, such as whether you clicked on an ad they showed you.
Zoom uses personal data to conduct the following activities: Provide Zoom Products and Services: To apl Products, features, and services to account owners, their users, and those they invite to join meetings and webinars hosted on their accounts, including to customize Zoom Product features and recommendations for accounts or their users. Zoom also uses personal data, including contact information, to route invitations and messages to recipients when people send invitations and messages using Zoom Products.
This may also zoom app and privacy using personal data for customer support, which may include accessing audio, video, files, and messages, at the direction zoom app and privacy the account owner or their users. We also use personal data to zomo our relationship and contracts with account owners, including billing, compliance with contractual obligations, and related administration.
Product Research and Development: Abd develop, test, по ссылке improve Zoom Products, including, for example, content-related features such as background filtersand to troubleshoot products and features. We may also use cookies or similar technology, including from third-party advertising partners, to show you ads within Zoom Ссылка на подробности about products, services, or causes from third parties. Zoom does NOT use meeting, webinar, or messaging content specifically, audio, video, files, and messages for zom marketing, promotions or third-party advertising purposes.
Authentication, Integrity, Security, and Safety: To authenticate accounts and activity, detect, investigate, and prevent malicious conduct or unsafe experiences, address security threats, protect public safety, and secure Zoom Products. Communicate with You: We use personal data including contact information rpivacy communicate with you about Zoom Products, features, and services, including product updates, your account, and changes to our policies and terms.
We also use your information anf respond to you when you contact us. Legal Reasons: To comply with applicable law or respond to valid legal process, including from law enforcement or government agencies, to investigate or participate in civil discovery, litigation, or other adversarial legal proceedings, and to enforce or investigate potential violations of our Terms of Service or policies. Zoom provides personal data to third parties only with consent or in one of the following circumstances subject to your prior consent where required under applicable law : Resellers: If an zoom app and privacy owner licensed or purchased Zoom Products from a third-party reseller of Zoom Products, the reseller may be able to access personal data and content for users, including meetings, webinars, and messages hosted by the account owner.
Vendors: Zoom works with third-party service providers to provide, support, and improve Zoom Products and xoom infrastructure, and zoom app and privacy business services such as payment processing. Zoom may also work with third-party service providers to provide advertisements and business analytics regarding Zoom Products.
These vendors can zoom app and privacy personal data subject to contractual and privacg requirements for protecting personal data zoom app and privacy prohibiting them from using personal data for any purpose other than to provide services to Zoom or as required by law. Marketing, Advertising, and Analytics Partners: Zoom uses third-party marketing, advertising, and analytics providers: to provide statistics and analysis about how people are using Zom Products and zoom app and privacy website; to provide advertising and marketing for Zoom Products, including targeted advertising based on your use of our website; and to show you third-party advertising within Zoom Products.
To ane out of our use of third-party cookies that share data with these partners, visit our cookie management tool, available here. Where pirvacy by law, Zoom will first obtain your consent before engaging in the marketing or advertising activities described. Corporate Affiliates: Ap; shares personal information with corporate affiliates, such as Zoom Voice Communications, Pgivacy.
When you send messages or join meetings and webinars on Zoom, other people and organizations, including third parties outside the meeting, webinar, or message, may be able to see content and information that you share: Account Owner: An account owner is the organization or individual that signs up for zoom app and privacy Zoom account.
The account owner and their users can invite others including guests not on their account to meetings or webinars hosted on their account.
Zoom gives account owners controls and features that they can use to determine whether certain types of content, such as recordings or pirvacy messages, can be created or a;p, and what third-party apps can be used, for meetings and webinars hosted on their account. Depending on their settings, account owners and the people they designate can zom personal data for people who join meetings and webinars on their account or send messages to users on their account.
Specifically, account owners may have access to: Account Usage: Product Usage: Information about how people and their devices interact with their account, which may include who sent messages to their users смотрите подробнее chat, email addresses, IP addresses, device information, and other information about who joined meetings or webinars on their account, whether users viewed or downloaded a recording, how long people participated in their meetings, the time a message приведенная ссылка sent, prjvacy about Zoom Phone integrations, and other usage information and feedback metrics.
Apl List: Information about the participants in a Zoom meeting, webinar, or chat, which may include name, display name, email address, phone number, and participant or user ID. Registration Information: Information provided during spp for a webinar, meeting, or recording hosted by the account. Zoom Chat Out-of-Meeting Messages: If enabled on their account, account owners can see zoom app and privacy about who sent and received out-of-meeting messages to users on their account along with information about the message for pricing reddit, date and time, and number of participants.
Depending on their settings, account owners also can see sender and receiver information, and other messaging data, along with the content zkom messages sent to and from users on their account, unless the account owner has enabled Advanced Chat Encryption.
They can also view a transcript of meeting audio, if enabled. Meeting Hosts and Participants : Hosts and other participants in a meeting may be able a;p see your email, display zoom app and privacy, and profile picture. Webinar Panelists and Attendees: Only panelists may be visible to attendees during a webinar, but attendees who agree to unmute can be heard by other attendees.
If an attendee agrees to become a panelist during a spp, they may be visible to other zoom app and privacy, depending on settings. Livestreams: Meeting and zoom app and privacy hosts can choose to livestream to a third-party site or service, which means anyone with access to the livestream will be able to see the meeting or webinar. Third-Party Apps and Integrations: Account owners can choose to add third-party apps to their account and the Zoom Products they use, including via use of the Zoom App Marketplace, and ans can also control whether their users can add and use specific third-party apps, including in meetings, webinars, zopm chats hosted on their account.
Depending on their settings, account owners and their users and guests can share your personal data and content на этой странице third-party apps and integrations they approve, which may include all of the personal data available to account owners, hosts, and pap listed above, such as account information, profile and contact information, registration information, participants list, settings, content, product usage, and device information.
Zoom app and privacy participants in the meeting may be able to see the third-party app that you are using in a meeting, if the third-party app is receiving real-time features and zoon from the meeting.
Zoom app and privacy developers may also integrate or embed Zoom meetings into their website or app experiences or build versions of Zoom that enable access to Zoom Products from a third-party app. Children Zoom does zoom app and privacy allow children under the age of 16 to sign up for a Zoom account. How to Contact Us To exercise your rights, please click here. You can also contact us by writing to the following address: Zoom Video Communications, Inc.
Retention We retain personal data for as long as required to engage in zoom app and privacy uses described in this Zoo, Statement, unless a longer retention period is required by applicable law. The criteria used to determine our retention periods include the following: The length of time we have an ongoing relationship with you and provide Zoom Products to you for example, for as long as you have an account with us or keep using our Products ; Whether account owners modify or their users delete information through their accounts; Whether we have a legal obligation to keep the data for example, certain laws require us to keep records privaxy your wnd for a certain period of time before zoom app and privacy can delete them ; or Whether retention is advisable in light of our legal position such as in regard to the enforcement of our agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation.
Legal Basis for Processing Personal Data We only use your information in a lawful, transparent, and fair manner. Depending on the specific personal data concerned zoom app and privacy the factual context, when Zoom processes personal data as a controller for individuals in regions such as the EEA, Switzerland, and the UK, we rely on the following legal bases as applicable in your jurisdiction: Zoom app and privacy necessary for our contract: When we enter into a contract directly with you, we process your personal data on the basis of our contract in order to prepare and enter into the contract, as well as zoom app and privacy perform and manage our contract i.
If we do not process your zoom app and privacy data for these purposes, we may not be able to provide you with all Products, features, and services; Consistent with specific revocable consents: We rely on your prior consent in order to utilize zoom app and privacy to engage zoom app and privacy and analytics partners to продолжение здесь tailored advertising and analysis of our website usage. You have the right zoom app and privacy withdraw your consent at any time by visiting our cookie management tool, available here ; As necessary to comply with our legal obligations: We process your personal data to comply with the legal obligations to which we are subject for the purposes of compliance with EEA laws, regulations, codes of practice, guidelines, or rules applicable to us, and for responses to requests from, and other communications with, competent EEA public, governmental, judicial, or other regulatory privxcy.
International Data Transfers Zoom operates globally, which means personal data may be transferred, stored for example, in a data centerand processed outside of the country or region where it was initially collected where Zoom or its service providers have customers or facilities — including in countries where meeting participants or account owners hosting meetings or webinars that you participate in or receiving messages that you send are based.
We do not sell your personal data in the conventional sense. However, like many companies, we use advertising services that try to tailor online privcy to your interests based on information collected via cookies and similar technologies about your online activity. This is called interest-based advertising. You can get more rpivacy and opt out of the use of cookies on our sites for interest-based advertising purposes by clicking the Do Not Sell My Pap Information link, also on our homepage, and setting your preferences.
You will need to set your preferences from each device and zoom app and privacy web browser from which you ap to opt out.
Zoom app and privacy
To opt out of advertising cookies, click on the "more info" option when you sign in to your Zoom account and are prompted to accept Zoom's cookies. You can opt out of Advertising cookies by unselecting that option. Despite these protections, users should use common sense and avoid sharing more information when necessary when using Zoom, especially when discussing confidential matters.
Additionally, as a user of Zoom, if you give Zoom access to any files or programs you need to manage cookies through your browser settings in the way you do with other applications. Skip to main content.
Privacy Considerations When Using Zoom. This guidance applies to administrative meetings; guidelines for use of Zoom for instruction can be viewed here A. This document provides basic guidance on how to protect your privacy and the privacy of others when using Zoom Click on the hyperlinks throughout this document for quick access to important use instructions.
Managers should avoid requiring staff to use Zoom meeting settings that leave staff living areas visible. Select only appropriate virtual backgrounds. Be mindful of others in your remote location who may not wish to be visible or recorded in the background. Also consider if all participants need to be visible as limiting the meeting to a single video stream can ease bandwidth concerns for participants.
Ensure sensitive conversations cannot be overheard or work observed by unauthorized persons. Before screen sharing, close all applications, emails and documents that you will not use in that session. Managing Whose Screen is Visible : Zoom default settings for the campus are set to limit screen sharing to the host.
The host can also allow screen sharing by participants. Options are available by clicking on the up arrow by the Share Screen icon. The host should remind participants not to share other sensitive information during the meeting inadvertently. You can generate a new access code for each meeting. Dropbox staffers used Zoom regularly, and Dropbox was an investor in Zoom. The Times reported that Dropbox would confirm the flaws, then pass them along to Zoom so that Zoom could fix them.
Zoom-meeting video recordings saved on Zoom's cloud servers can be easily discovered and often viewed, a security researcher told Cnet opens in new tab. Phil Guimond opens in new tab noticed that online recordings of Zoom meetings have a predictable URL structure and are thus easy to find.
The Washington Post reported last week on a similar issue with Zoom recordings that had been uploaded by users to third-party cloud servers. In those cases, the file names of meeting recordings followed a predictable pattern. Until Zoom pushed out a series of updates opens in new tab this past Tuesday, Zoom meeting recordings were not required to be password-protected.
Guimond built a simple tool that automatically searches for Zoom meeting recordings and tries to open them. If a meeting has a password, his tool tries to brute-force access by running through millions of possible passwords.
If a meeting recording is viewable, so is the Zoom meeting ID, and the attacker might be able to access future recurring meetings. But, Guimond said, the URL pattern is still the same, and attackers could still try to open each generated result manually. Zoom announced it was hiring Luta Security opens in new tab , a consulting firm headed by Katie Moussouris, to revamp Zoom's "bug bounty" program, which pays hackers to find software flaws.
Moussouris set up the first bug-bounty programs at Microsoft and the Pentagon. In her own blog post opens in new tab , she announced that Zoom was bringing in other well-regarded information-security firms and researchers to improve its security. In its weekly webinar, according to ZDNet opens in new tab , Zoom also said it would also let meeting hosts report abusive users, and newly hired security consultant Alex Stamos said Zoom would be switching to a more robust encryption standard after Zoom's existing encryption was found to be lacking.
In other news, a congressman has complained that a congressional briefing held over Zoom on April 3 was "zoom-bombed" opens in new tab at least three times. The head of Standard Chartered, a London-based multinational bank, has warned employees to not use Zoom or Google Hangouts for remote meetings, citing security concerns, according to Reuters opens in new tab. Standard Chartered primarily uses the rival Blue Jeans video-conferencing platform, according to two bank staffers who spoke anonymously.
Hackers are apparently offering to sell two "zero-day" exploits in Zoom to the highest bidder, Vice opens in new tab reports. Zero-days are hacks that take advantage of vulnerabilities the software maker doesn't know about, and which users have little or no defense against.
Sources who told Vice about the zero-days said one exploit is for Windows and lets a remote attacker get full control of a target's computer. The catch is that the attacker and the target have to be on the same Zoom call.
This is a reaction to the discovery earlier in April that many Zoom meetings hosted by and involving U. Usernames and passwords for more than , Zoom accounts are being sold or given away in criminal marketplaces.
These accounts were not compromised as the result of a Zoom data breach, but instead through credential stuffing. That's when criminals try to unlock accounts by re-using credentials from accounts compromised in previous data breaches. It works only if an account holder uses the same password for more than one account.
Researchers from IngSights discovered a set of 2, Zoom login credentials being shared in a criminal online forum. Maor told Threatpost opens in new tab it didn't seem like the credentials came from a Zoom data breach, given their relatively small number.
It's also possible that some of the credentials were the result of "credential stuffing. Information-security researchers know of several Zoom "zero-day" exploits opens in new tab , according to Vice. Zero-days are exploits for software vulnerabilities that the software maker doesn't know about and hasn't fixed, and hence has "zero days" to prepare before the exploits appear. However, one Vice source implied that other video-conferencing solutions also had security flaws.
Another source said that Zoom zero-days weren't selling for much money due to lack of demand. Criminals are trading compromised Zoom accounts on the "dark web," Yahoo News opens in new tab reported. This information apparently came from Israeli cybersecurity firm Sixgill, which specializes in monitoring underground online-criminal activity. We weren't able to find any mention of the findings on the Sixgill website opens in new tab.
Sixgill told Yahoo it had spotted compromised Zoom accounts that included meeting IDs, email addresses, passwords and host keys. Some of the accounts belonged to schools, and one each to a small business and a large healthcare provider, but most were personal. If you have a Zoom account, make sure its password isn't the same as the password for any other account you have.
Researchers at Trend Micro opens in new tab discovered a version of the Zoom installer that has been bundled with cryptocurrency-mining malware , i. The Zoom installer will put Zoom version 4. By the way, the latest Zoom client software for Windows is up to version 4. The coin-miner will ramp up your PC's central processor unit, and its graphics card if there is one, to solve mathematical problems in order to generate new units of cryptocurrency.
To avoid getting hit with this malware, make sure you're running one of the best antivirus programs, and don't click on any links in emails, social media posts or pop-up messages that promise to install Zoom on your machine.
It can't stop other people from copying and redistributing its installation software. Not only does Zoom mislead users about its "end-to-end encryption" see further down , but its seems to be flat-out, um, not telling the truth about the quality of its encryption algorithm.
Zoom says it use AES encryption to encode video and audio data traveling between Zoom servers and Zoom clients i. But researchers at the Citizen Lab opens in new tab at the University of Toronto, in a report posted April 3, found that Zoom actually uses the somewhat weaker AES algorithm. Even worse, Zoom uses an in-house implementation of encryption algorithm that preserves patterns from the original file. It's as if someone drew a red circle on a gray wall, and then a censor painted over the red circle with a while circle.
You're not seeing the original message, but the shape is still there. Yuan opens in new tab acknowledged the encryption issue but said only that "we recognize that we can do better with our encryption design" and "we expect to have more to share on this front in the coming days.
In Zoom's announcement of the upcoming April 26 desktop-software update, Zoom said it would be upgrading the encryption implementation opens in new tab to a better format for all users by May Good software has built-in anti-tampering mechanisms to make sure that applications don't run code that's been altered by a third party. Zoom has such anti-tampering mechanisms in place, which is good.
But those anti-tampering mechanisms themselves are not protected from tampering, said a British computer student who calls himself " Lloyd opens in new tab " in a blog post April 3.
Needless to say, that's bad. Lloyd showed how Zoom's anti-tampering mechanism can easily be disabled, or even replaced with a malicious version that hijacks the application. If you're reading this with a working knowledge of how Windows software works, this is a pretty damning passage: "This DLL can be trivially unloaded, rendering the anti-tampering mechanism null and void.
The DLL is not pinned, meaning an attacker from a 3rd party process could simply inject a remote thread. In other words, malware already present on a computer could use Zoom's own anti-tampering mechanism to tamper with Zoom. Criminals could also create fully working versions of Zoom that have been altered to perform malicious acts. Anyone can "bomb" a public Zoom meeting if they know the meeting number, and then use the file-share photo to post shocking images, or make annoying sounds in the audio.
The FBI even warned about it opens in new tab a few days ago. The host of the Zoom meeting can mute or even kick out troublemakers, but they can come right back with new user IDs. The best way to avoid Zoom bombing is to not share Zoom meeting numbers with anyone but the intended participants. You can also require participants to use a password to log into the meeting. On April 3, the U. Attorney's Office for the Eastern District of Michigan said that "anyone who hacks into a teleconference can be charged with state or federal crimes.
Zoom automatically puts everyone sharing the same email domain into a "company" folder where they can see each other's information. Exceptions are made for people using large webmail clients such as Gmail, Yahoo, Hotmail or Outlook. Several Dutch Zoom users who use ISP-provided email addresses suddenly found that they were in the same "company" with dozens of strangers -- and could see their email addresses, user names and user photos.
STATUS: Unresolved, but an April 19 Zoom software update opens in new tab for Zoom web-interface users makes sure users on the same email domain can no longer automatically search for each other by name. The Zoom desktop client software will get similar fixes April Several privacy experts, some working for Consumer Reports, pored over Zoom's privacy policy and found that it apparently gave Zoom the right to use Zoom users' personal data and to share it with third-party marketers.
Following a Consumer Reports opens in new tab blog post, Zoom quickly rewrote its privacy policy, stripping out the most disturbing passages and asserting that "we do not sell your personal data.
We don't know the details of Zoom's business dealings with third-party advertisers. You can find open Zoom meetings opens in new tab by rapidly cycling through possible Zoom meeting IDs, a security researcher told independent security blogger Brian Krebs. The researcher got past Zoom's meeting-scan blocker by running queries through Tor, which randomized his IP address. It's a variation on "war driving" by randomly dialing telephone numbers to find open modems in the dial-up days.
The researcher told Krebs that he could find about open Zoom meetings every hour with the tool, and that "having a password enabled on the [Zoom] meeting is the only thing that defeats it. Two Twitter opens in new tab users opens in new tab pointed out that if you're in a Zoom meeting and use a private window in the meeting's chat app to communicate privately with another person in the meeting, that conversation will be visible in the end-of-meeting transcript the host receives.
A Kurdish security researcher opens in new tab said Zoom paid him a bug bounty -- a reward for finding a serious flaw -- for finding how to hijack a Zoom account if the account holder's email address was known or guessed.
The researcher, who calls himself "s3c" but whose real name may be Yusuf Abdulla, said if he tried to log into Zoom with a Facebook account, Zoom would ask for the email address associated with that Facebook account.
Then Zoom would open a new webpage notifying him that a confirmation email message had been sent to that email address. The URL of the notification webpage would have a unique identification tag in the address bar.
As an example that's much shorter than the real thing, let's say it's "zoom. When s3c received and opened the confirmation email message sent by Zoom, he clicked on the confirmation button in the body of the message. This took him to yet another webpage that confirmed his email address was now associated with a new account. So far, so good. But then s3c noticed that the unique identification tag in the Zoom confirmation webpage's URL was identical to the first ID tag.
Let's use the example "zoom. The matching ID tags, one used before confirmation and the other after confirmation, meant that s3c could have avoided receiving the confirmation email, and clicking on the confirmation button, altogether.
In fact, he could have entered ANY email address -- yours, mine or billgates gmail. Then he could have copied the ID tag from the resulting Zoom notification page and pasted the ID tag into an already existing Zoom account-confirmation page.
And because Zoom lets anyone using a company email address view all other users signed up with the same email domain, e. Zoom is fortunate that s3c is one of the good guys and didn't disclose this flaw publicly before Zoom could fix it. But it's such a simple flaw that it's hard to imagine no one else noticed it before.
Zoom has released updates for its Windows , macOS and Linux desktop client software so that meeting IDs will not display onscreen during meetings. Yuan opens in new tab said that Zoom had discovered "a potential security vulnerability with file sharing, so we disabled that feature. Until this week, participants in a Zoom meeting could share files with each other using the meeting's chat function.
Those AES encryption keys are issued to Zoom clients by Zoom servers, which is all well and good, except that the Citizen Lab opens in new tab found several Zoom servers in China issuing keys to Zoom users even when all participants in a meeting were in North America.
Since Zoom servers can decrypt Zoom meetings, and Chinese authorities can compel operators of Chinese servers to hand over data, the implication is that the Chinese government might be able to see your Zoom meetings. That's got to be bad news for the British government, which has held at least one Cabinet meeting over Zoom. Yuan opens in new tab responded to the Citizen Lab report by saying that "it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.
We have since corrected this. Zoom advises meeting hosts to set up "waiting rooms" to avoid "Zoom bombing. The Citizen Lab said it found a serious security issue with Zoom waiting rooms opens in new tab , and advised hosts and participants to not use them for now. The Citizen Lab is not disclosing the details yet, but has told Zoom of the flaw. In a follow-up to their initial report opens in new tab. Zoom meetings have side chats in which participants can sent text-based messages and post web links.
That left Zoom chats vulnerable to attack. If a malicious Zoom bomber slipped a UNC path to a remote server that he controlled into a Zoom meeting chat, an unwitting participant could click on it.
The participant's Windows computer would then try to reach out to the hacker's remote server specified in the path and automatically try to log into it using the user's Windows username and password. The hacker could capture the password "hash" and decrypt it, giving him access to the Zoom user's Windows account. Mohamed A. Baset opens in new tab of security firm Seekurity said on Twitter that the same filepath flaw also would let a hacker insert a UNC path to a remote executable file into a Zoom meeting chatroom.
If a Zoom user running Windows clicked on it, a video posted by Baset showed, the user's computer would try to load and run the software. The victim would be prompted to authorize the software to run, which will stop some hacking attempts but not all. After Vice News exposed the practice, Zoom said it hadn't been aware of the profile-sharing and updated the iOS apps to fix this.
We learned last summer that Zoom used hacker-like methods to bypass normal macOS security precautions.
We thought that problem had been fixed then, along with the security flaw it created. But a series of tweets March 30 from security researcher Felix Seele, who noticed that Zoom installed itself on his Mac without the usual user authorizations, revealed that there was still an issue.
The same tricks that are being used by macOS malware. Yuan opens in new tab tweeted a friendly response. That was a swift and comprehensive reaction.
Zoom just released an update for the macOS installer which completely removes the questionable "preinstall"-technique and the faked password prompt. I must say that I am impressed. Other people could use Zoom's dodgy Mac installation methods, renowned Mac hacker Patrick Wardle opens in new tab said in a blog post March Wardle demonstrated how a local attacker -- such as a malicious human or already-installed malware -- could use Zoom's formerly magical powers of unauthorized installation to "escalate privileges" and gain total control over the machine without knowing the administrator password.
Wardle also showed that a malicious script installed into the Zoom Mac client could give any piece of malware Zoom's webcam and microphone privileges, which do not prompt the user for authorization and could turn any Mac with Zoom installed into a potential spying device.
Yuan opens in new tab acknowledged Zoom's growing pains and pledged that regular development of the Zoom platform would be put on hold while the company worked to fix security and privacy issues. Dedicated journalists and security researchers have also helped to identify pre-existing ones.
To deal with these issues, Yuan wrote, Zoom would be "enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues. Among other things, Zoom would also be "conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
Zoom now requires passwords by default for most Zoom meetings, although meetings hosts can turn that feature off. Passwords are the easiest way to stop Zoom bombing. And on April 8, former Facebook and Yahoo chief security officer Alex Stamos opens in new tab said he would be working with Zoom to improve its security and privacy. Stamos is now an adjunct professor at Stanford and is highly regarded within the information-security community. Zoom claims its meetings use "end-to-end encryption" if every participant calls in from a computer or a Zoom mobile app instead of over the phone.
But under pressure from The Intercept opens in new tab , a Zoom representative admitted that Zoom's definitions of "end-to-end" and "endpoint" are not the same as everyone else's. Every other company considers an endpoint to be a user device -- a desktop, laptop, smartphone or tablet -- but not a server. And every other company takes "end-to-end encryption" to mean that servers that relay messages from one endpoint to another can't decrypt the messages.
When you send an Apple Message from your iPhone to another iPhone user, Apple's servers help the message get from one place to another, but they can't read the content. Not so with Zoom. A little more than a week later, cybersecurity firm Armorblox outlined an account takeover attack that leveraged malicious phishing and social engineering.
Instead, its wide-ranging use by enterprises convinced threat actors to use emails with spoofed addresses to entice victims to unknowingly download a malicious payload. But Zoom calls are usually scheduled in advance and users join through an email invitation. Her own investigation found two vulnerabilities, including a buffer overflow that impacted both clients and MMR servers.
Another was an information leak that can be used by attackers on MMR servers. Hackers attacking the flaw could target Zoom accounts through connections with Zoom Contacts. The servers also lacked address space layout randomization ASLR , which would make it easier for a threat actor to exploit memory corruption vulnerabilities. Zoom recently enabled it, she wrote. The attackers tried to spoof the email address and replicate the subject line of a legitimate email from Zoom.
The email was able to bypass Microsoft email security controls, she wrote. About 10, emails were sent to an online mortgage brokerage company in North America, according to Armorblox. That ubiquitous nature and the broad reach within enterprise should not be overlooked as part of the attack surface, according to cybersecurity professionals.
No comments:
Post a Comment