Two more macOS Zoom flaws surface, as lawsuit & government probe loom
As New York launches a probe and a class action lawsuit is levied against video conferencing app Zoom, a security researcher has discovered two vulnerabilities in its macOS client.

Security researchers and governments are raising new concerns about Zoom's privacy and security.
Zoom has become wildly popular in the midst of the COVID-19 pandemic, despite its questionable security and privacy reputation. And now, when more and more users are turning to the app for work meetings or chats with friends, hackers and governments are raising new concerns about the platform.
Security vulnerabilities
Patrick Wardle, a macOS security researcher and former hacker for the National Security Agency, has uncovered two new local security vulnerabilities in the latest version of the Mac Zoom client. The first flaw relies on the "shady" way that Zoom installs itself on a Mac, which we've previously covered. By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer -- the highest level of privilege.
The second flaw, which is arguably more concerning, allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.
While local exploits like these typically require prior access to a computer, once the other preconditions are met they are usually far more common and harder to prevent than remote ones.
This isn't Zoom's first security blunder, either. In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.
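The installation flaw above turns on the installer running package scripts before the user ever approves anything. The following is an added defender-side audit, not code from the article, from Wardle, or from Zoom: it walks a package that has already been expanded (assumed with `pkgutil --expand pkg.pkg outdir`, which yields the standard `<component>.pkg/Scripts/` layout) and reports which pre- and post-install scripts it would run, so an administrator can read them before deploying.

```python
"""Audit an expanded macOS installer package for preflight/preinstall and
postflight/postinstall scripts. Added example; the sample package below is
constructed for the demo and is not Zoom's installer."""
import tempfile
from pathlib import Path

# Order in which Apple's installer runs them. The "pre" stage executes before
# any payload lands, which is why it deserves the closest review.
STAGES = (
    ("preflight", "pre"), ("preinstall", "pre"),
    ("postflight", "post"), ("postinstall", "post"),
)


def audit_expanded_pkg(root):
    """Return one dict per installer script found, in execution order."""
    findings = []
    for scripts_dir in sorted(Path(root).rglob("Scripts")):
        if not scripts_dir.is_dir():
            continue
        component = scripts_dir.parent.name  # e.g. example.pkg
        for name, stage in STAGES:
            script = scripts_dir / name
            if not script.is_file():
                continue
            lines = script.read_text(errors="replace").splitlines()
            shebang = lines[0] if lines and lines[0].startswith("#!") else "(no shebang)"
            findings.append({"component": component, "script": name,
                             "stage": stage, "shebang": shebang, "lines": len(lines)})
    return findings


def build_sample_pkg():
    """Construct a fake expanded package tree (constructed sample data)."""
    root = Path(tempfile.mkdtemp())
    scripts = root / "example.pkg" / "Scripts"
    scripts.mkdir(parents=True)
    (scripts / "preinstall").write_text("#!/bin/sh\n# runs with root before install\n")
    (scripts / "postinstall").write_text("#!/bin/bash\nexit 0\n")
    (scripts / "helper.sh").write_text("#!/bin/sh\n")  # not run directly; not flagged
    return root


if __name__ == "__main__":
    for f in audit_expanded_pkg(build_sample_pkg()):
        print("{component}/{script} [{stage}] {shebang}, {lines} lines".format(**f))
```

Any script reported in the "pre" stage runs before the user clicks Install, so treat its contents as code you are granting root to.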
Privacy concerns
Along with the security flaws, Zoom has also recently caught flack for its privacy practices. Earlier in March, Motherboard found that the Zoom for iOS app was sending off user data to Facebook, even if users didn't have a Facebook account. While Zoom has since removed that "feature," New York has opened an investigation into the app and a class-action lawsuit has been lodged in California.
The class action, filed in the U.S. District Court for the Northern District of California, alleges that Zoom gave personal user information to third parties without being explicitly clear about the data-sharing practices, CBS News reported. New York Attorney General Letitia James has also launched a probe into Zoom's privacy policies.
In a separate development, Zoom may also be inadvertently leaking user email addresses and photos to complete strangers, according to Motherboard.
This appears to be happening because Zoom treats all email addresses with "non-standard providers" (Gmail, Yahoo or Hotmail) as single companies. Users with those non-standard addresses are able to see the full names, profile pictures and statuses of other users with the same email provider. They're also able to start video chats with those users.
On Tuesday, The Intercept also alleged that Zoom was misleading customers by claiming that video calls were end-to-end encrypted. They aren't. Instead, Zoom is using transport encryption, which encrypts the connection but doesn't hide calls from Zoom itself.
Comments
Electrical tape to the rescue!
COVID catapulted Zoom to the forefront and I suspect they were somewhat unprepared for this scrutiny. Hopefully they can get their security in order.
Most people must be getting the app from their website...
The problem is that the thing you call a flaw is actually called a 'feature' by developers. It allows preflight checks before you run the main installation (making sure you have the right version of Python on the machine, for example), but it does require an element of trust because there's nothing stopping you from running anything you want as part of the preflight, which is what Zoom appears to be doing.
Apple will eventually tighten this up, and a lot of developers will complain when they do it.
Frankly, their developer certificate should be revoked by Apple to protect users. They are deliberately circumventing security processes on the Mac and exposing users to vulnerabilities. Additionally they are lying about their security features. Apple would be completely justified at this point simply revoking their certificates and breaking their installer and application. There are plenty of alternative conferencing applications out there that people can switch to quite rapidly.
Too late. They've already demonstrated, on a number of occasions, that they can't be trusted.
These aren't coding mistakes they're making; they're carrying out deliberate actions (and coding mistakes!) that are making your machine and data vulnerable.