Two more macOS Zoom flaws surface, as lawsuit & government probe loom

Posted:
in General Discussion
As New York launches a probe and a class action lawsuit is levied against video conferencing app Zoom, a security researcher has discovered two vulnerabilities in its macOS client.

Security researchers and governments are raising new concerns about Zoom's privacy and security.
Security researchers and governments are raising new concerns about Zoom's privacy and security.


Zoom has become wildly popular in the midst of the COVID-19 pandemic, despite its questionable security and privacy reputation. And now, when more and more users are turning to the app for work meetings or chats with friends, hackers and governments are raising new concerns about the platform.

Security vulnerabilities

Patrick Wardle, a macOS security researcher and former hacker for the National Security Agency, has uncovered two new local security vulnerabilities in the latest version of the Mac Zoom client.

The first flaw relies on the "shady" way that Zoom installs itself on a Mac, which we've previously covered. By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer -- the highest level of privilege.

The second flaw, which is arguably more concerning, allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.

While local exploits like these typically require physical access to a computer, they're usually much more common and difficult to prevent should the rest of the criteria that are needed are fulfilled.

This isn't Zoom's first security blunder, either. In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.

Privacy concerns

Along with the security flaws, Zoom has also recently caught flack for its privacy practices. Earlier in March, Motherboard found that the Zoom for iOS app was sending off user data to Facebook, even if users didn't have a Facebook account.

While Zoom has since removed that "feature," New York has opened an investigation into the app and a class-action lawsuit has been lodged in California.

The class action, filed in the U.S. District Court for the Northern District of California, alleges that Zoom gave personal user information to third parties without being explicitly clear about the data-sharing practices, CBS News reported. New York Attorney General Letitia James has also launched a probe into Zoom's privacy policies.

In a separate development, Zoom may also be inadvertently leaking user email addresses and photos to complete strangers, according to Motherboard.

This appears to be happening, because Zoom treats all email addresses with "non-standard providers" (Gmail, Yahoo or Hotmail) as single companies. Users with those non-standard addresses are able to see the full names, profile pictures and statuses of other users with the same email provider. They're also able to start video chats with those users.

On Tuesday, The Intercept also alleged that Zoom was misleading customers by claiming that video calls were end-to-end encrypted. They aren't. Instead, Zoom is using transport encryption, which encrypts the connection but doesn't hide calls from Zoom itself.
«1

Comments

  • Reply 1 of 34
    xrstevexrsteve Posts: 1member
    What's the best way to delete my Zoom account, and completely remove Zoom code from my Mac?
    mrmacgeekmagman1979roybattychasmwatto_cobra
  • Reply 2 of 34
    seanismorrisseanismorris Posts: 1,624member
    Yikers.

    Electrical tape to the rescue!
    watto_cobra
  • Reply 3 of 34
    cpsrocpsro Posts: 3,192member
    Nice to see AI going after companies with security/privacy issues. Too bad AI doesn't investigate products like Spark before promoting them, not that AI is alone in this. There is simply too much blind promotion (advertising) being done by so-called tech sites.
  • Reply 4 of 34
    MplsPMplsP Posts: 3,911member
    Not to excuse the issues with Zoom, but isn’t part of the issue also a security flaw with MacOS that allows the software to be installed in the first place?

    COVID catapulted Zoom to the forefront and I suspect they were somewhat unprepared for this scrutiny. Hopefully they can get their security in order.
  • Reply 5 of 34
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    cpsro said:
    Nice to see AI going after companies with security/privacy issues. Too bad AI doesn't investigate products like Spark before promoting them, not that AI is alone in this. There is simply too much blind promotion (advertising) being done by so-called tech sites.
    What are we talking about, in regards to Spark?
    mrmacgeekStrangeDaysronnwatto_cobra
  • Reply 6 of 34
    seanismorrisseanismorris Posts: 1,624member
    Isn’t the Mac App Store supposed to prevent this bad behavior in app installs?

    Most people must be getting the app from their website...


    edited April 2020
  • Reply 7 of 34
    Rayz2016Rayz2016 Posts: 6,957member
    MplsP said:
    Not to excuse the issues with Zoom, but isn’t part of the issue also a security flaw with MacOS that allows the software to be installed in the first place?


    It's a good point, yes.

    The problem is that thing you call a flaw, is actually called a 'feature' by developers. It allows preflight checks before you run the main installation (making sure you have the right version of Python on the machine for example), but it does require an element of trust because there's nothing stopping you from running anything you want as part of the preflight, which is what you Zoom appear to be doing.

    Apple will eventually tighten this up, and a lot of developers will complain when they do it.



    magman1979StrangeDaysronnpscooter63watto_cobra
  • Reply 8 of 34
    GobnuGobnu Posts: 17member
    Isn’t the Mac App Store supposed to prevent this bad behavior in app installs?

    How can the install be “shady” if using this method?  

    Are people installing Zoom using another method?
    When someone sends you a meeting link, it prompts you with another link to download and install itself if not already installed.  You still have to allow downloads from the website, but that is the only security hurdle that I am aware of.
    watto_cobra
  • Reply 9 of 34
    beeble42beeble42 Posts: 32member
    Isn’t the Mac App Store supposed to prevent this bad behavior in app installs?

    How can the install be “shady” if using this method?  

    Are people installing Zoom using another method?
    Zoom is not in the App Store. People go to Zoom's website and download the installer. Part of the problem is that they aren't using the installer correctly to bypass security features.

    Frankly, their developer certificate should be revoked by Apple to protect users. They are deliberately circumventing security processes on the Mac and exposing users to vulnerabilities. Additionally they are lying about their security features. Apple would be completely justified at this point simply revoking their certificates and breaking their installer and application. There are plenty of alternative conferencing applications out there that people can switch to quite rapidly.
    magman1979macseekerStrangeDaysronnwatto_cobra
  • Reply 10 of 34
    Rayz2016Rayz2016 Posts: 6,957member

    MplsP said:


    COVID catapulted Zoom to the forefront and I suspect they were somewhat unprepared for this scrutiny. Hopefully they can get their security in order.

    Too late. They've already demonstrated, on a number of occasions, that they can't be trusted.

    These aren't coding mistakes they're making; they're carrying out deliberate actions (and coding mistakes!) that is making your machine and data vulnerable.
    magman1979Gabyronnchasmwatto_cobra
  • Reply 11 of 34
    larryjwlarryjw Posts: 1,031member
    MplsP said:
    Not to excuse the issues with Zoom, but isn’t part of the issue also a security flaw with MacOS that allows the software to be installed in the first place?

    COVID catapulted Zoom to the forefront and I suspect they were somewhat unprepared for this scrutiny. Hopefully they can get their security in order.
    There was an article on this site indicating 10.15.4 and thereafter are pushing to not use OS extensions, though they are allowed now. Are the extension limitations previously discussed how MacOS will be protected?
    watto_cobra
  • Reply 12 of 34
    seanismorrisseanismorris Posts: 1,624member
    xrsteve said:
    What's the best way to delete my Zoom account, and completely remove Zoom code from my Mac?
    Is Google down today?

    Developers website 

    General info on uninstalling apps
    https://www.youtube.com/watch?v=pabnBqU7iP0
    magman1979ronn
  • Reply 13 of 34
    Application developers require revenue to produce support and update their products. These situations will not be resolved until users are willing to pay for security and absence of ads. There is no "Free Lunch".
    lkruppiHywatto_cobra
  • Reply 14 of 34
    I don’t trust the intentions of the people at Zoom. ☹
    edited April 2020 watto_cobra
  • Reply 15 of 34
    jimh2jimh2 Posts: 611member
    How do you file a class action suit against a foreign company where our courts have no jurisdiction?
    watto_cobra
  • Reply 16 of 34
    lkrupplkrupp Posts: 10,557member
    My church started using Zoom for Sunday services. I see in the zoom.us app there is an option to uninstall zoom. Anybody know if this option does what it says it does?
    watto_cobra
  • Reply 17 of 34
    lkrupplkrupp Posts: 10,557member
    BuckDuane said:
    Application developers require revenue to produce support and update their products. These situations will not be resolved until users are willing to pay for security and absence of ads. There is no "Free Lunch”.
    Tell that to all the people using Google’s ‘free’ apps and services. What is it about the word ‘free’ that scrambles people’s brains into thinking it’s true?
    qwerty52watto_cobra
  • Reply 18 of 34
    sjworldsjworld Posts: 94member
    jimh2 said:
    How do you file a class action suit against a foreign company where our courts have no jurisdiction?
    What? This company is based off of San Jose, California.
    ronn
  • Reply 19 of 34
    djkfisherdjkfisher Posts: 130member
    Interesting and I don't use the product, scary.
    watto_cobra
  • Reply 20 of 34
    JBSloughJBSlough Posts: 92member
    Isn’t the Mac App Store supposed to prevent this bad behavior in app installs?

    Most people must be getting the app from their website...


    The App is not available in the Mac App Store. You have to download off the web. Which means you have to change the Gatekeeper settings to let that happen.
    watto_cobra
Sign In or Register to comment.