Zoom: Suspicious And Badly Programmed Video Chat Application



Rapid ascent is accompanied by dubious methods, false promises and serious security deficits

A video chat solution that is easy to use, suitable for larger groups and free of charge: with this promise, Zoom has recently experienced a real boom. The application was already considered the rising star in this category, and the situation around COVID-19 has now accelerated its growth rapidly. Zoom is not only currently at the top of the app stores of Google and Apple, but the number of users has also multiplied: according to official figures, more than 200 million people now use Zoom every day. For comparison: in December there were only 10 million. The stock exchange is also thrilled: the share price has almost doubled compared to the beginning of the year. However, the current growth also means that Zoom is being examined more closely than before. And what has been tracked down in the past few days alone paints an unpleasant picture: a mix of dubious methods, false promises and sometimes surprising security deficits.





Zoom bombing



The so-called Zoom bombing has certainly attracted the most attention: online trolls have made a sport of disrupting other people's chats by inserting shocking videos or pornographic content via the screen sharing function. This is undoubtedly unpleasant, but actually one of the smaller current problems of Zoom. After all, screen sharing can easily be limited to the initiator of the chat via the settings, which means that such attacks no longer work.

The fact that this is possible at all has to do with a peculiarity that makes Zoom so easy to use: from the start, every chat is public. Anyone who has the right group ID - or the right link - can participate. For confidential conversations it is therefore particularly important to keep this information secret. This is something that some politicians also have to learn. British Prime Minister Boris Johnson, for example, caused involuntary amusement a few days ago when he proudly posted a screenshot of the first cabinet meeting held via Zoom. The group ID in question is visible in it. At least the chat had been secured with a password, so direct access was not possible. Nevertheless, it can be doubted that the British security authorities were particularly happy with this revelation. After all, it is generally a strange decision to hold such sensitive government meetings on Zoom. The service is not end-to-end encrypted, which means that the operator based in the USA could theoretically take a look at the discussions.

Boris Johnson uses Zoom - and gives away the secret group ID via screenshot.

Encryption issues

At this point, however, we come to the false promises mentioned at the outset. Zoom does indeed claim that the video chats are end-to-end encrypted, not only on its own website but also in the official security white paper and in the app. But this is complete nonsense. When asked by "The Intercept", the company confirmed on Tuesday that the data is encrypted between the user and the server, but not on the server itself. What is described is therefore nothing more than classic transport encryption, as is also used for HTTPS connections on the web. This has absolutely nothing to do with real end-to-end encryption, in which outsiders have no insight. This was followed by a "clarification" from Zoom in the form of a blog entry, which does not change the fact that the false claim is currently still to be found on the website and in the apps. So that there is no wrong impression: many other video conference programs are not end-to-end encrypted either. However, they do not claim to be, and thus do not lull their users into a false sense of security.





Questionable tricks


Almost at the same time, plenty of dubious methods used by Zoom's app for Mac OS became public. For example, the installer uses a trick to avoid the user approval that actually has to be obtained before each installation. Once the file is clicked, the program is immediately set up on the data carrier. A second behaviour is even more unpleasant: if the installing user is not in the admin group, Zoom asks for the root password of the system, with a dialogue that has been manipulated in such a way that it looks like a system query. It is not evident that the request has anything to do with Zoom. The discoverers of these methods find clear words for them: such tricks are otherwise known only from malware.

Now you could think of this as a one-time slip, but it is not: Zoom already has a relevant history. The company was in the headlines only last July when it became known that remnants remained on the system when the Mac OS version was uninstalled. And not just a few scattered files, but a complete web server that could also be used by websites to get access to the webcam without user consent. With this, Zoom succeeded in doing something that is a real rarity in Mac OS history: Apple itself delivered an update for its operating system in order to completely get rid of the server in question.

Security deficits

The security of Zoom has also recently come under fire. A bug was disclosed on Tuesday that could allow attackers to tap Windows login information using links posted in Zoom chats. On Wednesday, a former NSA hacker released two more unpatched vulnerabilities, both in the Mac version of Zoom. One allows attackers to access the microphone and camera. The second uses the previously described installer tricks to obtain root rights for a malicious application.

And the automatic assignment of short (nine to eleven characters) group IDs for the chats does not seem to have been Zoom's smartest idea in retrospect: as security researchers have discovered, tools are now circulating that simply try out all number combinations, check whether chats are openly accessible, and then read out details straight away.





Mistake in thinking

And then there was what "Motherboard" had to report on Wednesday: a fatal mistake by the Zoom developers. As it turns out, Zoom - with the exception of large providers such as Gmail or Hotmail - assumes that all email addresses from the same domain are also part of the same company. The problem with this: if you are part of the same company, you also automatically have access to the company directory. This means that users of various smaller providers were amazed to find that they could see the name, email address and photo of all Zoom users who use an email address from the same provider for Zoom.

On top of all this, there are also dubious features such as user tracking in video calls, through which the administrator of a chat can see which users turn to other tasks during a presentation. Or the complete lack of a transparency report that provides information about the extent of government data requests - at least improvement is promised in this regard.

Reaction

To be fair, it has to be emphasized that Zoom has already corrected one or two of these deficits. Above all, this concerns the privacy policy, which until recently would have explicitly allowed data to be passed on to third parties. This is now excluded in a new version, and this is real progress. In addition, a much-discussed data leak in the iOS app was cleaned up, via which even information about non-Facebook users was sent to Facebook. It should be noted, however, that this problem automatically resulted from using the official development kit for Facebook login. This also means that this behaviour is by no means uncommon among Android and iOS apps. This is, of course, no particular consolation, but the excitement about it seems somewhat exaggerated by comparison. Zoom, on the other hand, has to accept criticism for the fact that the data transfer to Facebook was not mentioned in the privacy policy.
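
The directory flaw described under "Mistake in thinking" comes down to how accounts are grouped into a "company". The following is an added example, not Zoom's code and not part of the original article; the function names, the sample addresses and the verified-domain list (here assumed to be filled by some ownership proof such as a DNS challenge) are assumptions. It contrasts a denylist of large providers with grouping only on domains whose ownership has been verified:

```python
# Added illustration: hypothetical directory-grouping logic, not Zoom's code.
from collections import defaultdict

# Constructed sample accounts; all names and domains are made up.
USERS = [
    "alice@gmail.com", "bob@gmail.com",
    "carol@small-isp.example", "dave@small-isp.example",
    "erin@acme.example", "frank@acme.example",
]

# Flawed approach: a denylist of "large providers" can never be complete.
PUBLIC_PROVIDERS = {"gmail.com", "hotmail.com"}

# Hardened approach (assumption): only domains whose ownership an
# organisation has proven are treated as a company.
VERIFIED_ORG_DOMAINS = {"acme.example"}


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def directory_by_denylist(users):
    """Group by domain unless the domain is on the provider denylist."""
    groups = defaultdict(list)
    for user in users:
        domain = domain_of(user)
        if domain not in PUBLIC_PROVIDERS:
            groups[domain].append(user)
    return dict(groups)


def directory_by_verified_domain(users):
    """Group only users whose domain has verified organisational ownership."""
    groups = defaultdict(list)
    for user in users:
        domain = domain_of(user)
        if domain in VERIFIED_ORG_DOMAINS:
            groups[domain].append(user)
    return dict(groups)


def exposed_domains(groups):
    """Domains treated as one 'company' without verified ownership."""
    return sorted(d for d in groups if d not in VERIFIED_ORG_DOMAINS)
```

With the denylist, customers of the small provider end up in one shared directory; with the verified-domain rule, unknown domains get no directory by default.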


Some things are normal, some things are bad



This is a long list of problems that still needs to be put into perspective. As unpleasant as the security problems that have emerged are, they are not a reason to rule out using Zoom. Such bugs happen to practically every software manufacturer at some point, and the current accumulation is not least due to the fact that the security community has just zoomed in on the company because of its rapidly growing popularity. In addition, Zoom has already closed some of these bugs. And it is particularly gratifying that Zoom promises to focus exclusively on improvements in the areas of privacy and security over the next 90 days. At the same time, choosing software on the strength of vague promises is never advisable. In this respect, only the current facts remain as a basis for decision-making, and the picture is clear: given all the false promises and dubious methods, it is currently impossible to trust the manufacturer with data as sensitive as private video chats.
