Zoom is a video conferencing solution which became very popular due to the social distancing imposed by the COVID-19 pandemic. Since its free version allows overcoming WhatsApp group video calling limitations, it became very popular among home users.
Questions for Zoom
That sudden popularity led computer security experts (and some cybercriminals) to take an interest in its privacy and security features.
The office of New York Attorney General Letitia James sent the company a request to report what new security measures it has put in place to handle increased traffic on its network and to detect cybercriminals.
In the prosecutors' view, the firm responsible for the service was slow to address security flaws such as vulnerabilities "which could allow malicious third parties, among other things, to gain surreptitious access to consumer webcams."
It all started with the rise in attacks now known as "Zoombombing."
The term refers to exploiting Zoom's screen sharing feature to hijack meetings and disrupt educational sessions, or to post white supremacist messages in a webinar on anti-Semitism.
Prosecutors express concern that:
Zoom's current security practices may not be sufficient to accommodate the recent sudden increase in both the volume and sensitivity of the data passing over its network.
Although they acknowledge that the detected vulnerabilities have been corrected, they ask Zoom whether it has undertaken a broader review of its security practices.
Sharing data with Facebook
A few days ago it was discovered that the Zoom client for iOS sent data to Facebook. This happened even if the user did not have an account on that social network.
It may not be deliberate. Many applications use Facebook's software development kits (SDKs) as a means of implementing features in their applications more easily.
When the app was downloaded and opened, Zoom would connect to Facebook's Graph API. The Graph API is the main way for developers to get data into or out of Facebook.
The Zoom app notified Facebook when the user opened the app and sent details of the user's device, such as the model, the time zone and city from which they were connecting, which phone company they were using, and a unique advertiser identifier created by the user's device that companies can use to target a user with ads.
Last Friday, the app was updated. In the new version, the use of the SDK was replaced by authentication with Facebook through the browser.
Other privacy issues
Zoom also has other potential privacy problems. Hosts of Zoom calls can see whether participants have the Zoom window open or not, which means that they can monitor whether people are likely to be paying attention. Administrators can also see the IP address, location data and device information. If a user records any call through Zoom, the administrators can access the contents of that recorded call, including video, audio, transcription and chat files, as well as access to sharing, analytics and cloud management privileges. Administrators also have the ability to join any call at any time within their organization's Zoom instance, without prior consent or notice to call attendees.
If you use a Mac and have Zoom installed, you should be careful what you do in front of the camera. Jonathan Leitschuh, a security analyst, published two links through which a website can turn on the webcam of Mac users without their consent or knowledge.
But things are no better for Windows users. According to cybersecurity expert @_g0dmode, Zoom for Windows is vulnerable to a classic 'UNC path injection' vulnerability that could allow remote attackers to steal victims' Windows login credentials and even run arbitrary commands on their systems.
These attacks are possible because Zoom for Windows supports remote UNC paths and converts these potentially unsafe URIs into hyperlinks when they are received via chat messages in a personal or group chat.
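One way a chat client can avoid this class of problem, shown as an added example (not Zoom's code or the fix it shipped): turn only http(s) URLs into links and leave UNC paths as plain text. It goes slightly beyond the text by also flagging file:// URLs, which Windows can resolve to remote shares; the function names, patterns and sample message are assumptions constructed for illustration.

```python
import html
import re

# UNC path: two backslashes, a host name, a backslash, then the share and path.
UNC_RE = re.compile(r"\\\\[^\\/\s]+\\[^\s]*")
# file:// URLs can also point at a remote host on Windows, so flag them too.
FILE_URL_RE = re.compile(r"\bfile://[^\s<>]+", re.IGNORECASE)
# Allowlist: only these schemes are ever rendered as clickable hyperlinks.
WEB_URL_RE = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)

# Constructed sample chat message (host and share names are placeholders).
SAMPLE = r"notes at \\fileserver.example\share\notes.txt or https://example.com/a"


def find_remote_paths(message):
    """Return UNC paths and file:// URLs found in a chat message."""
    return UNC_RE.findall(message) + FILE_URL_RE.findall(message)


def render_message(message):
    """Render a chat message as HTML, linking http(s) URLs only.

    Everything else, including UNC paths, is HTML-escaped and left as
    inert text, so clicking it cannot trigger a connection to a remote share.
    """
    out, pos = [], 0
    for match in WEB_URL_RE.finditer(message):
        out.append(html.escape(message[pos:match.start()]))
        url = html.escape(match.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = match.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print("flagged:", find_remote_paths(SAMPLE))
    print(render_message(SAMPLE))
```

The same allowlist approach applies on the receiving side whatever the rendering toolkit: the decision is made on the scheme, not on whether the text merely looks like a path.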
The serious thing about all this is that we are talking about a service that has been on the market for 9 years and an application that is one of the most downloaded in both application stores.
A few days ago, on Linux Addicts, we reviewed some open source video conferencing solutions you can use.