Security News
"While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices," according to the letter obtained by the New York Times. The potential security issues that Zoom's facing are myriad. Already, numerous reports have emerged of threat actors hijacking Zoom meetings and upending them with hate speech, threats of sexual harassment, and pornographic images.
Earlier this month, articles on Mashable, EFF, Forbes, and Consumer Reports, among others, heavily criticized Zoom for not ensuring that users' privacy is well protected, which encouraged web veteran Doc Searls to have a look into the matter as well. EFF too pointed out that Zoom hosts could monitor attendees' activity while screen-sharing, could see whether a participant has the Zoom window in focus or not, and that administrators can view "How, when, and where users are using Zoom," and can access the contents of recorded calls, including "Video, audio, transcript, and chat files."
Zoom has removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage. In a Friday post, Zoom said that it has now removed the "Login with Facebook" software development kit for iOS, which was the feature tied to the data sharing: "Our customers' privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client, and have reconfigured the feature so that users will still be able to log in with Facebook via their browser," according to Eric Yuan, founder of Zoom.
As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of the coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware on their devices. "The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure, and exploit. Each time you get a Zoom link or document messaged or forwarded to you, I'd take an extra look to make sure it's not a trap."
As the global coronavirus pandemic pushes the popularity of videoconferencing app Zoom to new heights, one web veteran has sounded the alarm over its "Creepily chummy" relationship with tracking-based advertisers. Doc Searls, co-author of the influential internet marketing book The Cluetrain Manifesto last century, today warned that Zoom not only has the right to extract data from its users and their meetings, it can work with Google and other ad networks to turn this personal information into targeted ads that follow them across the web.
The developers of the online video-conferencing service cautioned users to avoid sharing Zoom meeting links publicly and widely on social media and to use some simple management tools within the system to help avoid scenarios in which uninvited participants disrupt meetings in unpleasant and threatening ways. The company posted in response to numerous reports of threat actors upending Zoom meetings with hate speech such as racist messages, threats of sexual harassment, and pornographic images that drive meeting participants offline or force the meeting to be abruptly cancelled.
Zoom Video Communications has fixed a vulnerability that - under certain conditions - could have allowed an uninvited third party to guess a Zoom meeting ID and join a conference call. The flaw was due, in part, to an attacker potentially being able to guess a valid Zoom meeting ID, according to Alexander Chailytko, a research and innovation manager at Check Point, who notes that all Zoom meeting IDs have nine to 11 digits.
"The main takeaway for online conference platforms is that these companies are in charge of the security of their users and they need to work to secure these environments. Zoom added a password but other actions can be taken as well so that people can't really abuse these platforms," she said. Beyond Zoom's recent flaw, Horowitz also talked to Threatpost about the challenges of hunting down cybercriminals and making attribution, and the top threats she's anticipating in 2020 - from ransomware to cloud-infrastructure attacks.
A vulnerability in the Zoom online meeting system could allow attackers to eavesdrop on meetings and view all shared content, Check Point security researchers have discovered. What Check Point's security researchers discovered was that an attacker could predict Meeting IDs and potentially join active meetings.
Video-conferencing outfit Zoom had a vulnerability in its URL scheme that miscreants could exploit to eavesdrop on private meetings. The firm reckoned that around 4 per cent of randomly generated meeting IDs led to genuine Zoom meetings.