PSA: Zoom is not secure, leaking emails, and other issues

ArrogantBastard · Apr 1, 2020

Thatguy said:
So many people are using Zoom with open meeting links. Put a password on it and that prevents a lot of this. Same goes for open anonymous links that you can create with Onedrive, Google Drive, DropBox, etc.

Because the vast majority of people that are using this have never once in their life done a virtual conference. I'm one of them, its a 15 minute meeting and its hard enough to get 50% attendance with constant questions of what to do, I cannot join, etc. Its crap I know, but when you reach for the lowest form of entry this is no surprise. Not gonna lie, I'll still use it till my school jumps ship.

captive · Apr 1, 2020

Thatguy said:
So many people are using Zoom with open meeting links. Put a password on it and that prevents a lot of this. Same goes for open anonymous links that you can create with Onedrive, Google Drive, DropBox, etc.

The problem is the default setting.

Onedrive default to share files is via email so only the person with that email can get it. You have to manually switch to an open link.

Vilix · Apr 1, 2020

Jay Mcsaros said:
Video conferencing is a security risk that hasn't been completely solved for.

FaceTime is very secure. Unfortunately a lot of people don't use Apple devices.

Chrno · Apr 1, 2020

my company (with over 150,000 employees) just switched over to Zoom. 🤔

Dervius · Apr 1, 2020

This has been blowing up a bit on infosec Twitter.

The general feeling among security professionals is that it's "good enough" for most people.

When it comes to security you can't let perfect be the enemy of good. The fact is Zoom is a triumph of usability and UX design, and orgs are flocking to.it on droves given the unprecedented demand for remote working and communication solutions.

Some of the common issues highlighted can be mitigated by changing default settings on meetings (the zoombombing issue) and others have to be accepted as a known risk.

Tl:dr - with a google and some setting changes zoom is good enough for.most people.

For people asking for alternatives, Jitsi was a name I've seen banded about in the security twittersphere.

captive · Apr 1, 2020

Whelp here's another

[Update: Zoom patches and responds] Ex-NSA hacker finds new Zoom flaws to takeover Macs again, including webcam, mic, and root access - 9to5Mac

Zoom, the popular video call service has had a number of privacy and security issues over the years and we’ve...

9to5mac.com

Mac users should be pleased.

BLEEN · Apr 1, 2020

The Albatross said:
Zoom has shady privacy agreement and installation methods but that doesn't make it malware, that's a dumb conclusion or misuse of the word "malware"

'malware' the new 'hacker' the new 'virus'. lol

Hopey · Apr 1, 2020

My whole college is switching to zoom, not sure how they'll see this. Probably wont do a thing

Deleted member 39374 · Apr 1, 2020

Never used it. Slack and Group Facetime only 💪🏼💪🏼

PRed · Apr 1, 2020

For people who are stuck on Zoom because of organisation issues, use Zoom web client if you can to minimise the risks of running native app code (doing who knows what).

There's a browser extension to redirect all zoom links to the web client: https://github.com/arkadiyt/zoom-redirector

marmalade · Apr 1, 2020

I had been using Zoom until last summer for work and am absolutely baffled it made a resurgence.

shauntu · Apr 1, 2020

Teams is free for all universities and schools

gogojira · Apr 1, 2020

Dervius said:
This has been blowing up a bit on infosec Twitter.

The general feeling among security professionals is that it's "good enough" for most people.

When it comes to security you can't let perfect be the enemy of good. The fact is Zoom is a triumph of usability and UX design, and orgs are flocking to.it on droves given the unprecedented demand for remote working and communication solutions.

Some of the common issues highlighted can be mitigated by changing default settings on meetings (the zoombombing issue) and others have to be accepted as a known risk.

Tl:dr - with a google and some setting changes zoom is good enough for.most people.

For people asking for alternatives, Jitsi was a name I've seen banded about in the security twittersphere.

Same and the sentiment largely ranges from "y'all good quit freaking the fuck out" to "omg privacy nightmare." I mean, Teams (which I use daily at this point) is ran by Microsoft who has designed W10 to ingest so much of your private data it's absurd. Their Edge updates are causing concern, too. Most everyone in this thread is probably posting on a Google browser. And I have a feeling Jitsi will take off in the mainstream about as much as Qubes OS.

I'm not saying people shouldn't care, but these complaints are pretty common across tech.

hateradio · Apr 1, 2020

Octodad said:
Anyone have a suggestion of a better video chat platform for multiparty usage?

Webex or Slack for Enterprise.

Deleted member 6730 · Apr 2, 2020

Who can be our savior now.

Dervius · Apr 2, 2020

When something like this kicks off, something ubiquitious and popular has security issues unearthed it really highlights the value of threat modelling. Not every security issue poses a threat to every user, and it's useful to try and understand how something might be used, and if that would in fact affect your use-case for using a product or service.

But in the public consciousness X program is now insecure, full stop. Which is understandable when you're seeing headlines about new security vulnerabilities but I'd always encourage people to try and understand how they apply to their particular use case and make personal assessments accordingly.

Zoom doesn't just have to be abandoned now.

captive · Apr 2, 2020

Dervius said:
When something like this kicks off, something ubiquitious and popular has security issues unearthed it really highlights the value of threat modelling. Not every security issue poses a threat to every user, and it's useful to try and understand how something might be used, and if that would in fact affect your use-case for using a product or service.

But in the public consciousness X program is now insecure, full stop. Which is understandable when you're seeing headlines about new security vulnerabilities but I'd always encourage people to try and understand how they apply to their particular use case and make personal assessments accordingly.

Zoom doesn't just have to be abandoned now.

People are trying to make this argument. That some of the vulnerabilities are low value. While true it downplays the larger issue.

The problem on this case is the long history of doing shady things, not caring about users data or privacy AND security vulnerabilities

Replicant · Apr 2, 2020

LProtagonist said:
Our school decided not to use Google Meet, as it's easy for people to get into that weren't invited. Zoom apparently has protections against that, but there's all these issues too...

Google quickly fixed the issues Meets had last week. Hosts can now lock rooms, and ended meetings now actually end them. Very surprised google allowed a host to leave and it didn't end the meeting. All meetings could never end because anyone who was in one could just join back into them when they want as long as they had the meeting link.

Dervius · Apr 2, 2020

captive said:
People are trying to make this argument. That some of the vulnerabilities are low value. While true it downplays the larger issue.

The problem on this case is the long history of doing shady things, not caring about users data or privacy AND security vulnerabilities

There definitely needs to be a balance. I am in no way suggesting that these things should be played down, the developers should indeed to held to account to do better, security researchers should continue to do their work. But at the same time, a headline like "Zoom is insecure" is a binary trigger to many of the wider public who will then consider the tool a total lost cause because it's insecure, without any understanding of what exactly the problem is, or how it may or may not apply to them.

Every user of Zoom is obviously not going to be a security expert, and thus headlines end up shaping that public perception. It's harder to say "You can still use Zoom reasonably safely if you do these things" than "Zoom is an insecure PoS that's stealing your data".

Arguably both things need to be said, but one seems to heard far more easily than the other.

NameUser · Apr 2, 2020

Action Burger said:
Same happened at my job. WebEx and Teams enterprise accounts but everyone wants to use Zoom. It does seem to have far superior video quality and stability. It's just insane that Microsoft, Cisco and Google don't have better servers. Between this and the shady Zoom practices, it's like real life Pied Piper.

Skype had such a huge headstart over a lot of these companies, and with MS owning them, they really should be the GOAT. Weird how they just dropped the ball.

Windrunner · Apr 2, 2020

Attackers can use Zoom to steal users' Windows credentials with no warning

Deleted member 42472 · Apr 2, 2020

NameUser said:
Skype had such a huge headstart over a lot of these companies, and with MS owning them, they really should be the GOAT. Weird how they just dropped the ball.

There were a few solid decades where Microsoft was The Devil and anything they touched had to be evil. That tends to slow down adoption and let other companies (google, apple, facebook, etc) get pretty strong footholds.

mrmoose · Apr 2, 2020

Windrunner said:
Attackers can use Zoom to steal users' Windows credentials with no warning

I don't quite get this vulnerability. I understand that the vulnerability is Zoom converting those to links. I don't understand how or why windows would send your unencrypted username/password just from clicking on that share. Unless we're talking someone capable of breaking that hash. Plus I wasn't even aware the firewall wouldn't block an outgoing connection to a remote windows share that you had never heard of before.

Tappin Brews · Apr 2, 2020

i got zoom bombed on my first attempt this week.

it hasnt been an official mandate that we do these in our district but there does seem to be a lot of pressure - wonder if these stories will have them relax that a bit (or find an alternative)

Aureon · Apr 2, 2020

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

www.bleepingcomputer.com

Honestly, i'm reading this and all i'm thinking is WHAT THE FUCK, WINDOWS?
Click on any UNC link and you attempt a SMB connection.. ok.
Just attempting any SMB connection exposes windows credentials?! Username AND password?

Daily reminder that windows is, from a security standpoint, a complete and utter shitshow.

entremet · Apr 2, 2020

Looks like the NY AG is starting some investigation on Zoom due to privacy issues.

Uh oh!

New York Attorney General Looks Into Zoom’s Privacy Practices (Published 2020)

As the videoconferencing platform’s popularity has surged, Zoom has scrambled to address a series of data privacy and security problems.

www.nytimes.com

Unicorn · Apr 2, 2020

Walter White Walker said:
My kids started school from home on Monday. Some teachers wanted to use Zoom but the school district quickly nixed that, I'm assuming due to security concerns.

Probably more accurately due to costs to have more secure accounts. That's what my work is dealing with.

Shoes · Apr 2, 2020

Dervius said:
When something like this kicks off, something ubiquitious and popular has security issues unearthed it really highlights the value of threat modelling. Not every security issue poses a threat to every user, and it's useful to try and understand how something might be used, and if that would in fact affect your use-case for using a product or service.

But in the public consciousness X program is now insecure, full stop. Which is understandable when you're seeing headlines about new security vulnerabilities but I'd always encourage people to try and understand how they apply to their particular use case and make personal assessments accordingly.

Zoom doesn't just have to be abandoned now.

This is what I'm trying to parse from this thread... as someone who ONLY uses zoom for video chat with friends (no confidential/sensitive meetings) and uses password meetings, I'm likely OK? The odds of me convincing my friends to swap to a different app are slim to none.

Dervius · Apr 2, 2020

mrmoose said:
I don't quite get this vulnerability. I understand that the vulnerability is Zoom converting those to links. I don't understand how or why windows would send your unencrypted username/password just from clicking on that share. Unless we're talking someone capable of breaking that hash. Plus I wasn't even aware the firewall wouldn't block an outgoing connection to a remote windows share that you had never heard of before.

It sends your username and the NTLM hash of your password. The hash can be used as-is in some instances to access different restricted network shares and such by an attacker, the pass-the-hash attack. It could also be potentially taken and cracked offline.

Perturabo · Apr 2, 2020

"Sorry"

For fucks sake

BAD · Apr 2, 2020

Komo said:
I mean as much as I like teams it's seriously useless for things like this. It's just not well built at all.

Deepwater said:
Every Teams call I've had within my organization has been by far the best among the available solutions (the others being Zoom and Webex). Call quality has consistently been te best in my experience.

are you referring to handling large conference calls with 6+ people?

Yeah I'm wondering what they meant too. Teams has been the best for us.

exodus · Apr 2, 2020

OS X is the new Windows XP as far as security goes. Oof.

Tigress · Apr 2, 2020

Yeah, I'm glad I only heard of it last week and in the same day saw an article about how it was giving info to facebook. So while me and my friends were looking for a video chat program I kept insisting not that one.

Dervius · Apr 2, 2020

This sums my thoughts up reasonably well in general

Shoes said:
This is what I'm trying to parse from this thread... as someone who ONLY uses zoom for video chat with friends (no confidential/sensitive meetings) and uses password meetings, I'm likely OK? The odds of me convincing my friends to swap to a different app are slim to none.

It's a fair question. Nearly all of the vulnerabilities found thus far would be considered medium-low risk. The UNC path issue requires someone in your meeting to post a UNC path, someone else in your meeting to click it and then for them to go away and abuse that information. If you secure and password your calls you are generally speaking safe to use it, yes.

If you were particularly security conscious you could also look in to blocking outbound SMB traffic from your machine.

Mivey · Apr 2, 2020

Pretty obvious Zoom wasn't prepared for this, and never thought about doing anything but making it easy for people to set up meetings.
Wonder if these security issues brought to light will end up hurting them more, after all this is over, then if they had stayed a somewhat obscure video conferencing tool

Dr. Mario · Apr 2, 2020

I use it for friends and my primary school uses it to keep in contact with the kids. I don't mind data leaks there. The university I work for quickly shut it down though, and rightfully so, way more sensitive data goes through there.

Garrison · Apr 2, 2020

Apparently some a-hole exposed himself to a class using zoom

mrmoose · Apr 2, 2020

Dervius said:
It sends your username and the NTLM hash of your password. The hash can be used as-is in some instances to access different restricted network shares and such by an attacker, the pass-the-hash attack. It could also be potentially taken and cracked offline.

That seems really dumb from a Windows standpoint, why would that be allowed? I assume it's mainly for people who just open up sharing everywhere for convenience or something?

From a user standpoint, though, if you're going to fall for that you'll basically fall for any phishing attempt/malicious url that's posted in chat, and I don't see them turning off all links. They should still absolutely restrict what gets turned into links, though.

As I said before, from a personal use standpoint, say you want to get 20 people together on a web chat and you don't want to bother with registering 20 users, zoom is fine. Put a password on your meeting, be careful who gets in there and who puts what in chat, etc., and you should be fine. Use the web client if you're extra paranoid about spyware (though if you're that paranoid I don't know why you'd have a facebook account or use things like google). Performance-wise and ease-of-setup, it works great. If you're a company or you're sharing private or privileged information, probably look elsewhere.

AndyD · Apr 2, 2020

Garrison said:
Apparently some a-hole exposed himself to a class using zoom

This has happened multiple times already.

Today our work sent a wide message to everyone prohibiting Zoom and reinforcing we should use Webex plus guidance on how to use it appropriately. A few days ago the kids school sent a message they will continue to use Zoom for now because it's free, but they gave guidance on password pretecting meetings and whatnot.

captive · Apr 2, 2020

Mivey said:
Pretty obvious Zoom wasn't prepared for this, and never thought about doing anything but making it easy for people to set up meetings.
Wonder if these security issues brought to light will end up hurting them more, after all this is over, then if they had stayed a somewhat obscure video conferencing tool

they were not obscure before this.

SquirrelSaysNuts · Apr 2, 2020

marmalade said:
I had been using Zoom until last summer for work and am absolutely baffled it made a resurgence.

I had heard about pretty much of all video conference software before the quarantine without using anything but skype but then suddenly it's Zoom, here, there and everywhere.
It was even limited to 40 minutes in the free version.
What is the appeal?

Garrison · Apr 2, 2020

AndyD said:
This has happened multiple times already.

Today our work sent a wide message to everyone prohibiting Zoom and reinforcing we should use Webex plus guidance on how to use it appropriately. A few days ago the kids school sent a message they will continue to use Zoom for now because it's free, but they gave guidance on password pretecting meetings and whatnot.

That's fucked up. Wouldn't using teams be better for something like this? My local school gave my kid a laptop with office and quite a good amount of software.

Mivey · Apr 2, 2020

captive said:
they were not obscure before this.

Yeah, that's the wrong word. I meant they were not a well known name to random people. At this point they have basically become one of the most used apps globally within a few weeks

AndyD · Apr 2, 2020

dekdek said:
I had heard about pretty much of all video conference software before the quarantine without using anything but skype but then suddenly it's Zoom, here, there and everywhere.
It was even limited to 40 minutes in the free version.
What is the appeal?

The 40 minutes free and every platform availability is huge. Most others don't do that without paid subscriptions.

Dervius · Apr 2, 2020

dekdek said:
I had heard about pretty much of all video conference software before the quarantine without using anything but skype but then suddenly it's Zoom, here, there and everywhere.
It was even limited to 40 minutes in the free version.
What is the appeal?

It has a slick UI, works very well and can scale to larger calls easily. It just works well, and as more people use it word of mouth increases etc.

Teams will end up being the defacto solution for enterprise because of O365, but there is absolutely an appeal of a simple and usable program like Zoom to the consumer.

SquirrelSaysNuts · Apr 2, 2020

AndyD said:
The 40 minutes free and every platform availability is huge. Most others don't do that without paid subscriptions.

Isn't that something every platform has? I have certainly conducted longer meetings on skype and google hangouts.

captive · Apr 2, 2020

Zoom announces 90-day feature freeze to fix privacy and security issues

Zoom is giving itself 90 days to fix the problems that have been raised recently

www.theverge.com

freezing new features for 90 days to focus on security.

Deleted member 42472 · Apr 2, 2020

dekdek said:
Isn't that something every platform has? I have certainly conducted longer meetings on skype and google hangouts.

I am not aware of the free usage and how that pertains to corporate entities (or how zoom's does, to be honest).

But when you are deciding on a corporate choice of teleconferencing software you tend to need to be VERY aware of licensing and the like which is why webex and teams and the like are still the gold standard for what you are actually allowed to use

But with the sudden mass migration to WFH a lot of people who have never even thought about what a VTC is are outright defining corporate policy for schools and the like. And in that case

Dervius said:
It has a slick UI, works very well and can scale to larger calls easily. It just works well, and as more people use it word of mouth increases etc.

Zoom got that marketing down tight.

Nothing Loud · Apr 2, 2020

Are there people in white collar jobs that regularly do work team meetings who have never done video conferencing before until now? I figured if you work at a job where there are business meetings, especially with diverse or global teams, that there's always somebody video/calling in through Skype or Teams or Zoom or Google Hangouts. Hell I used to even meet by calling in (audio only) through my car phone while stuck in bumper-to-bumper traffic. My directors used to have WFH days 1-2x a week and they'd video call in to the meeting. I guess I'm just surprised that there's a substantial amount of business people who have never video conferenced before.

Temperance · Apr 2, 2020

Good response, it's a start. They should have a bug bounty program if they want to get serious about patching their software.

+bounties are in it appears. good good

PSA: Zoom is not secure, leaking emails, and other issues

User requested account closure

Attempted to circumvent a ban with an alt

Sly

User requested account closure

#TeamThierry

You wouldn't toast a NES cartridge

One Winged Slayer

One Winged Slayer

Mambo Number PS5

Mambo Number PS5

User requested account closure

Literally Cinderella

"This guy are sick"