Zoom’s Privacy Problems Snowball as Two Zero Days Uncovered
Amid increased scrutiny from researchers and privacy activists, two new zero days in the teleconferencing app surfaced on Wednesday.
As if Zoom, the video conferencing app that countless companies are using to keep working in the wake of the COVID-19 pandemic, didn't have enough of a privacy nightmare on its hands, a researcher today disclosed two new zero-day vulnerabilities in the app that could be used to steal data and spy on users.
The issues exist in Zoom's macOS client, according to longtime Apple security researcher Patrick Wardle. Wardle, Principal Security Researcher at Jamf, an Apple device management platform, detailed the bugs, both of which are still unpatched, in a post on his Objective-See blog Wednesday.
One of the bugs, a privilege escalation vulnerability, could let an attacker obtain root privileges. To exploit it, a local attacker with an unprivileged account would have to replace a bash script that the installer runs with root privileges during an installation or upgrade of the vulnerable version. With root, it would be easy to install malware or carry out other malicious actions.
At its crux, the bug stems from the way Zoom installs itself on Apple machines. Wardle decided to take a closer look after seeing a tweet from Felix Seele, a technical lead engineer at VMRay. In the tweet, Seele pointed out that Zoom's installer uses preinstallation scripts to unpack the app with 7zip and install it to /Applications without any user interaction, a trick Seele compared to techniques used by macOS malware. Wardle notes those scripts can be viewed and extracted from Zoom's installer package.
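A practitioner who has extracted an installer's scripts the way Wardle describes will want to know whether any of them, running as root, trusts a location a local user can write to. The check below is an added example, not Wardle's code and not anything from Zoom's installer: it walks the Scripts directory of a package expanded with `pkgutil --expand-full some.pkg outdir` (macOS) and flags non-comment lines that act on a user-writable path, following variables assigned from such paths with simple taint tracking. The preinstall script it scans is constructed for the example so that it runs anywhere.

```python
"""Audit installer scripts that run as root for trust in attacker-writable locations.

Added example; this is not Wardle's code or anything from Zoom's installer. On macOS the
scripts are obtained with `pkgutil --expand-full Zoom.pkg outdir` and live in
outdir/Scripts; audit_scripts_dir() takes such a directory. A constructed preinstall
script is embedded so the example runs anywhere.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Paths a local, unprivileged user can write to. A root-run installer script that
# executes, copies or sources something from one of these can be hijacked by swapping
# that file before the script runs.
LITERAL_WRITABLE = re.compile(r"(?:/private)?/(?:tmp|var/tmp)/|/Users/")
# Environment variables that expand to user-controlled locations.
TAINTED_ENV = {"HOME", "TMPDIR"}

ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_]\w*)=(.*)$")
VAR_REF = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")


@dataclass
class Finding:
    script: str
    line_no: int
    text: str


def _tainted(text, tainted_vars):
    """True if `text` names a user-writable path directly or via a tainted variable."""
    if LITERAL_WRITABLE.search(text):
        return True
    return any(name in tainted_vars for name in VAR_REF.findall(text))


def audit_script(path):
    """Return Findings for non-comment lines that act on a user-writable location.
    Simple taint tracking: a variable assigned from a tainted value is itself tainted."""
    tainted_vars = set(TAINTED_ENV)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            assign = ASSIGN.match(line)
            if assign:
                name, value = assign.groups()
                if _tainted(value, tainted_vars):
                    tainted_vars.add(name)
                continue  # an assignment by itself does not run anything
            if _tainted(line, tainted_vars):
                findings.append(Finding(os.path.basename(path), line_no, line))
    return findings


def audit_scripts_dir(scripts_dir):
    """Audit every file in an expanded package's Scripts directory (preinstall,
    postinstall and any helpers they call)."""
    findings = []
    for name in sorted(os.listdir(scripts_dir)):
        path = os.path.join(scripts_dir, name)
        if os.path.isfile(path):
            findings.extend(audit_script(path))
    return findings


# Constructed sample: a preinstall script that unpacks its payload under the user's
# home directory and then runs a helper from there as root.
SAMPLE_PREINSTALL = """#!/bin/bash
# $1 is the package path, $2 the install target, as passed by the macOS Installer
STAGE="$HOME/Library/Caches/example-installer"
/usr/bin/7z x "$1/Payload.7z" -o"$STAGE"
"$STAGE/helper" --install
cp -R "$STAGE/Example.app" /Applications/
"""


def demo():
    """Write the sample into a temporary Scripts directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts_dir = os.path.join(tmp, "Scripts")
        os.mkdir(scripts_dir)
        with open(os.path.join(scripts_dir, "preinstall"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PREINSTALL)
        return audit_scripts_dir(scripts_dir)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.script}:{f.line_no}: {f.text}")
```

The heuristic is deliberately noisy: a hit means "a root-run line touches something a user could have replaced", which is the condition to review by hand, not a confirmed bug. The three lines it flags in the sample are exactly the pattern of the issue described above, a privileged installer executing and copying files out of a staging area it does not own.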
The second vulnerability stems from how Zoom's macOS client handles access to the system's mic and camera: malicious code can be injected into the running Zoom process, where it inherits the access the user has already granted to Zoom. Through that code, an attacker could record Zoom meetings or use the mic and camera without any access prompt.
As Wardle notes, if exploited, this would let malware access the mic or the webcam without tripping any macOS alerts or warnings.
"Normally this code would trigger an alert from macOS, asking the user to confirm access to the (mic) and camera," the researcher writes. "However, as we're injected into Zoom (which was already given access by the user), no additional prompts were displayed, and the injected code was able to arbitrarily record audio and video."
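On macOS, whether a signed app will load code that is not signed by its own developer is governed by its hardened-runtime entitlements, so an audit for apps that are both injectable and already holding camera or microphone grants starts with those entitlements. The following is an added example, not code from Wardle's post or from Zoom: it parses the plist that `codesign -d --entitlements :- /Applications/Some.app` prints, lists the Apple entitlement keys that weaken code loading, and combines that with the set of TCC services the user has already approved (passed in as input, since the TCC database needs Full Disk Access to read). The sample plist is constructed for the example, and the HIGH/MEDIUM/OK scoring is the example's own choice.

```python
"""Flag apps whose code-signing entitlements let injected code inherit their mic/camera access.

Added example; not code from Wardle's post or from Zoom. On macOS, an app's entitlements
are dumped with `codesign -d --entitlements :- /Applications/Some.app` (the leading colon
strips the binary header so plain plist XML reaches stdout). A constructed plist stands in
for that output so the check runs anywhere; the entitlement keys are Apple's documented
hardened-runtime keys, the HIGH/MEDIUM/OK scoring is this example's own, and the TCC
services the user has already approved are passed in as a set.
"""
import plistlib
import subprocess

# Hardened-runtime entitlements that let a process load or run code not signed by its
# own developer, i.e. the conditions under which a local attacker can inject into it.
INJECTION_KEYS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.allow-unsigned-executable-memory",
)
SENSITIVE_SERVICES = {"camera", "microphone"}


def dump_entitlements(app_path):
    """macOS only: run codesign and parse what it prints (raises if codesign fails)."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        check=True, capture_output=True,
    ).stdout
    return parse_entitlements(out)


def parse_entitlements(plist_bytes):
    """Parse entitlement plist XML; an app with no entitlements yields an empty dict."""
    if not plist_bytes.strip():
        return {}
    return plistlib.loads(plist_bytes)


def injection_weaknesses(entitlements):
    """Entitlements present and set to true that weaken code-loading restrictions."""
    return [key for key in INJECTION_KEYS if entitlements.get(key) is True]


def assess(entitlements, tcc_granted):
    """Combine injectability with already-approved TCC grants.

    Returns (verdict, reason). HIGH means injected code would get the camera/mic with no
    prompt, because the prompt was already answered for this app."""
    weak = injection_weaknesses(entitlements)
    granted = sorted(set(tcc_granted) & SENSITIVE_SERVICES)
    if weak and granted:
        return "HIGH", f"injectable via {', '.join(weak)}; user already granted {', '.join(granted)}"
    if weak:
        return "MEDIUM", f"injectable via {', '.join(weak)}; no camera/mic grant yet"
    return "OK", "library validation intact"


# Constructed sample entitlements for a conferencing app: allow-jit is harmless on its
# own, but disabled library validation means unsigned dylibs can be loaded into the process.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""


if __name__ == "__main__":
    ents = parse_entitlements(SAMPLE_ENTITLEMENTS)
    print(assess(ents, {"camera", "microphone"}))
```

The point of scoring on the combination is the one Wardle makes in the quote above: injectability alone is a code-signing weakness, but injectability in a process the user has already approved for the camera and microphone is a silent recording path, because TCC prompts per app, not per piece of code inside the app.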
The vulnerabilities exist in the most recent version of Zoom, 4.6.8, released on March 23.
Zoom did not immediately respond to a request for comment Wednesday, but a spokesperson later said the company was working to fix the vulnerabilities:
“We are actively investigating and working to address these issues. We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue.”
The vulnerabilities come only a day after the FBI warned Zoom users to exercise due diligence when using the app. To combat "Zoom-bombing", in which uninvited strangers join conferences to eavesdrop on or disrupt them, the FBI urged users to restrict the app's screen-sharing options, not to make meetings or classrooms public, not to share meeting links on social media, and to make sure they are running the most up-to-date version of the app.
This is all in addition to a class action lawsuit that Zoom Video Communications, the company behind the app, is facing over allegedly collecting user information through the iOS version of its app and improperly sharing it with third parties, including Facebook. The suit, filed in California last week, claims the company failed to "properly safeguard the personal information of the increasing millions of users."
Zoom has since removed the code, which was spotted sending users' time zone, city, and device details to Facebook.
Other issues found in the app include a "Company Directory" setting that can reportedly leak users' email addresses and photos to strangers; a flaw in the Windows client that could let attackers steal users' Windows credentials, which stems from the client turning UNC paths in chat messages into clickable links; and charges that the app misleads users by claiming to be end-to-end encrypted.
While Zoom's website and a company whitepaper claim end-to-end encryption, an investigation by The Intercept found that Zoom meetings are protected only by transport encryption (TLS), which secures the connection between a participant and Zoom's servers but does not hide the audio and video of calls from Zoom itself; only the in-meeting text chat appears to be end-to-end encrypted. The company countered those findings by stressing that it views the connection from Zoom endpoint to Zoom endpoint as encrypted: "When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point… The content is not decrypted as it transfers across the Zoom cloud."