Zoom, the videoconferencing tool, has seen a surge in users due to the COVID-19 pandemic: the app has gained more than 2 million new users since February. It has proved an efficient solution for keeping teams and individuals in touch during these uncertain times. However, recent discoveries of several Zoom vulnerabilities may tarnish that reputation. While its popularity has grown significantly in the past months, the latest vulnerabilities have put users’ security and privacy at risk.
The first vulnerability is in Zoom’s Windows client and lets an attacker steal users’ Windows login credentials. Through a UNC path injection flaw, an attacker can capture a victim’s credentials remotely, and the same mechanism can be used to launch programs on the victim’s machine.
Threat actors exploit this through Zoom’s chat, which converts any URL into a clickable hyperlink. That is convenient for the user, but the client also turns Windows networking Universal Naming Convention (UNC) paths, of the form \\server\share\file, into clickable links.
In other words, when a user clicks such a link, Windows automatically tries to connect to that remote host over the SMB file-sharing protocol and authenticates to it. In doing so it sends the user’s login name and an NTLM challenge-response (a Net-NTLMv2 hash) to the attacker’s server.
That response can be cracked offline with free password-cracking tools such as hashcat; a weak password falls in seconds. Even without cracking, the captured authentication can be relayed to another service on the network that accepts NTLM. On a shared network, this single vulnerability therefore puts the security of all connected devices at risk, not just the victim’s.
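The following is an added example, not code from Zoom or from the original article: a small PowerShell check that finds UNC paths in exported chat text, the strings a linkifying client would have turned into clickable SMB links. The chat lines, host names and addresses are constructed for illustration only.

```powershell
# Added example (not Zoom's code): scan exported chat text for UNC paths
# that a linkifying client would turn into clickable SMB links.
# The chat lines below are constructed; the IP addresses are documentation
# ranges / loopback, not real attacker infrastructure.
$ChatLines = @(
    '10:01:12 From Alice: agenda is at https://intranet.example/agenda',
    '10:02:40 From Mallory: slides here \\203.0.113.5\share\deck.pptx',
    '10:03:05 From Mallory: or run \\127.0.0.1\C$\Windows\System32\calc.exe',
    '10:03:30 From Bob: thanks, see everyone at 3pm'
)

function Find-UncPath {
    param([string[]]$Lines)
    # Matches \\host\share[\more]; the named group isolates the host that
    # Windows would contact over SMB (TCP 445) when the link is clicked.
    $pattern = '\\\\(?<host>[^\\\s]+)\\(?<rest>[^\s]+)'
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $smbHost = $m.Groups['host'].Value
            [pscustomobject]@{
                Line     = $line
                UncPath  = $m.Value
                SmbHost  = $smbHost
                # A loopback UNC does not leak credentials to a remote host,
                # but it is the form used to launch a local executable.
                Loopback = [bool]($smbHost -match '^(127\.|localhost$)')
            }
        }
    }
}

Find-UncPath -Lines $ChatLines | Format-Table -AutoSize
```

A client that only ever linkifies http:// and https:// URLs never produces such links in the first place; the check above is useful when reviewing chat exports or message logs for evidence of this technique.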
Luckily, Windows users can mitigate this themselves by denying outbound NTLM authentication in the Local Group Policy Editor (gpedit.msc):
- Go to Computer Configuration
- Click Windows Settings and then Security Settings
- Now go to Local Policies, then Security Options
- Open Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and set it to Deny all
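The same policy applied from an elevated PowerShell prompt, as an added example that is not part of the original article or of any Zoom or Microsoft documentation. The Group Policy setting above is stored as the RestrictSendingNTLMTraffic value under the MSV1_0 key; the example assumes you are running as an administrator on a single workstation rather than pushing the setting through a domain GPO.

```powershell
# Added example: apply "Network security: Restrict NTLM: Outgoing NTLM
# traffic to remote servers" from PowerShell (run elevated).
# The policy is stored as RestrictSendingNTLMTraffic under MSV1_0:
#   0 = Allow all, 1 = Audit all, 2 = Deny all
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    switch ($v) {
        2       { 'Deny all' }
        1       { 'Audit all' }
        default { 'Allow all (not configured)' }
    }
}

function Set-OutgoingNtlmPolicy {
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $value -Force | Out-Null
}

# Step 1: audit first. Legacy file servers, printers and some VPN setups
# still depend on outbound NTLM; the audit log shows what Deny would break.
Set-OutgoingNtlmPolicy -Mode Audit

# Event 8001 in the NTLM operational log records outgoing NTLM
# authentication that would have been blocked under Deny.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Step 2: once the audit log stays quiet, deny outbound NTLM entirely.
Set-OutgoingNtlmPolicy -Mode Deny
Get-OutgoingNtlmPolicy   # expected: Deny all

# Defence in depth: clicking a UNC link still opens a TCP 445 connection
# even when NTLM is denied. Block outbound SMB to the Internet so the
# connection never leaves the machine; LAN file shares keep working.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
    -Action Block -Profile Any | Out-Null
```

On a domain-joined machine, check the audit log for a few days before switching to Deny; a domain GPO applied with Audit first, then Deny, is the safer rollout than editing the registry host by host.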
Similar Vulnerability on Mac
Similar Zoom vulnerabilities have come to light on the Mac as well. Zoom’s macOS installer does most of its work in a pre-installation script that runs with root privileges before the user has finished clicking through the installer, so the user is never properly asked for permission. A local attacker with only ordinary user access can tamper with what that script executes and thereby obtain root.
A related flaw lets an attacker inject malicious code into the running Zoom application, which then inherits the webcam and microphone permissions the user has already granted to Zoom. At the time of writing, Zoom had yet to roll out a patch or an upgrade that addresses either of these vulnerabilities.
Zoom’s Other Security and Privacy Issues
These Mac and Windows vulnerabilities are not the first time that the service’s ability to protect its users’ privacy has come under fire. Zoom is undoubtedly sleek and designed to deliver a user-friendly experience. However, it has since become evident that the meeting host can access private chat messages exchanged between attendees.
Zoom has also been vague about the end-to-end encryption it promises to all its users. Zoom’s own definition of “end-to-end” left it with both the right and the capability to access users’ audio and video meetings.
What Zoom actually provides is transport encryption, better known as TLS, which secures the connection between the app on your device and Zoom’s servers. The servers themselves can see the meeting content, so Zoom could access these meetings if it wanted to. In the absence of any technical guarantee to the contrary, Zoom simply expects its users to take its word for it.
One party that hasn’t taken Zoom’s word for it is the New York Attorney General. As if that weren’t bad enough on its own, there have also been allegations that Zoom shares its user data with Facebook.
Not Safe From “Zoom-bombing”
As if Zoom’s plate weren’t already full of technical faults, the app has lately become a target of mass “Zoom-bombing” campaigns. It is a relatively new phenomenon, which makes it hard to counter. It goes like this: the link for a Zoom meeting gets shared somewhere on the internet where it was never supposed to be, and hundreds of online trolls use it to raid the meeting.
While that might seem like harmless fun at first, these raids have been used to spam groups with pornographic and other illegal content. A simple Twitter search for #Zoomus reveals hundreds of corporations openly sharing their Zoom meeting codes.
Currently, Zoom does not have a rigorous signup process, which makes it easy for trolls to create dozens of pseudo-profiles specifically for Zoom-bombing. Legitimate participants in a raided meeting have little choice other than to leave or end the session altogether.
So far, Zoom has not come up with a counter-strategy against this phenomenon; it has only offered users “tips” on how to avoid Zoom-bombing.
Unblocking Zoom Restrictions
None of that will matter if you find yourself in a country that blocks the service altogether. Cuba, Congo, Iran, Iraq, Lebanon, Libya, Sudan, Syria, Ukraine, the UAE, Venezuela, Yemen, Zimbabwe, and Taiwan maintain a complete ban on Zoom.
However, there is an easy way around those restrictions: a VPN. PureVPN has built a reputation for helping users get past tough internet restrictions in several countries while also hiding your real location. If you’re trying to unblock Zoom in any of these countries, there is no better option than PureVPN.
Zoom’s Exclusive Club
The fact that Zoom’s usage skyrocketed during the current mandatory WFH routines around the world raised a lot of questions about its encryption claims. Zoom wanted to remove any ambiguity, so it hired a team of cryptographers and security engineers to implement genuine end-to-end encryption. It has succeeded in that endeavour, but with a catch: free users of Zoom will not get end-to-end encryption, only the existing transport encryption between their device and Zoom’s servers.
Zoom’s CEO Eric Yuan said this was intended to ensure that the service is not being used for nefarious activities. The FBI and the Department of Justice have argued against end-to-end encryption for years, and Zoom’s decision to withhold it from free users appears to be a compromise.
However, the decision has been met with an outcry. It makes the service highly contentious for the people who need it most, such as journalists, activists, and non-profits, who often have limited resources and may find a paid subscription hard to justify.
It should be noted that Apple’s FaceTime, Facebook’s WhatsApp, and Google’s Duo use end-to-end encryption for all their users. However, none of them offer it at the scale Zoom does: a thousand users can join a Zoom link and still be protected.
Moreover, it is the far-reaching consequences of this decision that have so many users worried. If Zoom can charge for end-to-end encryption, who’s to say other services won’t follow suit? It sets a dangerous precedent.
There can be no denying that Zoom has been incredibly useful to both employees and managers. It has played a crucial role in maintaining communication during this period of uncertainty. However, that is no excuse for the plethora of security vulnerabilities in the app. Users would be well advised to consider alternatives that deliver the same VoIP experience without the same security risks.
Signal & Jitsi: Both are renowned for their security and for the privacy they give their users. There have been no significant reports of vulnerabilities that would endanger users’ privacy.
Skype & Microsoft Teams: Both support up to 50 participants while retaining the same features that Zoom offers. Furthermore, the registration process for these apps is stricter, which means fewer chances of encountering online trolls.
Google Meet: The best alternative thanks to its ability to support up to 250 participants. It comes equipped with all the essential features users might need. Most importantly, it does not require users to download a client and can be used in the browser.