Security Week 15: Zoom Real and Imaginary Vulnerabilities

On Thursday, April 2, The Guardian shared impressive numbers on Zoom's web conferencing platform: traffic increased by 535%. Zoom, more than any of its competitors, was able to take advantage of the situation, gaining growth if not in money then certainly in popularity and number of users. The reason for this success was effective marketing (for example, the availability of a free tier) rather than any technical advantage. Everything would be fine if it were not for the telling title of that same Guardian article: "Zoom is malware."

Let's be clear: Zoom is not malware. This is not the first time a company has attracted the attention of information security specialists on the back of hype, but last week the discussion of Zoom's flaws was the main entertainment of the whole party. In short: Zoom calls are encrypted, but not strongly enough, and the encryption certainly cannot be called end-to-end. A couple of serious and a handful of minor vulnerabilities were discovered in the software. A couple of the service's features raise privacy questions: data passing through a server in China and integration with LinkedIn. Nothing terrible, but once again it becomes clear that the security of a digital service is still not the key to its success.


Let's start the review with an April 1 (but not comic) article from Vice: it describes a bug that leaks contacts, which, as often happens, is in fact a feature. Initially, Zoom and every other teleconferencing tool were aimed strictly at corporations: no one expected karaoke parties to move online. Zoom has an entity called Company Directory: as soon as you register with a work email, all contacts on the same domain automatically become visible to you. If you register with a personal email, you get access to a huge number of ordinary users, and your full name and email address are visible to them. For popular mail services such as Gmail or Yahoo this does not apply, but if your personal mail is hosted, say, on the domain of a local Internet provider, you will see several hundred "colleagues" in your contact list.

Moving on. In the last issue, we reported that Zoom was sending user telemetry to Facebook but, under public pressure, stopped doing so. On March 31, Zoom was sued in the United States for violating the recently adopted California Data Privacy Act: the service allegedly did not notify users about how it processes information and where it sends it.

On April 2, the New York Times reported that it was not limited to Facebook. Zoom also had an integration with LinkedIn that allowed conference organizers (those with the paid LinkedIn Sales Navigator package) to automatically look up participants' LinkedIn profiles by email address. It sounds intimidating, but it is in fact a traditional marketing tool, appropriate when a sales manager uses Zoom to talk to the company's customers. In mass webinars, though, this really does look like a violation of privacy standards: almost none of the millions of new Zoom users knew about such a feature. Then again, we rarely realize the scale of profiling in any digital service, even when it is described in detail in the EULA. The feature was promptly removed from the service.


It gets worse. On March 30, the well-known security researcher Patrick Wardle published an article with the telling title "In the word Zoom, the letter B stands for security." He discovered two moderately dangerous vulnerabilities in the Zoom client for macOS. The non-standard installation method allows a local user with limited privileges to obtain root. According to the researcher, Zoom uses the AuthorizationExecuteWithPrivileges API, which is no longer recommended, to minimize user interaction during installation. As a result, the executable (the installer) launched with superuser rights is not verified and can easily be replaced with any other code. The second vulnerability was also caused by the Zoom client sidestepping standard practices for writing safe software on macOS, and the result was the potential to capture video and audio from the webcam and microphone. Again, provided the victim's computer is already compromised: "if your computer has been hacked, anything can be done on it." Both vulnerabilities were patched on April 2.


Each such publication also recalls Zoom's past sins: the web server that the macOS client installed and did not remove on uninstallation (Apple had to issue a patch to force its removal, since it was, naturally, vulnerable), and the camera being enabled by default when joining a web conference, together with a later discovered mechanism for luring a user into a call. These problems were resolved long ago, but they have become grounds for statements like "Zoom has always been bad at privacy."


The BleepingComputer website reports a vulnerability in the Zoom client for Windows. Users can exchange links in the service's chat, and the Zoom client, as expected, makes links clickable, including links to network folders or even local files, the so-called UNC paths. Theoretically, you can imagine a situation where a link to a public file server is posted in the chat. With default settings, when a user clicks on it, Windows sends that server the username and a hash of the password.
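The mitigation on the client side is simple: only turn explicitly allowed URL schemes into clickable links and leave UNC paths and file: links as plain text. The following is an added example (not Zoom's code) of such a linkify filter run over constructed chat lines; the token-based chat renderer, the allow-list and the sample lines are all assumptions for the demonstration.

```go
package main

import (
	"regexp"
	"strings"
)

// uncPath matches a UNC path such as \\fileserver\share\doc.txt, including the
// forward-slash variant //server/share.
var uncPath = regexp.MustCompile(`^(\\\\|//)[^\\/\s]+[\\/]`)

// allowedSchemes are the only URL schemes the chat UI turns into clickable
// links; file:, smb: and bare UNC paths are deliberately absent.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// Linkifiable reports whether a chat token may be rendered as a clickable link.
func Linkifiable(token string) bool {
	if uncPath.MatchString(token) {
		return false
	}
	parts := strings.SplitN(token, "://", 2)
	if len(parts) != 2 || parts[1] == "" {
		return false
	}
	return allowedSchemes[strings.ToLower(parts[0])]
}

// ClassifyChat splits a chat line into whitespace-separated tokens and returns
// the ones that would be linkified and the link-like ones that were blocked.
func ClassifyChat(line string) (linked, blocked []string) {
	for _, tok := range strings.Fields(line) {
		switch {
		case Linkifiable(tok):
			linked = append(linked, tok)
		case uncPath.MatchString(tok) || strings.Contains(tok, "://"):
			blocked = append(blocked, tok)
		}
	}
	return linked, blocked
}

// Constructed sample chat lines: only the https link should become clickable.
var SampleChat = []string{
	`slides are at https://example.com/deck.pdf`,
	`grab the file from \\fileserver\share\notes.docx`,
	`or try file://C:/Users/Public/notes.txt and //fs01/public/`,
}
```

Logging the blocked tokens gives support staff a record of who is pasting file-server paths into public meetings.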


You can go further and imagine a situation in which such a link causes code to execute on the user's computer. In practice, the attack is feasible only under the current, non-standard conditions for Zoom itself: public conference calls with poorly configured security and an unknown audience.


Let's move on to the heavy artillery. CitizenLab has published a detailed Zoom security report. It describes the controversial "features" of the service: development in China, although the company is American; sending data to Chinese servers even when no participants are located there (Zoom later acknowledged this as a technical error). But the main topic of the study is call encryption, which Zoom has long called end-to-end. Firstly, it is not truly end-to-end, since the keys are generated on Zoom's servers. Secondly, instead of the AES-256 algorithm originally specified in the documentation, AES-128 in ECB mode is used.


This simplest of modes (its name, electronic codebook, comes from the ancient codebook ciphers) preserves the patterns of the original unencrypted data, because identical plaintext blocks always produce identical ciphertext blocks. This is best illustrated by the tweet above or by the picture from Wikipedia below: although the data is encrypted, you can get an idea of the contents of the video stream without decrypting it.
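To make the ECB point concrete, here is an added example (not from the CitizenLab report and not Zoom's code) that encrypts a constructed "frame" of repeated blocks with AES-128 in ECB mode and, for contrast, in CTR mode under the same key, then counts duplicated ciphertext blocks in each. The key, nonce and frame bytes are made up for the demonstration; the repeat count is the kind of cheap check an analyst can run on captured media without any key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// ecbEncrypt runs the cipher on each block independently, so identical
// plaintext blocks give identical ciphertext blocks (length: block multiple).
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// countRepeatedBlocks counts blocks that duplicate an earlier block (ECB tell-tale).
func countRepeatedBlocks(data []byte, bs int) (repeats int) {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(data); i += bs {
		k := string(data[i : i+bs])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

// CompareModes returns the number of repeated ciphertext blocks under ECB and CTR.
func CompareModes(key, iv, frame []byte) (ecbRepeats, ctrRepeats int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	ecb := ecbEncrypt(block, frame)
	ctr := make([]byte, len(frame))
	cipher.NewCTR(block, iv).XORKeyStream(ctr, frame) // distinct keystream per block
	return countRepeatedBlocks(ecb, 16), countRepeatedBlocks(ctr, 16), nil
}

// Constructed demo inputs: made-up key, zero nonce, "frame" of 8 identical blocks.
var (
	DemoKey   = bytes.Repeat([]byte{0x42}, 16)
	DemoNonce = make([]byte, 16)
	DemoFrame = bytes.Repeat([]byte("WHITE-WHITE-WHIT"), 8) // flat background
)
```

With these inputs ECB yields seven repeated ciphertext blocks, exactly mirroring the plaintext, while CTR yields none.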


In general, it's clear why security experts do not like Zoom: there is questionable behavior on the user's computer in the past (the undeletable web server on Apple computers), the lack of intelligible information about the use of personal data, and imperfect protection with a misleading description. The main complaint: user privacy is not the top priority of Zoom's developers, but sits somewhere at the end of the first hundred items on the to-do list. Nothing truly terrible (such as data transfer without encryption) was found.


In discussing all these "studies," arguments are also raised against the somewhat hysterical "now we'll show them" approach. There are standard ways for independent researchers to interact with a vendor, and there is an established ethics of vulnerability disclosure. Why, in the middle of a viral (not computer) epidemic, should things be done differently? Perhaps, on the contrary, it is worth extending the waiting time for the vendor's reaction? Because, frankly, any digital service provider is now primarily concerned with keeping its servers up under the influx of users. Finally, not one of the past week's discoveries changes our attitude to Zoom and similar services. They are great for a karaoke party, and fine for corporate conversations too, although it is worth training employees in basic safety rules: for example, download the client from the official site and not from just anywhere. For sensitive negotiations on secret matters, you need to look for a service (or run your own) with a mandatory security audit, and not click on the first link in the Google search results.


The vendor's reaction, by the way, turned out to be more than adequate: on April 1, the company announced that it would suspend development of new functionality for three months and focus on bug fixes and security.

What else happened


Threatpost summed up the results of a survey on its site about privacy during the pandemic. 25% of respondents are ready to prioritize health over privacy (for example, by sharing medical data). And this is among an audience that is traditionally sensitive to any encroachment on personal data.

Vulnerabilities in the Firefox and Chrome browsers have been patched. Firefox fixed serious flaws allowing arbitrary code execution that were being actively exploited in real attacks.

Major Internet companies (Akamai, AWS, Cloudflare, Facebook) have joined forces to improve the security of network traffic and correct the flaws of the BGP routing protocol, which have repeatedly led to "traffic hijacking": data packets being redirected through an arbitrary network gateway, accidentally or even intentionally.

A new bug has been discovered in the Rank Math SEO plugin for WordPress. It allows any user registered on the site to be remotely made an administrator, or a real administrator to be stripped of their rights.

The US aviation regulator (FAA) has issued a directive requiring airlines to power-cycle the Boeing 787's control systems at least once every 51 days. The reason is most likely the same as in other similar cases, in aviation and elsewhere: a time counter overflow.
