tech2 News Staff, Apr 02, 2020 15:59:52 IST
With lockdowns around the world forcing people to stay in, the video conferencing app Zoom's popularity has exploded like never before. This week, Zoom became the top free app on the App Store and Google Play Store. But while Zoom was becoming a popular choice for people trying to connect with friends and office colleagues, the app was found to be sending iOS users' data to Facebook without their knowledge. Zoom patched the issue soon after the discovery and denied any such activity.
Now, just a week after that, several security researchers claim to have found a number of other vulnerabilities in the app.
The first flaw was discovered by a security researcher who goes by the handle @_g0dmode on Twitter, and it concerns UNC paths. According to the researcher, Zoom for Windows converts network UNC paths posted in chat messages into clickable links. In effect, this means the Windows version of the app lets attackers capture Windows password hashes (Net-NTLM hashes) from any user who clicks such a link.
#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.
— Mitch (@_g0dmode) March 23, 2020
Turns out that @zoom_us UNC path rendering bug is even worse than initially observed, you can hide the UNC magic and completely disable the prompting for running code... (this will affect other applications in a similar way using RichText edit boxes etc., for all ye naysayers...) https://t.co/YqnjNy5RyO
— Hacker Fantastic (@hackerfantastic) April 2, 2020
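The root cause above is a chat renderer that turns anything path-like into a link. The following is an added example (not Zoom's code, and not from either researcher) of how a chat renderer can linkify only http(s) URLs and keep UNC-style tokens inert, while still logging them so a moderation or detection pipeline sees the attempt. The scheme list, the regular expressions and the output format are assumptions chosen for this example.

```python
import html
import re

# Only these schemes are ever turned into clickable links (assumption for
# this example; the real chat client's rules are not on the page).
SAFE_SCHEMES = ("http://", "https://")

# Anything that starts like a Windows UNC path (\\host... or the forward-slash
# spelling //host... that Windows also accepts) or a file: URL.  Opening one
# of these makes Windows try to authenticate to the named host, which is how
# a Net-NTLM hash leaks, so such tokens must never become links.
UNC_RE = re.compile(r"^(\\\\|//)[^\s\\/]+")
FILE_URL_RE = re.compile(r"^file:", re.IGNORECASE)


def classify_token(token: str) -> str:
    """Return 'unc', 'link' or 'text' for one whitespace-delimited token."""
    if UNC_RE.match(token) or FILE_URL_RE.match(token):
        return "unc"
    if token.lower().startswith(SAFE_SCHEMES):
        return "link"
    return "text"


def render_message(message: str) -> tuple[str, list[str]]:
    """Render a chat message as HTML.

    http(s) URLs become <a> elements; UNC paths and file: URLs are escaped and
    emitted as plain, non-clickable text; everything is HTML-escaped.  Returns
    the HTML plus the list of suppressed UNC-style tokens so they can be logged.
    """
    parts: list[str] = []
    suppressed: list[str] = []
    for token in message.split(" "):
        kind = classify_token(token)
        escaped = html.escape(token, quote=True)
        if kind == "link":
            parts.append(
                f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>'
            )
        elif kind == "unc":
            suppressed.append(token)
            parts.append(f'<span class="plain">{escaped}</span>')
        else:
            parts.append(escaped)
    return " ".join(parts), suppressed


if __name__ == "__main__":
    # Constructed sample message in the shape of the tweet above.
    out, seen = render_message(r"see \\x.x.x.x\xyz and https://example.com")
    print(out)
    print("suppressed:", seen)
```

The classification must be applied to the actual link target, not only to the visible text: the second tweet above points out that rich-text controls let the display string and the underlying target differ, so a renderer that inspects only what the user sees will still emit a UNC link.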
Besides that, the Zoom app on Mac has two distinct loopholes which, once exploited, can allow an attacker to gain access to the computer and install malware or spyware without the user knowing about the backdoor entry. Apparently, this loophole lies in the app's installer, which can easily be injected with malicious code. The flaw was spotted by researcher Patrick Wardle and was first reported by TechCrunch.
TechCrunch/@zackwhittaker: "🍎 has pushed a silent update to all Macs removing a ...web server installed by Zoom"
How? MRTConfigData_10_14-1.45 (MRT is 🍎's built-in "Malware Removal Tool") added "MACOS.354c063", a new encoded signature & removal routine 😯😅
— patrick wardle (@patrickwardle) July 11, 2019
Another security researcher reiterated the same issue.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
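The tweet above describes an installer that does its real work in a preinstall script. As an added example (not Zoom's installer and not the researcher's tooling), the scanner below walks a package that has already been expanded with `pkgutil --expand` and reports every pre/post-install script together with the heuristics it trips: unpacking a bundled archive, writing into /Applications, and checking admin group membership. The heuristics, the script names checked, and the constructed sample package are assumptions made for this example.

```python
import os
import re
import tempfile

# Patterns worth a second look in an installer script.  These are heuristics
# chosen for this example; they mirror the behaviour described in the tweet.
SUSPICIOUS = {
    "archive_unpack": re.compile(r"\b(7z|7za|7zr|unzip|tar|ditto)\b"),
    "writes_applications": re.compile(r"/Applications\b"),
    "admin_group_check": re.compile(r"\badmin\b"),
}

# Script names Installer.app runs automatically from a package's Scripts dir.
INSTALL_SCRIPTS = ("preinstall", "postinstall", "preflight", "postflight")


def scan_expanded_pkg(root: str) -> list[dict]:
    """Walk a tree produced by `pkgutil --expand foo.pkg root` and return one
    finding per install script, listing which heuristics its body matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in INSTALL_SCRIPTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            hits = [label for label, rx in SUSPICIOUS.items() if rx.search(body)]
            findings.append({"script": os.path.relpath(path, root), "hits": hits})
    return findings


def demo() -> list[dict]:
    """Build a constructed expanded-package tree (not a real Zoom package) whose
    preinstall script follows the pattern in the tweet, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "Scripts")
        os.makedirs(scripts)
        with open(os.path.join(scripts, "preinstall"), "w") as fh:
            fh.write(
                "#!/bin/sh\n"
                "# constructed sample script for this example\n"
                'if id -Gn "$USER" | grep -qw admin; then\n'
                '  ./7zr x payload.7z -o"/Applications"\n'
                "fi\n"
            )
        return scan_expanded_pkg(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["script"], "->", ", ".join(finding["hits"]) or "clean")
```

A package whose preinstall script trips all three heuristics is doing the installation itself rather than leaving it to Installer.app, which is exactly the case where the usual "Install" confirmation never appears; that is the signal a reviewer of third-party packages would want surfaced before deployment.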
Wardle found another bug in the Mac client that could allow an attacker to inject malicious code and gain access to the system's webcam and microphone.
Take a deep breath, because that's not all!
Another report, by Vice, claims that Zoom has an issue that groups individuals into a particular 'Company Directory', a feature otherwise meant for users within the same company who share an email domain. Because of the issue, personal information of users, such as email addresses and photos, is reportedly exposed to unknown users without their consent.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon (@JJVLebon) March 23, 2020
Zoom responded to the report by saying that it had blacklisted the domains that were spamming users:
Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added. With regards to the specific domains that you highlighted in your note, those are now blacklisted.
Zoom also says that it allows users to request other domains to be removed from the Company Directory feature.