Zoom Risk Vulnerabilities and Security Best Practices

Given the dramatic shift in remote-work situations, Zoom has become a popular platform to help businesses communicate and operate through the changes. As always, attackers have taken interest in this shift and have used the platform to their advantage.

But Zoom doesn’t assume any more risk than other platforms that exist. It is never our intention to use fear, uncertainty, or doubt when it comes to conveying information security concepts, and while Zoom does have known vulnerabilities, it’s important to know that we consider these low- to medium-impact vulnerabilities. That being said, it is still important you understand that they exist, what Zoom is doing about fixing them, and how you can safely use Zoom to conduct business.

Here are some of the known Zoom risks and vulnerabilities, what they’ve done to fix them, and some of the best practices for using the platform.

Zoom Video Conferencing

Zoombombing

The Vulnerability

Think of Zoombombing like a picnic with friends in a park gazebo. The picnic is the meeting you’re trying to conduct over Zoom.

Now imagine some random person walking through that park gazebo and yelling profanities while you try to enjoy the company you’re with. That’s effectively what Zoombombing is: someone dropping into your Zoom meeting uninvited.

Yes, this is certainly a nuisance, but it’s not really all that dangerous. Zoom uses a formula to create meeting links, and if an attacker happens to land on the right link and joins at the right time, they can barge right in. Fortunately, if this does happen, it only affects that one meeting and is not a sign that the account itself has been compromised.

Zoom’s Response

Zoom frankly handled this well. It was an easy thing for users to get up in arms about, and Zoom was quick to roll out some features that minimized this particular risk. These are a few of the most impactful ones:

  • New host controls were put in place that remove renaming options for attendees, allow hosts to easily report users, and limit who can screen share.
  • The waiting room is now on by default, meaning you only have to let in the people that are allowed to be there.
  • Meeting passwords are on by default. Now an attacker would have to be able to get the link and password correct to “Zoombomb.”

Best Practices

The meeting password is the most important part here. Long, complex passwords have always been one of the best ways to avoid compromise, and Zoom meetings are no different. Ask your Zoom owner to force meeting passwords as the default company-wide, and be sure you don’t turn them off if they’re required.

It’s no more difficult for the user. The password is embedded in the link, so end users still just click the invite link in order to join. Those joining by phone need to key in the password on their phone before being allowed in.

As always, report any suspicious activity to your internal security team and Zoom.

Windows Password Stealing & Windows Malware Injection

The Vulnerability

Zoom’s chat feature automatically turned typed URLs into clickable hyperlinks, but it wasn’t only links to the internet that got this treatment. Attackers could use the same functionality to steal Windows passwords and inject malware. A UNC path is a link directly to a file on a host, written the way Windows names network files. In the same way that we can link directly to a site like google.com, we can link to a file with a path like \\users\sampleuser\Documents\Outlook Files, and Zoom’s chat feature created hyperlinks for these paths as well.

These paths are commonly used inside a network to refer to files on intranet hosts, but they are not restricted to internal hosts. It is possible to use them to link to a file on a computer reachable over the internet.

With Zoom turning UNC paths in chat into links, an attacker could post a UNC link and capture the victim’s hashed credentials when it was clicked. If the victim’s password was weak, those hashed credentials could be cracked and the account compromised. It was also possible for a victim to run malicious software directly by clicking one of these links. That is no different from someone clicking a malicious link and then downloading and running the attacker’s software, except that clicking the UNC link can download and run the file in a single action.

Zoom’s Response

This vulnerability was somewhat over-sensationalized. Sharing a UNC path is not a vulnerability in itself, because it is just a link to a file. Users still had to click a malicious link and enter their credentials for this to be exploited.

Plus, Zoom fixed this on their end quite quickly. UNC paths are no longer hyperlinked automatically in their chats.
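To illustrate the auto-linking defect described above and the fix Zoom shipped, here is an added PowerShell example (not Zoom’s code) with a naive chat linkifier that turns UNC paths into links beside a hardened one that only links http(s) URLs. The function names and sample messages are my own.

```powershell
# Added example, not from the article or from Zoom. Function names are hypothetical.

# Naive version: anything that looks like a URL *or* a UNC path (\\host\share\file)
# becomes a clickable anchor. This is the behaviour the text describes.
function ConvertTo-NaiveChatHtml {
    param([Parameter(Mandatory)][string]$Text)
    # Escape first so user text can never inject markup of its own.
    $escaped = [System.Net.WebUtility]::HtmlEncode($Text)
    # Two literal backslashes followed by non-space characters is treated as a link.
    return [regex]::Replace($escaped, '(https?://\S+|\\\\\S+)', '<a href="$1">$1</a>')
}

# Hardened version: only http(s) URLs become links; UNC paths stay as plain text,
# so a click can never trigger an SMB connection to a remote host.
function ConvertTo-SafeChatHtml {
    param([Parameter(Mandatory)][string]$Text)
    $escaped = [System.Net.WebUtility]::HtmlEncode($Text)
    return [regex]::Replace($escaped, '(https?://\S+)', '<a href="$1">$1</a>')
}

# Constructed sample chat messages (the UNC host name is made up).
$samples = @(
    'agenda: https://example.com/notes',
    'see \\fileserver\share\report.docx'
)
foreach ($s in $samples) {
    'naive: ' + (ConvertTo-NaiveChatHtml $s)   # UNC path is rendered as <a href="\\...">
    'safe : ' + (ConvertTo-SafeChatHtml $s)    # UNC path is left as inert text
}
```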

Best Practices

Training is a critical component of avoiding compromise in situations like this. Make sure your employees understand not to click on UNC path links, since many other programs still hyperlink them and few have removed that behavior the way Zoom did.

Additionally, password behavior is important here. The more complex a password is, the harder it is for an attacker to crack its hash. Be sure to put strong password requirements in place, and train your employees on why good password hygiene is critical.

There are also technical controls you can implement to avoid compromise in this manner. Server Message Block (SMB) is a network file-sharing protocol, and Common Internet File System (CIFS) is a widely used implementation of it. UNC paths are resolved over SMB/CIFS, which mainly provides shared access to files and printers. There is almost never a legitimate need for SMB/CIFS traffic to leave your network, as it is rarely required for internet usage, so we recommend blocking SMB/CIFS at your firewall to minimize your risk.
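As an added example that is not from the article, the following PowerShell adds host-level Windows Firewall rules that block outbound SMB and NetBIOS traffic to anything outside the local intranet, complementing the perimeter block recommended above. The rule names are my own; the ports (TCP 139/445, UDP 137/138) are the standard SMB and NetBIOS ports.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session on the
# Windows endpoint; rule display names are my own choice.

$rules = @(
    @{ Name = 'Block outbound SMB (TCP 445) to Internet';          Protocol = 'TCP'; Port = '445' },
    @{ Name = 'Block outbound NetBIOS session (TCP 139) to Internet'; Protocol = 'TCP'; Port = '139' },
    @{ Name = 'Block outbound NetBIOS name/datagram (UDP) to Internet'; Protocol = 'UDP'; Port = @('137', '138') }
)

foreach ($r in $rules) {
    # -RemoteAddress Internet is a built-in keyword covering every address that is
    # not part of the machine's intranet (local subnets / domain-assigned ranges),
    # so UNC paths to internal file servers keep working while internet hosts are blocked.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Protocol $r.Protocol -RemotePort $r.Port -RemoteAddress Internet | Out-Null
}

# Verify that the rules exist and are enabled.
Get-NetFirewallRule -DisplayName 'Block outbound*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Deploy the same rules through Group Policy rather than per machine if you manage a domain, and test against your internal file shares first.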

Malware-like Behavior on Macs & A Backdoor for Mac Malware

Mac Malware

The Vulnerability

A backdoor is a stealthy method of bypassing normal authentication or encryption in a product, in this case Zoom. Zoom did experience some malware-like behavior in its Mac client, but it was a limited vulnerability that appeared to be exploitable only on Mac systems that were already compromised.

Zoom’s Response

Zoom has accounted for this vulnerability in an emergency patch.

Best Practices

Developers often push new security measures in their software updates. It’s critical that you don’t ignore software updates and patches for this reason. If you run Mac OS and have not checked for an update of Zoom recently (or turned automatic updates on), do so as soon as you can.

Additionally, this particular vulnerability was predicated on systems that were already compromised. Businesses need to have measures in place to prevent and detect compromise. Most obviously, a properly provisioned firewall is an effective way to do this, as it blocks entry points from unauthorized users. At a minimum, it’s also important to conduct regular scans of your systems and create guidelines for patching.

iOS Profile Sharing

The Vulnerability

Zoom had been using Facebook’s Software Development Kit (SDK) for their “Login with Facebook” feature. It was meant as a more convenient way for users to log in. This is actually pretty common practice on a lot of apps and sites, but Zoom fell short here on disclosing its Facebook SDK usage and what it meant for their users.

Primarily, in doing so, Zoom was allowing Facebook to collect information about its users that wasn’t necessary for Zoom’s own services. Facebook was able to collect information such as mobile OS type and version, device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.

Zoom’s Response

Zoom’s response to this issue was fairly impressive. They quickly removed Facebook’s SDK in their iOS client, and they reconfigured the platform to still allow users to log in through Facebook without it.

They issued a statement about this that you can read here: https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/

Best Practices

Honestly, it would have been pretty hard to avoid this, given that Zoom basically failed to share what their “Login with Facebook” feature entailed.

This does serve as a good reminder to do your best to sift through usage agreements of the accounts you create. It’s important to understand what data the sites and apps you have accounts with are collecting and what they do with it. Legal departments are doing a better job understanding that terms of use don’t need to be a million pages to be more effective, too, so it’s becoming less daunting to do so.

Additionally, recognize that any time you integrate two accounts, the risk of compromise increases. It’s not that much more inconvenient to create a Zoom account and log in with your email and a password, especially if you’re using a password manager.

Phony End-to-End Encryption

Data Encryption and File Transfer

The Vulnerability

This was less a vulnerability than a miscommunication of features by Zoom.

Zoom caused some confusion by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. The connections are encrypted if all attendees are using Zoom clients, but the issue is that Zoom considers its own servers to be a client. Traditionally, end-to-end encryption means that the company running the service has no access to the encrypted content at all.

Zoom’s Response

Zoom really didn’t have anything to “fix” here other than to clear the air. They issued a statement about their misrepresentation.

To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

Statement by Oded Gal on April 1, 2020

You can read their entire explanation here: https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

It does look like this will be rolled out in their May 30 Zoom 5.0 release, though.

Best Practices

Speak up when you’re confused! Reach out to a trusted expert if you have concerns or if you don’t understand what is being said. That doesn’t just go for Zoom, but with any app you give information to.

Email Address and Profile Photo Leaks

The Vulnerability

This is also not exactly a vulnerability, but it is a privacy concern. When joining a Zoom meeting, it appears that anyone can see the usernames, email addresses, and pictures of every other user who shares their email domain. The problem revolves around the “Company Directory” feature in Zoom’s desktop application. People with addresses from Gmail, Proton Mail, Yahoo, and so on are very likely not at the same company, so while this is not a large risk, it has the potential to expose your contact information to strangers.

Zoom’s Response

I have yet to see a response from Zoom specifically around their “Company Directory” feature, but this week they unveiled a new 90-day security plan on top of their big software release. The plan is to identify, address, and enhance the security and privacy capabilities of the Zoom platform. With the press this privacy concern is getting, it’s assumed that this will be something they’ll tackle.

Best Practices

Unfortunately, you can’t really do much to prevent this. At the end of the day, it’s important to vet the software you intend to use before deciding to pursue it. Understand how they use your information. Will they sell it? Can you request that they remove your data, or can you download your data from them to see what they are collecting? A lot of people won’t read the end-user license agreement, but these documents are important in telling you how willing you are to accept the risks associated with using the platform.

Sharing of Personal Data with Advertisers

Sharing Data with Advertisers and Facebook

The Vulnerability

Again, this isn’t as much of a security concern as it is a privacy issue. Nonetheless, it’s important to note. A data-mining feature in Zoom was allowing LinkedIn Premium subscribers to see information about other attendees without their knowledge.

LinkedIn Sales Navigator, a tool to help salespeople prospect, was included in a Zoom feature. When enabled, the user could quickly and covertly view LinkedIn profile data like locations, employer names, and job titles for the other people in the meeting.

Zoom’s Response

Zoom was very responsive to this. They issued a statement about how they take their users’ privacy “extremely seriously.” They’ve since removed LinkedIn Navigator entirely from the tool, proving that sentiment wasn’t just smoke and mirrors.

Best Practices

Similar to the email and photo leaks, as well as the Facebook sign-on feature, it’s important to know what you’re agreeing to before you decide to move forward with an application or an account. What data are they collecting? Which apps are they integrating with? How do those two things affect one another?

There’s an inherent risk to putting information online. The more you can understand how organizations collect that data, what they do with it, and who they share it with, the easier it becomes for you to decide whether Zoom risk is acceptable to your business.

General Ways to Minimize Zoom Risk

Best Practices for Minimizing Zoom Risk

We’ve talked about a lot of ways to minimize your Zoom risk already, but they aren’t best practices just because of a known vulnerability. Using Zoom’s platform effectively means always understanding what risks exist in using the platform and always making sure that you do everything you can within the platform to minimize them—should you be willing to accept those risks.

Here are some things we recommend when using Zoom for your office:

  • Set screen sharing to “Host-Only” to prohibit undesired participant sharing.
  • Disable “Join Before Host” so participants can’t enter the meeting early.
  • Disable private chat to avoid participant-to-participant communication.
  • Disable “File Transfer” so that if an unwanted visitor does join, they can’t share anything malicious.
  • Disable “Allow Removed Participants to Rejoin” so removed attendees can’t slip back in.
  • Enable “Mute Participants on Entry” to minimize distracting background noise and to avoid something unwanted being said accidentally.
  • Enable “Only Authenticated Users Can Join Meetings,” which will force users to sign into Zoom in order to participate.
  • Add a “Co-Host” if you are working with someone who can help moderate.
  • Utilize the “Waiting Room” feature (activated by default) to control attendees.
  • Set meeting passwords and make them as complex as possible.
  • Be aware of what’s in the background of your video. Don’t allow your webcam to catch any sensitive information.
  • Close all unnecessary windows before screen sharing to avoid accidentally showing sensitive emails or information.
  • Only record meetings if absolutely necessary. Be mindful of the information in the recording and who you share it with.
  • Do not make your meeting links publicly available. This increases the chances that someone unwanted can join.
  • Do not post screenshots of your meeting on social media. This may lead to the oversharing of personal information.
  • Always report any suspicious activity to your security team and/or Zoom.

Doing these things will allow you to use Zoom in a manner that is relatively low-risk for you and your organization.

Conclusion

There’s risk in using any platform. While Zoom has had some recent security concerns, they’ve handled them well, and they have features within the platform that do a pretty good job of limiting Zoom risk.

Understanding the Zoom risk, the vulnerabilities that exist within the platform, how they handle privacy, and the best practices for using the platform securely makes this a program whose risk most companies will be willing to accept. After all, businesses are in business to make money first and foremost, and we need to be able to adapt to the times in order to keep the doors open.

As long as we use it right, Zoom (and programs like it) can certainly help us do that.
