Zoom, the group video calling app whose popularity has skyrocketed in recent weeks because of the quarantine, continues to make headlines for privacy reasons. Motherboard has found that in some circumstances users can view the personal data of perfect strangers, and meanwhile the Zoom Bombing phenomenon, in which unauthorized people sneak into other people's video conferences and disrupt them in various ways, keeps spreading.
LEAK OF PERSONAL DATA
The privacy violation stems from the Company Directory feature, which lets a user view general information (first name, surname, photo, email) about all of his colleagues. To do so, Zoom shows the user every contact whose email address has the same domain as his own (the part after the @), excluding those registered with public domains such as gmail.com or live.com. The problem lies precisely in these filters, which do not appear to be complete.
Anyone who signs up with a little-used public email provider, or in any case one not filtered by Zoom, is likely to see every user of the app who uses the same email service. For example, one user provided Motherboard with a screenshot of his list of "colleagues" (actually perfect strangers), which counted nearly 1,000 people. The absence of filters for three very popular domains in the Netherlands has been confirmed: xs4all.nl, dds.nl and quicknet.nl, comparable to our fastweb.it or libero.it. Zoom said that the filters are constantly being updated and expressed thanks for the report, but the problem is that in the meantime a breach has already occurred.
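The directory rule described above, as an added illustration (not Zoom's code), shows why an incomplete public-domain denylist leaks strangers to each other and how an allowlist of verified organization domains avoids it. The user list, the denylist and the verified-domain list are constructed sample data; examplecorp.test is an assumed organization.

```powershell
# Constructed sample data: an incomplete denylist (as in the article) and an allowlist of
# domains an organization has proven it owns (assumed verification step, e.g. DNS record).
$PublicDomainDenylist = @('gmail.com', 'live.com')
$VerifiedOrgDomains   = @('examplecorp.test')

$Users = @(
    [pscustomobject]@{ Name = 'Alice'; Email = 'alice@examplecorp.test' },
    [pscustomobject]@{ Name = 'Bob';   Email = 'bob@examplecorp.test' },
    [pscustomobject]@{ Name = 'Carla'; Email = 'carla@xs4all.nl' },   # strangers on a Dutch ISP
    [pscustomobject]@{ Name = 'Dirk';  Email = 'dirk@xs4all.nl' },
    [pscustomobject]@{ Name = 'Eve';   Email = 'eve@gmail.com' }
)

function Get-EmailDomain([string]$Email) {
    ($Email -split '@', 2)[1].ToLowerInvariant()
}

# Denylist rule: everyone sharing the domain is a "colleague" unless the domain is listed.
# xs4all.nl is missing from the list, so Carla sees Dirk (a perfect stranger).
function Get-ColleaguesDenylist([string]$Email) {
    $domain = Get-EmailDomain $Email
    if ($PublicDomainDenylist -contains $domain) { return @() }
    $Users | Where-Object { (Get-EmailDomain $_.Email) -eq $domain -and $_.Email -ne $Email }
}

# Allowlist rule: contacts are shared only inside domains verified as belonging to an
# organization, so an unknown ISP domain is never treated as a company.
function Get-ColleaguesAllowlist([string]$Email) {
    $domain = Get-EmailDomain $Email
    if ($VerifiedOrgDomains -notcontains $domain) { return @() }
    $Users | Where-Object { (Get-EmailDomain $_.Email) -eq $domain -and $_.Email -ne $Email }
}

foreach ($probe in 'carla@xs4all.nl', 'alice@examplecorp.test', 'eve@gmail.com') {
    $leak = @(Get-ColleaguesDenylist $probe).Count
    $safe = @(Get-ColleaguesAllowlist $probe).Count
    '{0,-24} denylist shows {1} contact(s); allowlist shows {2}' -f $probe, $leak, $safe
}
```

For carla@xs4all.nl the denylist version returns one stranger while the allowlist version returns none; for alice@examplecorp.test both return her actual colleague.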
Zoom's official website says that all group video calls are secured by end-to-end encryption, but an investigation by The Intercept revealed that this is not the case. The service uses TLS encryption, the same used by the HTTPS protocol: in essence, data is encrypted in transit from users' devices to the company's servers, but on those servers it is stored "in the clear". End-to-end encryption commonly means that only the recipient of the message holds the key to decrypt and read it.
Contacted for clarification, Zoom said that its claim is not misleading because it treats the company's servers as an endpoint. In practice, however, given the protocols used and the data transfer mechanism analyzed, the level of security is the same as that offered by services such as Gmail or Facebook. Zoom says that no one, employees included, can access the content produced by users, but that is not the point: the point is that, if it wanted to, or if it were compelled to, Zoom could read that content. Simplifying enormously: if a hacker (or a government) wanted to spy on a meeting, with Zoom it could, whereas with services based on "real" E2E encryption it could not.
End-to-end encryption is extremely difficult to implement in a group video call, and in fact practically no service offers it: if Zoom claims to do so and then turns out to do exactly what everyone else does, it not only deceives users but also harms its competitors.
The phenomenon of sneaking into other people's video conferences has become so widespread, especially in the USA, that it has earned its own neologism … Worse, it has drawn the attention of the attorney general of New York, who is investigating the matter and has asked the company to better protect those who use the service. The FBI has also released a statement warning users.
The bottom line is that by default any participant can share their screen, which opened a Pandora's box of trolls who connect in order to share inappropriate, pornographic or hateful images and videos. Zoom lets you password-protect meetings, but it is an optional step, and in any case it would not solve the problem for public meetings, such as those organized in these days of quarantine by major brands in America, some of which also involved show business celebrities.
Moreover, a meeting's URL is a simple numeric sequence of 9 to 11 digits, so with a little persistence it is not impossible to guess at random until one gets lucky. Threads and private groups dedicated to sharing links to unprotected Zoom meetings have even been organized online.
THEFT OF WINDOWS CREDENTIALS
In the last few hours a vulnerability has emerged through which an attacker could steal the login credentials of a Windows 10 computer. It is related to URLs shared in the text chat, which are converted into clickable links, as is common practice. The problem is that Windows network paths (UNC paths) are also turned into clickable links, for example \\server\shared\folder. When such a link is clicked, Windows tries to connect over the SMB protocol and, in the process, sends the username and the NTLM hash of the password, which can be cracked in seconds with free tools readily available online.
Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screenshot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
– Hacker Fantastic (@hackerfantastic) March 31, 2020
The same vulnerability can also be exploited to launch programs remotely, using 127.0.0.1 (the machine's own address) as the server address. For example, \\127.0.0.1\C$\windows\system32\calc.exe runs the calculator (the string works even if you enter it in the Run prompt, which opens when you press the Windows key and R). At least Windows shows a confirmation prompt first, but it is clear that the vulnerability needs to be addressed. While waiting for an official fix, you can limit the damage using the registry editor:
- Launch Regedit in administrator mode (right click on the application and choose the appropriate item from the context menu)
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Create a DWORD value called RestrictSendingNTLMTraffic
- Set the value to 2
- Save and close. Restart is not necessary in theory, but you never know.
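The same mitigation as an added PowerShell script (not from the article or from Zoom), for an elevated prompt on Windows 10: it records the previous value so the change can be reverted once an official fix ships, writes the DWORD, and reads it back. The backup file path under $env:TEMP is an assumption.

```powershell
# Registry location and value from the steps above.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name = 'RestrictSendingNTLMTraffic'
$Deny = 2   # 2 = deny all outgoing NTLM; 1 = audit only (log, do not block); 0 = allow all

function Get-NtlmOutboundSetting {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Windows default (allow)
    return [int]$item.$Name
}

function Set-NtlmOutboundSetting([int]$Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # -PropertyType DWord matches step 3 above; -Force overwrites an existing value.
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Step 1: the key lives under HKLM, so refuse to continue without an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell session.'
}

# Keep the previous value (assumed backup location) so the change can be undone later.
$before     = Get-NtlmOutboundSetting
$backupFile = Join-Path $env:TEMP 'ntlm-setting-backup.txt'
$shown      = if ($null -eq $before) { '<not set>' } else { $before }
"$Name previous value: $shown" | Tee-Object -FilePath $backupFile

# Steps 2-4: write the value and verify it stuck.
Set-NtlmOutboundSetting -Value $Deny
$after = Get-NtlmOutboundSetting
if ($after -ne $Deny) { throw "Failed to set $Name (read back: $after)" }
"$Name is now $after: outgoing NTLM authentication to remote servers is denied."
```

Value 2 blocks every outbound NTLM authentication from the machine, including to file shares or printers that only accept NTLM, so on a corporate workstation set 1 first and review the audit events before switching to 2.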
Just last week, Motherboard had also found that the official iOS app sent data to Facebook without users' knowledge (an active Facebook account was not even needed). The problem, corrected immediately, lay in the implementation of the "Login with Facebook" feature, which has now been modified to be less invasive. A few days earlier, the EFF had criticized the platform because meeting organizers can view a lot of non-essential information about attendees, including:
- IP address
- whether or not the Zoom window is in the foreground
- device model used for connection