Zoom Security Vulnerabilities

In: #attack

As if times haven’t been hard enough, businesses are dealing with new security threats while employees work from home and some have major issues with one of the most popular video conferencing platforms, Zoom.

When COVID-19 hit and lockdown was enforced, businesses had to find a secure and safe way to connect employees to keep operations running. Therefore, it’s no surprise that Zoom has seen a huge surge in users in the last few months. And what comes with an increase of users? An increase in potential attacks.

Does it surprise you to find out that this video app has become a target of Zoom bombers, privacy issues and security vulnerabilities? 

What is Zoom Bombing?

Zoom bombing is a disruptive or unwanted intrusion by hackers and Internet trolls into a video conference call. In a typical Zoom bombing incident, a teleconferencing session is hijacked by the insertion of material that is obscene, lewd, racist or anti-Semitic, which may shut down the session. The term is derived from the name of the video conferencing software, but it has also been used to refer to the same phenomenon on other video conferencing platforms. The term became widely known after the COVID-19 pandemic forced many people to stay at home.

Zoom itself has tried to stop Zoom bombing through some high-level and advanced security upgrades and their “Report a User” feature. However, it still seems to fail as Zoom bombers are actively attacking the application. It’s time for Zoom to make some critical decisions before user trust is further exploited.

Over the past few months, the teleconference software Zoom has seen exponential growth. However, that growth has also come with a slew of uncovered security flaws. Many of the problems appear to stem more from sloppiness than from malice or deliberate sneakiness. They make a billion-dollar company look like it is held together with string.

Dubious Encryption 

Such monitoring of calls by the service would be reduced if Zoom were encrypted end-to-end, as the company claimed in its marketing materials. Zoom uses some encryption, but not the most secure end-to-end type. Some of the confusion stems from defining what an "end" is. Zoom seems to think that its own servers count as one.

A Sketchy Installer

There was a problem with Zoom’s installer, which took over admin privileges to gain root access to the computer. That access may be abused to secretly install programs without the user’s knowledge, which includes the ability to access a user’s webcam and microphone. 

Questionable Routing

There are questions about where Zoom is sending the data it collects from your computer. Zoom was found to be sending data to Facebook, even if users do not log into their Facebook accounts. Zoom also apologized for mistakenly routing traffic through China, where the internet is monitored by the government. Most tech organizations operating in China have strict separations between domestic and international online traffic.

As many schools and business organizations push ahead with home-based learning initiatives and work from home amid the COVID-19 pandemic, Zoom has become the default application to facilitate online communication. Unfortunately, the platform has privacy issues and security vulnerabilities, which have no solutions at the moment. With that in mind, kindly observe these recommendations if you intend to continue using Zoom: 

  1. Download and Install Zoom from an Official Source

Cybercriminals are taking advantage of the sudden popularity of Zoom to build phishing sites using Zoom-related domains and to create malware masquerading as Zoom installers. Download and install the latest official Zoom client from the Apple App Store or Google Play. Ensure you do not click on any suspicious links from websites or emails.

  2. Guard Against Zoom-Bombing

Zoom-bombing is when someone gains unauthorized access to a Zoom meeting to harass the participants or to eavesdrop on the call. To prevent this, ensure that the required meeting password setting is always enabled.

  3. Don't Share Your Personal Meeting ID

Each Zoom user is given a permanent Personal Meeting ID (PMI) that is associated with their account. If you divulge your PMI to someone, they will always be able to check whether a meeting is in progress and potentially join it if a password is not configured. Instead of sharing your PMI, create a new meeting each time and share it only with the meeting attendees.

  4. Don't Click on Suspicious Links in Zoom Chats

Older versions of the Zoom Windows client have a security vulnerability in their chat feature that allows cyber attackers to steal the Windows credentials of users who click on a malicious link. Ensure you are using the latest version of the Zoom application.

  5. Don't Share Confidential Information

All data transmitted during audio and video calls between the user and the service is encrypted. This is similar to online banking and prevents eavesdropping when you are using unsecured Wi-Fi. However, during certain Zoom calls the data is not encrypted end-to-end, which means that Zoom itself can potentially gain access to your audio and video calls. Kindly refrain from discussing confidential or sensitive topics while using Zoom.
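Recommendations 1 and 4 both come down to vetting links before clicking them: a download link should point at a real Zoom domain, and a link dropped into a meeting chat should be checked the same way. The following Python snippet is an added example written for this article, not code from Zoom or from Vicarius. It assumes an allowlist of official domains (zoom.us and zoom.com; adjust to your organization's policy), parses each URL with the standard library, and flags lookalike hosts, links that smuggle "zoom.us" into the user-info part of the URL, and non-web schemes. The chat messages at the bottom are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of official Zoom domains. Only an exact match or a
# subdomain of one of these counts as official.
OFFICIAL_ZOOM_DOMAINS = ("zoom.us", "zoom.com")

# Matches anything that looks like scheme://... inside free text.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)


def classify_link(url: str) -> str:
    """Classify a single URL as official / lookalike / other / non-web / unparseable.

    urlsplit().hostname discards user-info ("zoom.us@evil.example" -> "evil.example"),
    ports and brackets, and lowercases the host, so casing tricks are neutralised.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable"
    if parts.scheme.lower() not in ("http", "https"):
        return "non-web"          # file/ftp/other schemes are never a Zoom join link
    host = parts.hostname
    if not host:
        return "unparseable"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_ZOOM_DOMAINS):
        return "official"         # e.g. us02web.zoom.us
    if "zoom" in host:
        return "lookalike"        # e.g. zoom.us.download-update.example
    return "other"


def find_suspicious_links(messages):
    """Scan chat messages and return (index, url, verdict) for every non-official link."""
    findings = []
    for i, msg in enumerate(messages):
        for url in URL_RE.findall(msg):
            verdict = classify_link(url)
            if verdict != "official":
                findings.append((i, url, verdict))
    return findings


# Constructed sample chat messages for demonstration; not real traffic.
SAMPLE_CHAT = [
    "Join here: https://us02web.zoom.us/j/123456789?pwd=abc",
    "Updated client: http://zoom.us.download-update.example/ZoomInstaller.exe",
    "Slides at https://zoom.us@files.example/deck.pdf",
    "Mirror: ftp://mirror.example/ZoomInstaller.exe",
]

if __name__ == "__main__":
    for idx, url, verdict in find_suspicious_links(SAMPLE_CHAT):
        print(f"message {idx}: {verdict:10s} {url}")
```

The check deliberately uses a suffix match on the registered domain rather than a substring match, so "zoom.us.download-update.example" is reported as a lookalike rather than accepted, and it never treats the text before an "@" as the host. Running the sample flags three of the four messages.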

Zoom has assured us that they are dedicating resources to better identify and fix issues. While that is happening, you can always use other video and audio communication applications that are available. 

In this article, we have examined the types of Zoom vulnerabilities and ways to prevent cyber attackers from gaining access to confidential information. Do you need help in managing vulnerabilities? If yes, contact the team of security experts at Vicarius today. 

Vicarius offers vulnerability management software aimed at cybersecurity officers and operators, as well as IT managers and operators, in the U.S. market. You can use our product TOPIA for accurate cybersecurity and to ensure your assets are well protected. Check our product page to learn more about TOPIA.

Written by Kent Weigle
