On one hand, people are flocking to the video conferencing service in droves to chat with friends or join virtual business meetings. On the other, Zoom is under the spotlight like never before, and its skeletons are being revealed.
Zoom, the videoconferencing app whose traffic has surged during the coronavirus pandemic, is under scrutiny by the New York attorney general’s office for its data privacy and security practices https://t.co/qTdGTLsJ2D
— The New York Times (@nytimes) March 31, 2020
It started when The Intercept published a report questioning the company’s advertised end-to-end encryption. In reality, the faux-encryption stops with Zoom, so staff members could theoretically view your content or Zoom could be compelled to turn your content over to law enforcement.
Now security researchers have discovered that attackers can use the Zoom Windows client group chat to share links that leak Windows network credentials. Like most video conferencing apps, Zoom has a chat feature that lets you send messages to anyone on the call. When you post a URL, it automatically transforms into a hyperlink so participants can quickly access the site.
End-to-end encryption normally means that no outsider has access to the conversations taking place within the app, but it appears that Zoom is using its own definition of the term. As it turns out, Zoom itself has access to both the video and audio being exchanged in a conference at all times.
A Zoom spokesperson said: “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
This type of encryption is known as transport encryption and it is different from E2E. This means that audio and video content on Zoom will stay private from anyone spying on the WiFi but won’t be private for the company. However, Zoom does claim that they do not have access to or sell personal user data.
Although Zoom offers a reliable service, the fact that it lacks E2E encryption despite proudly marketing it everywhere raises a lot of concern for the millions of users around the globe who depend on the platform for their work.
How can Zoom protect users?
There is an easy solution for this security vulnerability: don’t turn UNC paths into clickable hyperlinks. If the potentially malicious path doesn’t turn blue in the chat, people will be less inclined to see where it leads.
“Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter,” security researcher Matthew Hickey told analysts.
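To illustrate the fix described above, here is an added example (not Zoom's own code, and written in Python rather than the Windows client's language) of a chat renderer that hyperlinks only http(s) URLs and leaves UNC paths and file:// URLs as escaped plain text, plus a helper that flags such paths so a message containing one can be logged or reviewed:

```python
import html
import re
from typing import List, Optional

# Token classes a chat linkifier might see. Only HTTP_URL is safe to make
# clickable: opening a UNC path or file:// URL from a Windows client makes the
# OS connect to the named host over SMB, which is where the credential leak
# described in the article comes from.
HTTP_URL = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
UNC_PATH = re.compile(r'\\\\[^\s\\/]+(?:\\[^\s\\]*)*')            # \\host\share\file
FILE_URL = re.compile(r'file:(?://)?[^\s<>"\']*', re.IGNORECASE)  # file://host/share


def classify_token(token: str) -> Optional[str]:
    """Return 'http', 'unc' or 'file' for a link-like token, else None."""
    if HTTP_URL.fullmatch(token):
        return "http"
    if UNC_PATH.fullmatch(token):
        return "unc"
    if FILE_URL.fullmatch(token):
        return "file"
    return None


def find_unsafe_links(text: str) -> List[str]:
    """Tokens that would trigger an SMB connection if rendered clickable."""
    return [t for t in text.split() if classify_token(t) in ("unc", "file")]


def render_chat_message(text: str) -> str:
    """HTML-escape a chat message and hyperlink http(s) URLs only.

    UNC paths and file:// URLs stay as escaped plain text: they never turn
    blue and nothing happens when they are clicked. Tokens are split on
    single spaces, which is enough for this illustration.
    """
    parts = []
    for token in text.split(" "):
        safe = html.escape(token, quote=True)
        if classify_token(token) == "http":
            parts.append(f'<a href="{safe}">{safe}</a>')
        else:
            parts.append(safe)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample message; the hostname is a placeholder.
    sample = r"slides at https://example.com/deck and \\fileserver\share\notes.txt"
    print(find_unsafe_links(sample))
    print(render_chat_message(sample))
```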
Zoom hasn’t acknowledged the problem, so your best bet is to follow Microsoft’s instructions for restricting NTLM traffic to remote servers to prevent UNC link attacks in Zoom.