Zoom has been in the news because its video calling platform does not offer end-to-end encryption (E2E), despite marketing it as doing so. That means Zoom itself can access the audio and video of a private video conference, even though it claims not to.
CNN: NYC schools dropping Zoom because of security concerns. https://t.co/RWCRNmupeA
Don't try 🙏
— Sano (@sanokhan53) April 7, 2020
Zoom CEO Eric Yuan has responded to the situation, admitting that he and his team made missteps with the company's video conferencing platform. He appeared in an interview with CNN in front of a background image of a heart-shaped earth captioned "we care".
In the interview with CNN’s chief media correspondent Brian Stelter, he said, “We moved too fast… and we had some missteps. We’ve learned our lessons and we’ve taken a step back to focus on privacy and security.”
He added that the team is now fighting tooth and nail to win its users back. Last week, Zoom announced that it was pausing feature updates on its application to focus on privacy and security, and that improvements would not be far off.
GVS recently reported that Zoom is under the spotlight like never before and that its skeletons are being revealed. It started when The Intercept published a report questioning the company's advertised end-to-end encryption.
In reality, the encryption ends at Zoom's own servers rather than at the participants, so Zoom staff could in principle view your content, and Zoom could be compelled to hand it over to law enforcement.
Separately, security researchers have discovered that attackers can use the Zoom Windows client's group chat to share links that leak Windows network credentials. Like most video conferencing apps, Zoom has a chat feature that lets users send messages to anyone on the call. When you post a URL, the client automatically turns it into a hyperlink so participants can open it quickly. The problem is that the client did the same for Windows UNC paths (of the form \\server\share\file). When a Windows user clicks such a link, Windows tries to open the share over SMB and, as part of NTLM authentication, sends the user's login name and a hashed (NTLMv2) response to the remote server. An attacker who controls that server can capture the exchange and try to recover the password offline.
End-to-end encryption normally means that no one outside the conversation, including the service provider, can read it, but Zoom appears to be using its own definition of the term. As it turns out, Zoom itself has access to both the video and the audio exchanged in a conference at all times.
A Zoom spokesperson said: "Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP connections are made using Transport Layer Security (TLS) and UDP connections are encrypted with the Advanced Encryption Standard (AES) using a key negotiated over a TLS connection."
How can Zoom protect users?
There is an easy fix for this vulnerability: don't turn Universal Naming Convention (UNC) paths into clickable hyperlinks. If a potentially malicious path doesn't turn blue in the chat, people are far less likely to click it and find out where it leads. Better still, only auto-link targets whose scheme is http or https, so that file: and smb: URLs and forward-slash paths such as //server/share are also left as plain text.
"Zoom should not render UNC paths as hyperlinks [until this is] fixed. I have notified Zoom, as I disclosed it on Twitter," security researcher Matthew Hickey told analysts.
Zoom hasn't acknowledged the problem, so your best bet is to follow Microsoft's instructions for restricting NTLM traffic to remote servers, which prevent UNC link attacks in Zoom. The relevant Group Policy setting is "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options; set it to "Deny all", or to "Audit all" first to see what would break. The caveat is that this blocks NTLM to every remote server, so file shares or other services that only accept NTLM will stop working unless you list them under "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication". Blocking outbound SMB (TCP port 445) at the network perimeter is a complementary control that stops the credentials from ever reaching an attacker's host on the internet.