Zoom is seeing increased usage, exposing its major security flaws

posted Saturday Apr 4, 2020 by Scott Ertz

Teleconferencing platform Zoom has been around for a few years, but it has gained popularity care of the current work from home scenario. While there's a lot of excitement around the app, there isn't anything particularly special about it. That is assuming you don't consider the constant and massive security issue in the platform.

Since the increased usage, new security issues have been discovered. The biggest issue is inherent in the design of the platform. Being referred to as zoombombing or zoom-bombing, it involves people who are not supposed to be part of a Zoom call joining the call and causing havoc. This can be done one of two ways. The most common is by randomly entering numbers until a call opens. This means that the bomber doesn't know what they are getting into but can still start posting inappropriate comments and photos. Even before the current environment, I have been involved in Zoom calls that had been zoombombed.

A more targeted but limited attack surface is by watching the social media feeds of people who don't know how to use the internet. This has included prime ministers and other government officials, corporate executives, etc. These people share photos or screenshots of their Zoom conferences in some misguided attempt to look like they are still doing work in the wake of COVID-19. However, what they are doing is exposing the conference ID for their call, making it easy for anyone to join and disrupt.

In addition to posting inappropriate content, bombers were taking advantage of another issue in the Zoom platform. By including a malicious link into the chat of these random or targeted conferences, bombers were able to gain access to security information on the user's computer. That information includes computer passwords, in many cases exposing an entire computer network to vulnerability. By gaining access to a corporate or government user's credentials, an extended level of damage can be created. After extended knowledge of the issue, the company finally patched the flaw once the issue was publicly covered by tech publications.

This is not the first time Zoom has had serious security issues. Last year, another security vulnerability was discovered which allowed attackers to activate a Zoom call on another user's computer with the camera activated without the user's permission or knowledge. The issue only affected users of Zoom on macOS but was knowingly exploited.

Because the company is so susceptible to security and privacy violations, I have repeatedly recommended that people use another platform. There are plenty of other, better services that provide the same capability without the problems we see with Zoom. Try Skype, Teams, Slack, Google Hangouts, or Facebook Messenger instead.

F5 Live: Refreshing Technology

April 5, 2020 - Episode 557

Sunday Apr 5, 2020 (01:16:23)

Description

This week, Sprint is gone for good, Humvees are here to stay, and the Apple Tax has been temporarily suspended.

Participants

Scott Ertz

Host

Scott is a developer who has worked on projects of varying sizes, including all of the PLUGHITZ Corporation properties. He is also known in the gaming world for his time supporting the rhythm game community, through DDRLover and hosting tournaments throughout the Tampa Bay Area. Currently, when he is not working on software projects or hosting F5 Live: Refreshing Technology, Scott can often be found returning to his high school days working with the Foundation for Inspiration and Recognition of Science and Technology (FIRST), mentoring teams and helping with ROBOTICON Tampa Bay. He has also helped found a student software learning group, the ASCII Warriors, currently housed at AMRoC Fab Lab.

Avram Piltch

Host

Avram's been in love with PCs since he played original Castle Wolfenstein on an Apple II+. Before joining Tom's Hardware, for 10 years, he served as Online Editorial Director for sister sites Tom's Guide and Laptop Mag, where he programmed the CMS and many of the benchmarks. When he's not editing, writing or stumbling around trade show halls, you'll find him building Arduino robots with his son and watching every single superhero show on the CW.

Opening

Powered by TeknoAXE

Nifty Gifties

Powered by Microsoft Store

Sprint is no more, as T-Mobile merger is officially completed

It's been three years since the initial rumors of a Sprint/T-Mobile merger surfaced. Over six months ago, the companies received Department of Justice approval for the merger, having already secured FCC approval. It was not a done deal, however, as Attorneys General from fourteen states filed a suit to stop the merger, but all states except California have now approved it. As such, the companies have officially completed the merger, marking the end of the Sprint brand.

Piltch Point with Avram Piltch

Powered by PureVPN

Extra Life

Powered by Razer

Activision can use Humvee in its games care of the First Amendment

The Humvee is an iconic vehicle, especially regarding wartime imagery. Because of this, Activision has featured the vehicle in many of its Call of Duty titles over the years. Since the intention of the company's popular games is to replicate the environments and experiences of the battles that they represent, it is a logical move to include these vehicles. Unfortunately for Activision, AMG, who holds the trademark on the design, did not believe that including the vehicles in the games was in compliance with the law.

News From the Tubes

Powered by RiffTrax