Coronavirus Brings Zoom Security Flaws to the Fore

An unprecedented increase in the number of users has exposed Zoom security flaws that can make users vulnerable to cyber crimes


There is a sudden surge of traffic on online collaboration tools as employees work from home, schools commence new academic sessions through online classes, and everyone is now interacting online. Zoom, in particular, has become popular with the number of users rising to 200 million in March 2020 from about 10 million in December 2019. However, the tool has also drawn a lot of criticism after numerous security vulnerabilities came to the fore.


Too many Zoom security flaws

As online activity increases, Zoom has become a happy hunting ground for cyber criminals. From stealing login credentials to hijacking user devices, taking control of a user's microphone and webcam, and infecting Zoom's installer program with malicious code to install malware, cyber criminals are having a field day exploiting the security flaws. To make matters worse, the compromised accounts—complete with details including meeting IDs, email IDs, passwords, hostnames, and so forth—are available for purchase on the dark web.

Not only can video-enabled calls on Macs be opened using any website, but video calls are also being routed through Chinese servers, connected to systems in China, and are available for public viewing! Further, video calls can be Zoom-bombed with AI-generated faces.


With many zero-day exploits being discovered, cyber criminals are looking for vulnerabilities to sell to the highest bidders in bug bounty programs. As a result, the bug bounty rewards have risen significantly and cyber criminals are selling their exploits for anywhere between $5,000 and $30,000.

Bans and lawsuits

As fallout from the security vulnerabilities, at least four lawsuits have been filed against Zoom as of the time of writing this post, accusing the company of inadequate security and data protection measures, not providing the promised end-to-end data encryption, and transferring data to Facebook without user consent. Many companies—including Google and SpaceX—have asked their employees to stop using Zoom for all official purposes. School districts, too, have banned the use of Zoom for teaching purposes.


Zoom apologizes and is addressing issues

Zoom has apologized for all the security vulnerabilities in its video-conferencing tool. According to the company, the tool was primarily built for enterprise users and it was not ready for the challenges that a sudden surge in users—both enterprise and individual—moving online would bring. However, to address the security vulnerabilities, the company has announced that currently, it is focusing all its efforts on identifying and fixing the bugs.

The company has already disabled data sharing with Facebook. The engineering department is now working on the security and safety of the tool. The company has also formed a chief information and security officer council and advisory board.

The article has been written by Neetu Katyal, Content and Marketing Consultant

She can be reached on LinkedIn.