Skip to main content

The Cybersecurity Problems with Zoom Video App

By April 1, 2020April 20th, 2020Blog, Security

Zoom video communications app cybersecurity telecommuting software conronavirus UNC RCE

The Zoom video communications app has had a documented history of cybersecurity concerns, but the rush to adopt conferencing software for telecommuting has brought these issues back to the forefront. As the COVID-19 shutdown forces everyone to practice social distancing, many have flocked to these types of applications for remote work or personal use. The surge in downloads have only exacerbated the persistent security gaps in the platform to the point where many institutions are questioning its installation on their networked computers.

Universal Naming Convention and Remote Code Vulnerabilities

The vulnerabilities in Zoom mostly center around poor data security controls, including several serious examples in both Windows and MacOS machines. Many of these come from remote code or other external pathways that provide easy network backdoors for hackers to exploit. SWK previously reported on the RCE (remote code execution) bug putting nearly a million Apple computers at risk in 2019, but the Universal Naming Convention (UNC) error in Microsoft devices could expose exponentially more Zoom users.

The UNC vulnerability essentially creates a file path from a hyperlink in the chatbox to a remote site protocol, which is relatively easy to hack once it’s sent out. Though Zoom is releasing a patch, the bug has put the tens of millions of Windows users running the app every day at risk already. In fact, it is likely that this vulnerability, or something very similar, is the exploit that led to the surge of “Zoombombing” recently.

Zoom Data Mining for LinkedIn and Facebook

Though not technically falling into the category of hacking, additional irregularities were found in the video app’s user information controls, namely data mining for social media platforms. Zoom was found on separate occasions to be silently and automatically providing personal details to both LinkedIn and Facebook – without the user’s permission, or even without the presence of a connected social profile.

What makes this practice suspect, and potentially illicit, is that there was little to no mention of this type of third-party file sharing in Zoom’s privacy policy. Such a trend does not bode well for the program’s security posture overall, either, as it reflects similar red flags that proceeded the FaceApp scandal.

Misleading Messaging and Online Meeting Encryption Claims

Suspicion around Zoom does not end at the data mining and remote access bugs – their entire cybersecurity approach is coming into question with the discovery of misleading encryption claims. Despite attributed end-to-end (E2E) encrypting for meetings and messages made through the platform, Zoom was forced to admit that it was a technological impossibility for the app. The encryption service that it actually uses is the same as a standard web browser, but more importantly, it gave the company open access to user data.

video conference software zoom data breach privacy cybersecurity covid-19


Governments and Companies Blocking Zoom Video App Use

Given all the above and many other security vulnerabilities and bad practice by Zoom besides, the video app’s use has come under heavy scrutiny. Private businesses and public agencies have questioned whether the software is secure enough to use for their customers and constituents. Some companies and whole governments have even gone as far as to ban its internal use totally, including the Singapore school system, the government of Taiwan, and tech giant Google.

Weak Service and App Cybersecurity Puts Passwords at Risk

Zoom joins a long line of web applications and services that have been caught promising the moon when it comes to cybersecurity, only to leave their customers ignorant of and exposed to cyber threats. Oftentimes developers and providers will not properly communicate all the dangers consumers face from hackers, and even they may not be aware of every bug in their products or gaps in the network. Zoom’s CEO has at least admitted to the company’s security failings, but their reputation is permanently scarred as the lid has been lifted off for how weak their cybersecurity commitment has been.

Let SWK Provide an Extra Layer of Cybersecurity

Zoom, Ring, and even your smartphone’s OS – these vulnerabilities are popping up all the time because security postures have still not caught up to technology. You can no longer afford to rely just on a login and password to protect your network – you need to have multiple layers of cyber defense to protect yourself from all of the threats out there.

Talk to the experts SWK Technologies and find out how our service can improve your cybersecurity stance against hackers, especially during COVID-19.

FormCraft - WordPress form builder