Zoom could be stealing your Windows password, hacking your webcam

Video calling app Zoom has announced it will be freezing product development to focus on boosting the security of its services following seveal high-profile security issues.

The app has seen an explosion in users over the past few weeks as workers around the world embrace a new era of working from home, but now its security protection is being called into question.

In a blog post, Zoom CEO Eric S. Yuan revealed it saw 200 million daily meeting participants in March, a huge rise from the 10 million daily users it welcomed in December.

• SEC steps in to prevent investors from buying the wrong Zoom
• Concerned about Zoom security? Here’s how using a VPN can keep you more secure
• Also check out our roundup of the best encrypted instant messaging apps

However this surge in users also meant that Zoom has since attracted a lot of attention from security researchers and cybercriminals alike, with a number of worrying security flaws affecting Windows and Mac devices uncovered.

On Windows devices, one expert found that criminals could exploit a flaw in the Zoom chat feature to steal login details. Speaking on Twitter, the researcher known as @_godmode outlined how the part of Zoom’s chat feature that converts URLs into hyperlinks can also do the same for Windows networking UNC paths, turning them into a clickable link that if accessed, could reveal login information.

Another expert revealed two bugs affecting Zoom on Apple Mac devices. One flaw would allow criminals to hijack a victims device, one of which exploited Zoom’s access rights on a device to give hackers control of the webcam and microphone.

A seperate flaw discovered by the same security researcher, Patrick Wardle, could allow a hacker to inject malicious code into Zoom’s installer program, giving access to the device’s operating system and allowing them to install malware without the victimnoticing.

Zoom was also criticised earlier this week after it was discovered that the app does not offer end-to-end encryption, as promised on its website. Instead, it uses Transport encryption, a Transport Layer Security (TLS) protocol which means that although others won’t be able to access your data, Zoom will still be able to.

This has all led Zoom to change tack, and Yuan says that the company will now look to focus on improving the security and privacy aspects of the app before developing new features.

“Our platform was built primarily for enterprise customers,” Yuan said. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,” Yuan added . “We are also committed to being transparent throughout this process.”

Zoom’s entire engineering team will now pivot to working on safety and security, with the company also planning a “comprehensive” review of its services along with third-parties.

• Looking for a Zoom alternative? Here’s the best video conferencing software around today

Via Bleeping Computer / CityAM