Zoom plays fast and loose with definition of E2E encryption and exposes Windows login credentials and email addresses
We noted last Friday that Zoom's sudden rise in popularity brings with it a sudden increase in scrutiny, and the company has certainly been feeling the heat lately. We originally made that comment in the context of Motherboard's report that the Zoom iOS app had been sending user data to Facebook. Zoom, to its credit, acted quickly and removed the Facebook SDK from its iOS app. However, new reports have since emerged about further issues with Zoom.
The first of these reports is from The Intercept. Zoom's security page, security white paper (PDF), and app user interface all claim that Zoom meetings can be secured with end-to-end (E2E) encryption. However, when The Intercept reached out to Zoom to ask about its E2E encryption, a Zoom spokesperson said that "Currently, it is not possible to enable E2E encryption for Zoom video meetings." The Zoom spokesperson then made the following comment:
When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.
This usage of the term "end-to-end" is misleading because, as The Intercept points out, the supposed "end points" sit between the Zoom clients. The "ends" in E2E encryption are supposed to be the clients. While it is true that Zoom uses standard TLS to encrypt information sent between clients and the Zoom server, Zoom holds the key to decrypt this information once it reaches its servers, meaning Zoom can see the contents of your video calls. True E2E encryption necessitates that the service provider, Zoom in this case, does not hold the encryption key. The only feature of Zoom with true E2E encryption available is its text chat.
Speaking of Zoom's text chat, BleepingComputer published a report according to which security researcher @_g0dmode discovered that Zoom's text chat on Windows is vulnerable to UNC path injection attacks. URLs as well as Windows networking UNC paths posted in the text chat are converted into clickable hyperlinks. If a user clicks on a UNC path hyperlink, Windows will try to connect to the remote host and, in doing so, send the user's login name and password hash. The password hash can often be cracked with freely available password-cracking tools, frequently in a short span of time, giving an attacker the user's Windows login credentials.
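The defensive fix implied by the report is for the chat client to turn only web URLs into hyperlinks and to leave UNC paths as inert text. The following is an added illustration of that approach, not Zoom's code and not from the original article: a small linkifier that only anchors http(s) URLs, plus a detector a chat service could use to flag messages carrying UNC paths or file:// references for logging. The sample messages are constructed, and the "not linkifying UNC paths" mitigation is an assumption about a reasonable fix, not a description of what Zoom shipped.

```python
import html
import re

# Constructed sample chat lines (not taken from the article).
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf?rev=2&lang=en",
    r"Grab the notes from \\fileserver.example\share\notes.txt",
    "Also mirrored at file://fileserver.example/share/notes.txt",
    "Plain text with no links at all",
]

# Two leading backslashes, a host token, a backslash, then a share/path token.
UNC_PATH_RE = re.compile(r"\\\\[^\s\\]+\\[^\s]+")
# file:// references reach the same Windows code path as UNC links.
FILE_URL_RE = re.compile(r"\bfile://", re.IGNORECASE)
# The only schemes we are willing to turn into clickable anchors.
HTTP_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def contains_network_path(text):
    """True if the message carries a UNC path or a file:// reference.

    A chat service can use this to log or flag such messages; it does not
    decide what is rendered, that is linkify_safe's job.
    """
    return bool(UNC_PATH_RE.search(text) or FILE_URL_RE.search(text))


def linkify_safe(text):
    """Render a chat message as HTML, anchoring only http(s) URLs.

    Everything outside an http(s) match is HTML-escaped and left as plain
    text, so a UNC path like \\\\host\\share is never a clickable link and
    cannot trigger an outbound SMB connection when the message is viewed.
    """
    out = []
    pos = 0
    for m in HTTP_URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)  # escape & and quotes for the attribute
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def process_chat(messages):
    """Return (rendered_html, flagged) pairs for a batch of messages."""
    return [(linkify_safe(msg), contains_network_path(msg)) for msg in messages]


if __name__ == "__main__":
    for rendered, flagged in process_chat(SAMPLE_MESSAGES):
        print(("FLAGGED " if flagged else "        ") + rendered)
```

The design choice worth noting is an allowlist of schemes rather than a blocklist of patterns: anything that is not an http(s) URL is treated as text, so new ways of spelling a network path do not need to be anticipated one by one.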
Lastly, Motherboard reports that Zoom exposes the email addresses and profile photos of those who subscribe to Zoom with a non-standard email provider. Zoom has a "Company Directory" feature that automatically adds users whose email addresses share your domain name to your contact list. This feature helps people find their colleagues. Unfortunately, it also seems to extend to those using non-standard email providers, because the feature simply checks the domain name in your email address against a blacklist of email providers maintained by Zoom. If your email provider's domain name does not appear in this blacklist, the email addresses, profile pictures, and status of all other Zoom subscribers using that email provider will appear in your contact list.
The post Zoom plays fast and loose with definition of E2E encryption and exposes Windows login credentials and email addresses appeared first on The Tech Report.