As the coronavirus pandemic continues to spread in over 204 countries, institutions and offices all over the world have opted to operate from homes. Due to the pandemic, Zoom, the popular video call service had gained millions of users in the last few months. However, the app also has a history of privacy and security issues such as webcam hijacking, not providing end-to-end encryption and sending user data over to Facebook.
TechCrunch recently reported a few new flaws in the app’s security. Ex-NSA hacker Patrick Wardle has reported his recent findings of Zoom’s lack of security in his detailed blog, “The ‘S’ in Zoom, Stands for Security”. He talked about two new bugs in Zoom on macOS which makes Macs vulnerable to webcam and mic takeovers again, as well as the probability of gaining root access. Through a local attack, the hacker may be able to gain root access to a user’s Mac through Zoom.
Wardle describes the process in technical detail in his blog and states,
“To exploit Zoom, a local non-privileged attacker can simply replace or subvert the runwithroot script during an install (or upgrade?) to gain root access.”
The security researcher also uncovered a second flaw which allowed access to Mac’s camera and mic, with the ability to record the screen without a user prompt. He states:
“Unfortunately, Zoom has (for reasons unbeknown to me), a specific “exclusion” that allows malicious code to be injected into its process space, where said code can piggy-back omff Zoom’s (mic and camera) access! This give malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary ties (without the user access prompt)!”
Zoom has fixed its bugs and issued an apology. The app team responded to all its recent privacy concerns with a blog post and has issued a plan for 90 days to improve their service.
“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust”, says zoom.