@typokign
Last active September 8, 2023 05:06
Zoom Sucks

  • Zoom abuses the macOS installer flow to bypass permission dialogs (source)
  • Zoom sends identifying device info to Facebook, even when users don't have a Facebook account (source) (fixed)
  • A bug in Zoom sent identifying information (including email addresses and profile pictures) of thousands of users to strangers (source)
  • Zoom's white paper and marketing materials claim that meetings are end-to-end encrypted, but meetings are only encrypted in transit between clients and Zoom's servers; the servers, and therefore Zoom employees, can read the plaintext. (source)
  • zoomAutenticationTool can be used to escalate privileges of arbitrary scripts/programs (source)
  • Another method of privilege escalation involving the AuthorizationExecuteWithPrivileges API during the installation process (source)
  • Zoom browser extension grants unnecessary access to full browser history (source)
  • Zoom browser extension has unrestricted TCP access on 0.0.0.0 (source)
  • Zoom macOS client runs an insecure local web server to bypass the standard app URI flow. This web server can be abused to initiate video/audio recording without the user's consent (source)
  • Zoom Windows client can be used to send SMB network share credentials to an attacker (source)
  • Zoom macOS client specifically disables library validation, allowing attacker libraries to be loaded into its address space (source)
  • Zoom lies about using AES-256 encryption. In fact, Zoom uses AES-128 (a shorter key than advertised) in ECB mode, which is dangerously insecure because identical plaintext blocks encrypt to identical ciphertext blocks, leaking the structure of the plaintext (source) (fixed)
  • A bug in Zoom routed calls from North America and Europe through Chinese datacenters, contrary to Zoom's promise that meetings are only routed through the jurisdictions of the meeting's participants (source)
  • Facebook sign-in can be added to any account without email confirmation, allowing complete control over the account to an attacker (source) (fixed)
  • The Zoom client uses a number of outdated, vulnerable libraries (source)
  • Zoom uses a constant passphrase and IV when encrypting Apple AirPlay screen shares, so the same content always produces the same ciphertext (source)
  • Zoom's in-development "true" end-to-end encryption will only be available for corporate clients, so that Zoom can continue surveillance of free users (source)
  • An attacker can perform arbitrary file writes to lead to an RCE by abusing the message schema for sending animated GIFs (source) (fixed)
  • An attacker can similarly perform arbitrary file writes/RCE by abusing the message schema for code snippets (source) (fixed)
  • A zero-day in the Zoom Windows client allowed RCE when a user starts video in an attacker-controlled call (source)
  • Low meeting password entropy, combined with a lack of rate-limiting, makes meeting passwords practical to brute force (source)
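The two cryptographic items above (AES-128 in ECB mode, and a constant key and IV for AirPlay screen shares) share one failure: the ciphertext is deterministic, so an observer learns which blocks or which messages are equal without breaking the cipher. The following is an added example, not code from this gist or from Zoom, that makes the leak measurable. The key, IV and plaintext are constructed demo values; `ecbEncrypt`, `cbcEncrypt`, `cbcEncryptFreshIV` and `countRepeatedBlocks` are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed demo inputs (not Zoom's real key material).
var (
	demoKey = []byte("0123456789abcdef")                  // 16 bytes -> AES-128
	demoIV  = []byte("fedcba9876543210")                  // a constant IV: the anti-pattern
	demoPT  = bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4) // four identical 16-byte blocks
)

// ecbEncrypt encrypts every 16-byte block independently. Go's standard library
// deliberately ships no ECB helper, so it is spelled out here to show the problem.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains each block into the next, so equal plaintext blocks no longer
// produce equal ciphertext blocks within one message. The caller supplies the IV.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// cbcEncryptFreshIV draws a random IV per message and prepends it to the ciphertext,
// which is what a constant-IV design should have done.
func cbcEncryptFreshIV(key, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return append(iv, cbcEncrypt(key, iv, plaintext)...)
}

// countRepeatedBlocks reports how many 16-byte ciphertext blocks duplicate an earlier one.
// Any value above zero means the mode is leaking plaintext structure.
func countRepeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

func main() {
	ecb := ecbEncrypt(demoKey, demoPT)
	fmt.Printf("ECB:           %s\n  repeated blocks: %d\n", hex.EncodeToString(ecb), countRepeatedBlocks(ecb))

	cbcConst := cbcEncrypt(demoKey, demoIV, demoPT)
	again := cbcEncrypt(demoKey, demoIV, demoPT)
	fmt.Printf("CBC, const IV: %s\n  repeated blocks: %d, identical on re-encryption: %v\n",
		hex.EncodeToString(cbcConst), countRepeatedBlocks(cbcConst), bytes.Equal(cbcConst, again))

	fresh1 := cbcEncryptFreshIV(demoKey, demoPT)
	fresh2 := cbcEncryptFreshIV(demoKey, demoPT)
	fmt.Printf("CBC, fresh IV: identical on re-encryption: %v\n", bytes.Equal(fresh1, fresh2))
}
```

ECB shows three repeated blocks for four identical plaintext blocks, and the pattern survives no matter how strong the key is. CBC with a constant IV hides repetition inside one message but still yields byte-identical ciphertext whenever the same content is sent again, which is the AirPlay problem; only a fresh IV per message removes both leaks. An authenticated mode such as AES-GCM with a unique nonce is the usual choice in new designs, since CBC alone also gives no integrity.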

Zoom Devices

Zoom devices include smart TVs, tablets, and smart cameras. Most of these devices include cameras and microphones and are typically installed within line of sight and earshot of sensitive conversations.

  • Zoom devices (such as smart cameras and tablets) downloaded unsigned firmware updates over plain HTTP, leaving them vulnerable to man-in-the-middle attacks that substitute a malicious image (fixed)
  • Zoom devices run a Linux 2.6.2 kernel, for which 600+ vulnerabilities had been reported as of March 2020
  • The device bootloader is unlocked, allowing a root shell to be obtained during boot
  • The root password is left at its default

Source
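The first device finding above (unsigned firmware fetched over HTTP) is one where the fix is a check the device can do regardless of the transport. The following is an added example written for this page, not Zoom's firmware code or its real update format: a constructed `firmwareImage` type, an `insecureApply` that mirrors the flaw, and a `secureApply` that verifies an Ed25519 signature under a pinned vendor key and refuses rollback. The key pair, payloads and version numbers are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// firmwareImage is a constructed stand-in for one update as the device receives it.
// Version is a monotonic counter, not a "1.2.3" string, so the downgrade check is a plain compare.
type firmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte // Ed25519 signature over signedMessage(Version, Payload)
}

// insecureApply mirrors the flaw in the list: whatever arrived is installed.
// Over plain HTTP, that is whatever an on-path attacker chose to send.
func insecureApply(img firmwareImage) error {
	return nil // no signature, no digest, no version check
}

// signedMessage binds the version counter to the payload digest. Signing the pair means a
// valid signature cannot be moved onto a different payload or reused to push an older version.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// signFirmware is the vendor-side step; the private key never leaves the build system.
func signFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) firmwareImage {
	return firmwareImage{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// secureApply is the device-side check against a vendor public key pinned at manufacture.
// HTTPS is still worth having for the download, but this check holds even when transport security fails.
func secureApply(vendorPub ed25519.PublicKey, installedVersion uint32, img firmwareImage) error {
	if !ed25519.Verify(vendorPub, signedMessage(img.Version, img.Payload), img.Sig) {
		return errors.New("signature does not verify under the pinned vendor key: image rejected")
	}
	if img.Version <= installedVersion {
		return errors.New("image is not newer than the installed version: rollback rejected")
	}
	return nil
}

// newKeyPair generates an Ed25519 key pair; used here for both the vendor and an attacker.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tampered simulates an on-path modification of the payload while keeping the original signature.
func tampered(img firmwareImage) firmwareImage {
	p := append([]byte(nil), img.Payload...)
	p[0] ^= 0xff
	return firmwareImage{Version: img.Version, Payload: p, Sig: img.Sig}
}

func main() {
	vendorPub, vendorPriv := newKeyPair()
	_, attackerPriv := newKeyPair()
	genuine := signFirmware(vendorPriv, 3, []byte("constructed firmware payload v3"))
	older := signFirmware(vendorPriv, 2, []byte("constructed firmware payload v2"))
	forged := signFirmware(attackerPriv, 9, []byte("attacker payload"))

	fmt.Println("insecure, tampered image:", insecureApply(tampered(genuine)))
	fmt.Println("secure, genuine image:   ", secureApply(vendorPub, 2, genuine))
	fmt.Println("secure, tampered image:  ", secureApply(vendorPub, 2, tampered(genuine)))
	fmt.Println("secure, attacker-signed: ", secureApply(vendorPub, 2, forged))
	fmt.Println("secure, old signed image:", secureApply(vendorPub, 3, older))
}
```

The version counter is part of the signed message on purpose: without it, an attacker who can serve old files could replay a genuinely signed but vulnerable release, and the bootloader and default-root-password findings above would remain reachable even after a fix shipped.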

These Aren't New

There's a common misconception that Zoom's recent explosion in popularity has left them unfairly blindsided by unreasonable scrutiny from the security community. This isn't true. Zoom has spent years building a reputation within the security community for being unresponsive to vulnerability reports, stingy on paying out bug bounties, and in general not showing a strong commitment to security. While recent comments from CEO Eric Yuan are reassuring and we hope this marks a shift in Zoom's priorities, they are not victims - these vulnerabilities are a product of their own negligence, and nothing else.

If you find any reports of vulnerabilities, past or present, that are not listed above please leave a comment below.

Thanks to @lrvick, @jnaulty, @matthieuxyz, @MacroChip, and the #! community for help compiling this list.

jnaulty commented Jun 3, 2020

https://www.bloomberg.com/news/articles/2020-06-02/zoom-transforms-hype-into-huge-jump-in-sales-customers

> Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.
> ...
> "Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.

weeklyd3 commented Jan 9, 2022

Ugh. I'm in a Zoom meeting right now and I feel like leaving after reading this list.

jnaulty commented Jan 11, 2023

@typokign
New year, new zoom vulns! 🍾 🥳
