Zoom admits meetings don't use end-to-end encryption
Video conferencing app Zoom does not use end-to-end encryption, according to reports, despite specifically stating that it does on its website.
Though Zoom offers users the option to “enable an end-to-end (E2E) encrypted meeting,” and provides a green padlock that claims “Zoom is using an end to end encrypted connection,” the company this week admitted that offers no such thing.
A spokesperson for the company told The Intercept that, despite its claims, it was "currently not possible" to enable end-to-end encryption for its video meetings.
Instead, the spokesperson revealed, the service uses Transport Layer Security (TLS) which encrypts data between user's meetings and Zoom's servers. End-to-end refers to data encrypted between calls, blocking out third parties - which includes the service provider. As a result, the company can see and use the data for things like targeted ads.
"When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the spokesperson added.
Part of Zoom's appeal to organisations is its simplicity and the fact it can be used for free, albeit without any premium features, which lets businesses try it out before forking out any money. "Video conferencing is a fantastic necessity in times like these but it is vitally important to understand the security and privacy concerns that go in parallel with this increasingly popular form of communication," said Jake Moore, a cyber security specialist for ESET. "For social and light business meetings they are fine as long as users realise what data is being shared by Zoom to third parties. I certainly wouldn't recommend using free software for sensitive or private meetings."
Unpatched Zoom App Bug Lets Hackers Steal Your Windows Password
According to the latest finding by cybersecurity expert @_g0dmode, which was also confirmed by researcher Matthew Hickey and Mohamed A. Baset, the Zoom client for Windows is vulnerable to the 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems.The attack involves the SMBRelay technique wherein Windows automatically exposes a user's login username and NTLM password hashes to a remote SMB server when attempting to connect and download a file hosted on it.
The attack is possible only because Zoom for Windows supports remote UNC paths, which converts such potentially insecure URLs into hyperlinks for recipients in a personal or group chat.
To steal the login credential of user running zoom for Windows, all an attacker needs to do is sent a crafted URL (i.e. \\x.x.x.x\abc_file) to the victim over its chat interface, as shown, and wait for the victim to click it once.
To be noted, the captured passwords are not plaintext, but a weak one can easily be cracked in seconds using password cracking tools like HashCat or John the Ripper.
In a shared environment, like office space, stolen login details can be reused immediately to compromise other users or IT resources and launch further attacks.
Besides stealing Windows credentials, the flaw can also be exploited to launch any program already present on a targeted computer or downloaded as part of the attacker's social engineering campaign.
Zoom has already been notified of this bug, but since the flaw has not yet been patched, users are advised to either use an alternative video conferencing software or Zoom in your web browser instead of the dedicated client app.
Source(s) & more info: Hacker News, ITPro
