Chris Kranky


Zoom Security

Zoom faces its first security crisis, how did the CEO respond?

Chris Koehncke

Within the tech security community, Zoom got called out today for a potential security vulnerability in its use of the Mac webcam. Nothing strikes more fear in a user’s heart than the notion their webcam is secretly watching them. This fear is so great that users install little plastic covers to slide over the webcam, and newer laptops often have an embedded physical cover.

The headline “Zoom Communications can access your webcam without your knowledge” is fodder for a USAToday article.

With the posting of Jonathan Leitschuh’s blog article today, the pin was pulled on what could become a huge PR disaster for Zoom. What did Eric Yuan do as CEO to counter this? He joined a Zoom conference call with 250 security hackers!

Calmly, thoughtfully and with respect, he patiently responded to the group in technical terms. Eric is an engineer after all! Hard to imagine the CEO of a public company with a $25 billion market cap joining without a cadre of lawyers in tow. Solid move and the security group clearly respected the move by Eric.

Eric Yuan 3rd from left

The clickbait blog article clearly was heart stopping for the CEO of any public company (particularly as it was early in the trading day). This article wasn’t dropped on Zoom without warning, though. Rather, the security group had informed Zoom of their findings as far back as early March 2019.

Let’s dial this back a notch to try and understand what the real issues are. Zoom has long focused on making the application work fast and flawlessly. To enable this capability, they have to do some under the hood engineering moves.

Zoom allows you to use a standard URL to start a video conference. We’ve all done it. You click a link, a web page momentarily opens and then the Zoom client starts. Works well and frankly, I like how it operates.

However, if you take this same link and embed it into your own website and hide it — any Mac user visiting that page will immediately get a Zoom conference launched. Worse, if I set up the link properly, I can force YOUR video to start immediately showing me your camera. There might be a great reason I would legitimately want to do this, but like all good things, there is a dark side as well.

Similarly, if I were living on the darker side, I could create a Zoom link, embed it into my dark website and create a denial of service attack on your computer. Oh, joy! (Note: this has been patched in the current version.)

To make matters worse, the security team discovered the Zoom client was running a small web server on your Mac (note the blog article is Mac focused). This tiny web service was deployed to assist in downloading the Zoom client and starting a Zoom session. Zoom indicates they implemented this server to get around limitations that Apple Safari imposed. Unfortunately, if a handful of things go wrong, this server could be exploited for darker purposes. Having any web server sitting idle on your computer is mostly a bad idea.
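A defender's check for the kind of idle local web server described above, as an added example that is not from the original post or from Zoom: it parses `lsof -nP -iTCP -sTCP:LISTEN` output and lists processes listening on loopback that are not on an allowlist. The sample output, the process name `helperd` and the port numbers are constructed for illustration.

```python
import subprocess

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not a real capture).
SAMPLE = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    412 alice    4u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:49152 (LISTEN)
helperd     733 alice    9u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 127.0.0.1:18080 (LISTEN)
helperd     733 alice   10u  IPv6 0x1a2b3c4d5e6f7083      0t0  TCP [::1]:18080 (LISTEN)
postgres    901 alice    7u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_listeners(lsof_text):
    """Return one dict per listening TCP socket found in lsof output."""
    rows = []
    for line in lsof_text.splitlines():
        parts = line.split()
        # Data rows end with "<addr>:<port> (LISTEN)"; the header does not.
        if len(parts) < 10 or parts[-1] != "(LISTEN)":
            continue
        host, _, port = parts[-2].rpartition(":")  # keeps "[::1]" intact
        rows.append({"command": parts[0], "pid": int(parts[1]),
                     "host": host, "port": int(port),
                     "loopback": host in LOOPBACK})
    return rows


def unexpected_local_servers(lsof_text, expected=frozenset()):
    """Group loopback listeners by (command, pid), skipping allowlisted commands."""
    found = {}
    for row in parse_listeners(lsof_text):
        if row["loopback"] and row["command"] not in expected:
            found.setdefault((row["command"], row["pid"]), set()).add(row["port"])
    return {proc: sorted(ports) for proc, ports in found.items()}


def live_lsof():
    """Collect real data on a Mac or Linux host that has lsof installed."""
    return subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    hits = unexpected_local_servers(SAMPLE, expected={"postgres"})
    for (cmd, pid), ports in hits.items():
        print(f"{cmd} (pid {pid}) listens on loopback ports {ports}")
```

Binding to loopback keeps other machines out, but a page loaded in the local browser can still send requests to `127.0.0.1`, which is why such listeners are worth reviewing.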

Are these serious problems?

Yes and no. The blog headlines seem to blast this as a major problem. In reality, the worst that happens is the Zoom app opens and your camera light comes on. Clearly, this could be surprising, and you might well not notice if distracted.

Independent security experts are a mixed blessing for any CEO. They often find things that are a legitimate concern for protecting the user. The Zero Day Initiative Group has a well-prescribed 120-day window to cure before going public with their findings. Unfortunately for Zoom, today was day ZERO.

Eric Yuan’s bold and immediate reaction is noteworthy. But the question is: where was Zoom’s security team in the last 120 days? Why did it get to day ZERO before the CEO himself had to intervene? These are no doubt questions Zoom internally is trying to answer today.

Zoom remains a valuable communications application that works well enough that even a novice can use it. With its expanding popularity, though, it becomes a playground for hackers to exploit. Novice users are easily exploited, so it’s in Zoom’s best interest to take these security concerns seriously.

Note: Following broad news coverage today, true to form, Zoom quickly released a patch to address the bulk of the issues on the Mac. Current release version: 4.4.4 (53932.0709)