Zoom is once again being criticized for serious security vulnerabilities. For one thing, hackers were recently able to hijack Windows accounts via Zoom; for another, it seems most people hold video conferences without a password, which is insecure.
The video conferencing tool Zoom has gained tremendous popularity since the coronavirus epidemic started. At the same time, attacks by cybercriminals and criticism from data protection advocates have increased. Accordingly, Zoom boss Eric Yuan said on Wednesday that the company would focus on security patches and bug fixes in the coming months. The development of new functions for the app is on hold for now. Two current security gaps show how important this is.
Zoom gap allowed access to sensitive data
In one vulnerability, hackers were said to have had the opportunity to access sensitive data and emails until the gap was closed on Wednesday. IT security expert Matthew Hickey previously said he had managed to intercept a Zoom user’s username and Windows password. He had been able to transfer this to a server he controlled without being noticed. The attack was fairly easy to carry out, Hickey said.
Hickey, who works for the IT company Hacker House, was able to replicate this attack within 30 minutes. Users with company computers were particularly at risk.
Most people use Zoom for video conferences without a password
The popular security researcher Brian Krebs reported another problem on his blog, Krebsonsecurity. According to him, so-called Zoom bombing is possible primarily because of inadequate password protection. Zoom bombing refers to the unwanted entry of strangers into a Zoom conference.
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 pic.twitter.com/h0vB1Cp9Tb
— briankrebs (@briankrebs) April 2, 2020
According to Krebs, the zWarDial tool, which can detect Zoom video conferences not protected by a password, currently finds around 100 such meetings per hour. The tool cannot find password-protected Zoom video conferences. On the one hand, the problem lies with inattentive users who forget to secure their meetings. On the other hand, there also seems to be a problem with Zoom itself: the service should actually assign a password automatically, but in many cases this does not seem to work, according to Krebs.