A silver lining for video conferencing software maker Zoom during the coronavirus crisis is that demand for its product is up, as millions of Americans staying at home have relied on the service to stay connected with family, friends and co-workers.
But the downside of that burgeoning growth in users and usage is that Zoom has become a target for wrongdoers and potential hackers.
Uninvited guests who are “zoom-bombing” online gatherings on Zoom have become a big enough problem that the Federal Bureau of Investigation is on the case. And Zoom reportedly had to update its software recently to prevent it from sending data from iOS device users to Facebook.
Now, Zoom faces two additional security flaws that could be used to hijack a Zoom user’s Mac computer and access the webcam and microphone. Patrick Wardle, a former NSA hacker who now works with Jamf, an Apple enterprise management software firm, revealed the bugs on his blog, first reported on by TechCrunch.
Even though Zoom has become popular and critical, Wardle says, “if you value either your (cyber) security or privacy, you may want to think twice about using (the macOS version of) the app.”
This new Mac vulnerability can work similarly to a malicious app uploaded onto your phone to get inside, for example, a banking app and control it, says Zack Allen, director of threat intelligence at cybersecurity firm ZeroFOX. Another weakness could let an attacker get access to your online meeting and send messages to attendees that, if clicked, would install malware on your computer, he says.
Other Zoom security issues have been reported recently. A flaw identified by Matthew Hickey of cybersecurity firm Hacker House, and first reported Wednesday by tech site iTnews, could let a hacker get credential data and remotely access Windows computers on corporate networks.
Tech news site Motherboard reported Wednesday that Zoom was sharing the email addresses and photos of at least thousands of Zoom users who signed up with an email address sharing the same domain.
Zoom did not immediately respond to a request for comment on the security flaws.
New York Attorney General Letitia James on Monday sent a letter to Zoom with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security, a spokesman told USA TODAY. The letter was first reported by The New York Times.
The attorney general’s letter came after a lawsuit filed Monday, first reported by Bloomberg, charged Zoom with sharing information about the user, the device, phone carrier and other data. The suit followed Motherboard’s analysis of the Zoom iOS app, which found when the app was used it sent information from the device to Facebook even if the user didn’t have Facebook on the device. Zoom, subsequently, updated its app to prevent the sending of information, the company told Motherboard.
Zoom says it has never sold – nor plans to sell – users’ data and does not monitor video meetings or their contents, the company said in a statement posted Sunday on its blog. “Zoom takes its users’ privacy extremely seriously. Zoom collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively under a wide variety of settings in which our users may be operating,” the company said.
Zoom-bombing disrupts connections
The zoom-bombing situation attracted attention earlier this week after an Alcoholics Anonymous meeting in New York was interrupted by a man hollering misogynistic and anti-Semitic slurs and saying things such as, “Alcohol is soooo good,” Business Insider reported.
In other incidents reported to the FBI, a Massachusetts high school online class was interrupted by a person cursing and then shouting the teacher’s home address, and in a separate Massachusetts school meeting an unidentified person appeared on video displaying swastika tattoos.
“As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called Zoom-bombing) are emerging nationwide,” the FBI Boston field office said in its warning. “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”
As more people across the globe have been told to stay at home to prevent the spread of the COVID-19 virus, Zoom has seen its traffic skyrocket. Zoom has been the No. 1 app for most of the month on Apptopia’s app store chart, the tracking firm says. In March, Zoom was downloaded approximately 40 million times worldwide, outpacing social media apps Facebook, Snapchat or TikTok.
During March, daily downloads of Zoom in the U.S. rose more than 1,000%, from 29,802 to 339,701, Apptopia says.
In mid-March, Zoom CEO Eric Yuan lifted time limits on Zoom sessions for all K-12 schools in the U.S., Italy and Japan, a move first reported by Forbes. Typically, Zoom’s free version limits video sessions to 40 minutes. The company had already lifted limits for China and other countries affected by the coronavirus crisis.
Individuals can upgrade to a Standard Pro account for $14.99 monthly for unlimited length sessions.
The latest security vulnerabilities should not stop teachers and others from using Zoom, ZeroFox’s Allen says. “WFH cannot stop. The economy depends on it, so stopping the use of tools like Zoom will be hard for everyday users,” he said.
Tips to control your Zoom meetings
ZeroFox is working on new capabilities to help companies using Zoom for business, he says. For others there are some simple ways to reduce risks, from ZeroFox, Zoom and the FBI:
• Don’t make meetings or classes public. You can require participants use a password or the meeting manager can make participants first appear in the waiting room and be admitted individually. “Create a waiting room and only let people in that you know and add a meeting password,” Allen said.
• Invite with care. Do not share links to your meeting on social media. Email or text them directly to participants.
• Limit screen sharing. Hosts can prevent others from posting video by changing the screen sharing options to “Host Only.”
• Lock the door. You can close your meeting to newcomers once everyone has arrived. Hosts can click the Participants tab at the bottom of the Zoom window to get a popup menu and then choose the Lock Meeting option.
• Use your silencer features. You can disable video for participants and also mute all or an individual attendee.
• Cut out the chatter. The host can disable the ability to text chat during the session, too, to prevent the delivery of unwanted messages.
• Boot the uninvited. Hosts can remove a participant by putting the mouse over that name and choosing the Remove option. Allen notes that you can check off to not allow people to rejoin meetings if they were removed.
• Preparation. Make sure participants have the latest version of Zoom’s software, which was updated in January. That update added meeting passwords by default and disabled a feature allowing users to randomly scan for meetings to join.
Follow USA TODAY reporter Mike Snider on Twitter: @MikeSnider.