Zoom made a mistake as early as 2019

On July 9, 2019, an article appeared in the business magazine Forbes with the title "Confirmed: Zoom security flaw exposes webcam Hijack risk, change settings now". The article addresses the findings of researcher Jonathan Leitschuh. A few months earlier, in April 2019, he had discovered that Zoom was by no means safe for its users. One of his findings was that Zoom's security specialists were barely aware of the weaknesses in the software.

One of the weaknesses was that when downloading Zoom, a web server was automatically installed on the user's device. The goal, according to Zoom, was to increase user convenience. Leitschuh argued that the disadvantage was that malicious parties could easily access it, which allowed them to take over the webcam. They did this by inviting users with a link to participate in a meeting, but DoS attacks could also be carried out. Even if the user uninstalled the app, the web server would then reinstall it, allowing the breach to continue.

Zoom's big mistake, according to Leitschuh, was using a local server. That was against any security rule and exposed millions of users to external attacks. It was also disappointing that Zoom waited a long time to respond and then made little effort to improve user safety. They did offer the researcher a so-called "bug bounty", a reward for uncovering weaknesses in the software. But they also asked him not to speak up. Leitschuh agreed to give Zoom 90 days to correct the defects. Zoom then took almost the full 90 days to fix its mistakes.

When the Forbes article appeared, Zoom had to admit that the measures it had taken were not sufficient. It was mainly the users of Apple iOS who were most at risk. That was experienced as a major embarrassment at Apple. How was it possible that something was hidden that had to be removed from the Apple platform? On July 10, it was announced that Apple itself had taken measures to permanently remove the hidden web server.

Anyone who thinks that Zoom had learned its lesson will be disappointed. In December, it was announced that Cisco Systems had started working with Zoom Communications a month earlier. Zoom Communications managed to bypass the security of Cisco's Video Device technology, exposing users of this technology to risks similar to those previously faced by users of Apple iOS. On November 18, Cisco demanded that Zoom take action, and on November 25, 2019, Zoom released a statement that the vulnerabilities had been corrected. Again, the defense was that Zoom attached great importance to ease of use and made it their main priority. And again, it seems they are putting users at high risk.

Further course of action ZOOM

We are currently recruiting and deduplicating data. The deduplication process checks the data to make sure there are no repeated statements. In addition, we believe that the daily developments around Zoom are closely monitored.

The next steps are:

  • Taking record of what happened to user data at Zoom
  • Taking record of the bases of possible legal actions
  • Extending this action within Europe and making contact with activists outside Europe

As a follow-up to this, we will also submit our findings to the relevant supervisory authorities. The most recent news in this area is that the Dutch Data Protection Authority has already warned against the use of Zoom today.

In addition, we will focus on improving and expanding our website functionalities for our users.

Call for Experts 

SOMI is a non-profit organization, founded to bring about changes through research and legal actions. Budget is available for part of the research and actions. We are looking for participants who want to contribute to the investigation, as well as investigative journalists or students who want to participate in the research regarding the Zoom action.