If you clicked Record to Cloud during a Zoom meeting, you might have assumed Zoom and the cloud storage provider would have password-protected your video by default once it was uploaded. And if you deleted that video from your Zoom account, you might have assumed it was gone for good. But in the latest example of the security problems that continue to plague Zoom, a security researcher found a vulnerability that turned those assumptions on their heads.
A week ago, Phil Guimond discovered a vulnerability that allowed someone to search for stored Zoom videos using share links that contain part of a URL, such as a company or organization name. The videos could then be downloaded and viewed. Guimond also created a tool, called Zoombo, that exploited a limitation of Zoom’s privacy protection, cracking passwords on videos that savvy users had manually protected. He discovered videos that were deleted remained available for several hours before disappearing.
(Disclosure: Guimond is an information security architect for CBS Interactive, of which CNET is a part, within the larger parent company of ViacomCBS.)
“Zoom has not considered security at all when developing their software,” Guimond told CNET. “Their offerings have some of the highest amount of low-hanging-fruit vulnerabilities in the industry for a mainstream product.”
On Saturday, Zoom rolled out an update after CNET inquired about the vulnerability. The app now adds a Captcha challenge when someone clicks on a share link. The update effectively stopped Zoombo, but left the core vulnerability unfixed. Hackers can still manually follow share links once a Captcha has been defeated. The company rolled out further security updates Tuesday to bolster the privacy of uploaded videos.
“Upon learning of this issue, we took immediate action to prevent brute-force attempts on password-protected recording pages by adding rate limit protections through reCaptcha,” a Zoom spokesman told CNET. “To further strengthen security, we have also implemented complex password rules for all future cloud recordings, and the password protection setting is now turned on by default.”
The new Zoom exploit was discovered as the video conference platform draws attention for security and privacy problems that have been exposed by the rapid growth of its user base. As the coronavirus pandemic forced millions of people to stay home over the past month, Zoom suddenly became the video meeting service of choice. Daily meeting participants on the platform surged from 10 million in December to 200 million in March.
As it grew in popularity, so did the number of people exposed to Zoom’s privacy risks, with concerns ranging from built-in attention-tracking features to “Zoombombing,” the practice of uninvited attendees breaking into and disrupting meetings with hate-filled or pornographic content. Zoom has also allegedly shared user data with Facebook, prompting at least three lawsuits against the company.
Share links are just what they sound like: links that users share to invite someone to a Zoom meeting. They’re simpler than a video’s lengthier permanent URL and usually include part of a company’s or organization’s name. Some share links can be found through URL-targeted Google searches, and the links’ corresponding videos could then be targets for malicious actors to download if users didn’t manually password-protect them. Even those that have been protected were previously limited in password length, making them vulnerable to attack.
Guimond, who said he presented his findings to Zoom but didn’t get a response, tried password-protecting his own videos because they weren’t protected by default. After that, he wrote some code to bombard Zoom with attempts to open the video, a process known as brute force. The passwords could be cracked, he said.
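The two mitigations the article describes, a complexity rule for recording passwords and a rate limit on failed attempts to open a password-protected recording page, are shown below in an added Python example written for this page. It is not Zoom's code and says nothing about how Zoom's servers are built; the recording id, the guess list, the eight-character three-class rule, the five-failure budget and the 60-second window are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not Zoom's settings).
MIN_LENGTH = 8          # minimum recording-password length
MAX_FAILURES = 5        # failed attempts allowed per recording per window
WINDOW_SECONDS = 60.0   # sliding window in which failures are counted
PBKDF2_ROUNDS = 100_000


def is_strong_recording_password(password: str) -> bool:
    """Hypothetical rule: MIN_LENGTH characters and three of four classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class ProtectedRecording:
    recording_id: str
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, recording_id: str, password: str) -> "ProtectedRecording":
        # Enforce the rule when protection is set, so weak passwords never exist.
        if not is_strong_recording_password(password):
            raise ValueError("recording password does not meet the complexity rule")
        salt = os.urandom(16)
        return cls(recording_id, salt, _derive(password, salt))

    def verify(self, supplied: str) -> bool:
        # Constant-time comparison of the derived values.
        return hmac.compare_digest(_derive(supplied, self.salt), self.digest)


class FailureLimiter:
    """Sliding-window count of failed attempts, keyed per recording so that
    guesses spread over many source addresses still share one budget."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock              # injectable so tests need not sleep
        self._failures = defaultdict(deque)

    def _prune(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key: str) -> bool:
        return len(self._prune(key, self.clock())) >= self.max_failures

    def record_failure(self, key: str) -> None:
        self._prune(key, self.clock()).append(self.clock())

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


def check_recording_access(limiter: FailureLimiter, rec: ProtectedRecording, supplied: str) -> str:
    """Return 'granted', 'denied' or 'rate_limited'. The budget is checked before
    the password, so a blocked caller learns nothing about the guess."""
    if limiter.is_blocked(rec.recording_id):
        return "rate_limited"
    if rec.verify(supplied):
        limiter.reset(rec.recording_id)
        return "granted"
    limiter.record_failure(rec.recording_id)
    return "denied"


class FakeClock:
    """Manual clock so the window can be advanced deterministically."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_guessing(guesses, correct="Tr0ub4dor&3"):
    """Run a constructed guess sequence against one recording and return the
    per-attempt outcomes, then retry the right password after the window ends."""
    clock = FakeClock()
    limiter = FailureLimiter(clock=clock)
    rec = ProtectedRecording.create("rec-constructed-001", correct)
    outcomes = [check_recording_access(limiter, rec, g) for g in guesses]
    clock.advance(WINDOW_SECONDS + 1)
    outcomes.append(check_recording_access(limiter, rec, correct))
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing(["000000", "111111", "222222", "333333", "444444", "Tr0ub4dor&3"]))
```

Keying the budget on the recording rather than on the caller's address is the design choice that matters: a per-address limit is defeated by spreading guesses across addresses, while a per-recording limit caps the total guess rate at the cost of letting a stranger temporarily lock out legitimate viewers, which is why the window is short and a correct password clears it. The complexity rule is what makes the remaining guess rate harmless; the article's point about the earlier length cap is exactly that a short password space can be exhausted even under a modest limit.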
A growing list of government entities domestically and globally have restricted the use of Zoom for state business. In early April, the German Ministry of Foreign Affairs reportedly cautioned staff against the software. Singapore banned teachers from using it to teach remotely.
In the same week, the US Senate reportedly told members to avoid using Zoom for remote work during the coronavirus lockdown.
One of Guimond’s core security concerns is that Zoom stores all Record to Cloud videos in a single bucket, the term for an unprotected swath of Amazon cloud storage space. Anyone can access a video if they have the link, a threat similar to one previously reported by The Washington Post, but which poses a more specific threat to corporate accounts.
Once someone obtains a video’s permanent link, they can also capture a Zoom meeting ID. That meeting ID could allow them to target a user individually, potentially opening up that user to Zoombombing and other privacy invasions.
To illustrate the potential privacy risk to companies, Guimond said that if someone were able to break into a corporate Slack conversation, a place where Zoom share links are routinely swapped, the hacker would have lots of opportunity to compromise corporate privacy.
“These [share links] don’t require authentication by default,” Guimond said. “You can even open them in a private window.”
Some Zoom changes
While Zoom’s Tuesday update changed the software’s default upload option to require some form of authentication, links to any videos recorded to the cloud prior to the update could still be vulnerable. In the company’s Tuesday blog post, Zoom said “existing shared recordings are not affected” by the updates.
Asked whether Zoom has taken any steps — or plans to — to protect the privacy of videos previously recorded to the cloud, the company urged users to take their own precautions.
“While we are not changing settings for existing recordings, if users wish to turn on password protection or restrict access to authenticated users, they can do so at any time and we welcome them to do so,” said the Zoom spokesman.
“In general, should hosts choose to share recordings publicly or with authenticated users, or upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations,” he said.
If you’re thinking it may be easier to simply delete those videos, you may need to allot more time. When Guimond looked into the security of permanent links associated with Zoom meetings, he found that deleted Zoom videos were still accessible for a few hours following deletion.
“If you add a password and delete the file, you reduce your risk,” he said. “But it may still exist on the [Amazon Web Services storage] bucket,” said Guimond.
When CNET inquired about Guimond’s discovery, Zoom said it would investigate the matter.
“Based on our current findings, the unique URL to access a recording view page immediately stops working after deletion, so it cannot be accessed,” said a Zoom spokesman. “However, if someone has recently watched the recording around the time it is deleted, they can continue to watch for a period of time before the viewing session expires. We continue to investigate the matter.”
Asked what users and organizations can do to improve the privacy and security of videos previously uploaded to the cloud, Guimond advised taking another look at the settings.
“I’d recommend you go back and password-protect them with a strong password, and possibly delete them afterwards,” he said.