Earlier this week video teleconferencing company Zoom fixed an issue that would have allowed users in Zoom “waiting rooms” to spy on meetings even if they weren’t approved to attend them, according to researchers at Toronto-based Citizen Lab.
Before the fix, which was issued on Sunday, Zoom servers automatically sent the live meeting stream and the meeting's decryption key to users in the waiting room, where they are held until the host approves them to join. As a result, a user who had never been approved could still eavesdrop on the meeting.
“Because users in a Zoom waiting room are not yet approved to join the meeting, and Zoom’s documentation appears to promote waiting rooms as a confidentiality feature, we assessed that this issue could represent a security concern,” Bill Marczak, a senior research fellow at Citizen Lab, and John Scott-Railton, a senior researcher at Citizen Lab, write in a blog post on the issue.
The vulnerability would have been particularly relevant for users concerned about the safety of their Zoom meetings. As Zoom has faced a host of reports detailing other security and privacy issues, advocates for privacy and security have promoted the waiting room feature as a way to prevent uninvited users from barging into meetings, a practice more commonly known as “zoombombing.”
Until this week, however, even users who were not approved to join meetings could have gained access to the meeting’s AES-128 key and decrypted the meeting’s live video stream from their Internet traffic, according to Marczak and Scott-Railton.
The vulnerability would have been “relatively straightforward” for a user with “moderate technical sophistication” to exploit, so Citizen Lab held off public disclosure of the vulnerability until it was mitigated.
“Zoom quickly addressed the waiting room issue we identified, and communicated straightforwardly and professionally with us throughout the disclosure process,” Marczak and Scott-Railton write.
It’s the latest evidence that Zoom is working to address security and privacy concerns about its video teleconferencing platform as use surges around the world amid stay-at-home orders intended to fend off the spread of the novel coronavirus.
Other researchers disclosed last week that if attackers had physical access to victim devices, they could gain access to victims’ webcams and microphones via Zoom, as well as an issue where Zoom was leaking email addresses and user photos. Zoom is also now facing a class-action lawsuit over allegations it was sharing user data with Facebook in violation of California’s new privacy law.
Zoom has also paid a bug bounty to independent security researcher Youssef Abdullah, who found late last month that an attacker who tried to attach a Facebook account to a Zoom account using an organization’s email address already in Zoom’s database could have gained access to all email accounts associated with that organization. Zoom fixed the issue early this month.
In a blog post published last week following a flurry of researchers disclosing Zoom vulnerabilities, Zoom CEO Eric S. Yuan pledged to refocus the company’s engineers on security and privacy programs, rather than usability.
“We recognize that vendors of video conferencing products need to provide friction-free, low-latency experiences for their users, or risk losing customers,” Citizen Lab’s Marczak and Scott-Railton write. “Indeed, the bug that we identified may have its origins in this same pressure: meeting video and decryption keys were provided to waiting room users, perhaps in order to make admittance to the meeting nearly instantaneous.”
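To make the design flaw concrete, here is an added model (not Zoom's code or Citizen Lab's) of a meeting server with a waiting room: the "eager" variant hands the meeting key and media to a client as soon as it asks to join, as the article describes, while the fixed variant releases both only after the host admits the client. The `MeetingServer`, `Participant` and `unapproved_with_access` names, and the random 16-byte key standing in for the AES-128 meeting key, are all constructed for this illustration.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Participant:
    """What one client has received from the server so far."""
    name: str
    admitted: bool = False
    key: Optional[bytes] = None                 # meeting decryption key, if delivered
    frames: List[bytes] = field(default_factory=list)  # media frames delivered


class MeetingServer:
    """Constructed model of a meeting with a waiting room (illustrative only)."""

    def __init__(self, eager_key_delivery: bool):
        self.meeting_key = os.urandom(16)        # stands in for the AES-128 meeting key
        self.eager = eager_key_delivery          # True reproduces the flawed behaviour
        self.participants: Dict[str, Participant] = {}

    def request_join(self, name: str) -> Participant:
        p = Participant(name)
        self.participants[name] = p
        if self.eager:
            # Flawed design: key sent before the host has approved the client,
            # presumably so that admission later feels instantaneous.
            p.key = self.meeting_key
        return p

    def admit(self, name: str) -> None:
        p = self.participants[name]
        p.admitted = True
        p.key = self.meeting_key                 # fixed design: key released only here

    def broadcast(self, frame: bytes) -> None:
        for p in self.participants.values():
            if self.eager or p.admitted:         # fixed design: media only to admitted clients
                p.frames.append(frame)


def unapproved_with_access(server: MeetingServer) -> List[str]:
    """Invariant check: no unadmitted client should hold the key or any media."""
    return sorted(n for n, p in server.participants.items()
                  if not p.admitted and (p.key is not None or p.frames))
```

Running `unapproved_with_access` after a join request and a broadcast flags the waiting-room user under the eager design and returns an empty list under the fixed one.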