Video conferencing for work is almost always uneventful, where one party presents, many tune in and listen (or laugh at the smallest things), and some cause sound dropouts on their end. But there’s a different kind of excitement that you don’t want happening to you during these online business meetings: a Zoom bug taking over.
Picture this: an unauthorized party (let’s call it a hacker) takes control of your screen during the Zoom meeting and then sends lewd and inappropriate messages to the other attendees. This was a recent issue for Zoom with a new vulnerability in its desktop app for its video chat service.
The good news, however, is Zoom has already successfully patched this serious video conferencing bug.
Zoom Bug: The Nasty Details
Cybersecurity researcher David Wells of Tenable made the discovery in Zoom’s desktop app, describing it as something that let an attacker take control of an unsuspecting user’s screen and send chat messages on his or her behalf. The attack also kicked people out of the videocon!
The issue involved UDP packets, a familiar weak point in Internet of Things (IoT) devices. With this Zoom bug, any message the Windows, Mac, and Linux apps received was processed at face value, without checking where it came from. This meant that the attacker could send crafted packets and have free rein to do everything, from joining the private call to kicking other participants off it.
“This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers,” explained the Tenable blog.
The Zoom app vulnerability essentially allowed an attacker or rogue attendee to:
- Hijack screen controls, which bypasses permissions and lets the attacker send keystrokes and mouse movements in order to take full control of the desktop.
- Spoof chat messages, which impersonates legitimate users on the call.
- Kick attendees off the call even without being the host.
As described in the post, the flaw surfaced due to improper message validation: the client did not verify that control messages actually arrived over the authenticated server channel. A malicious entity simply needed to know the Zoom server’s IP address to exploit the vulnerability.
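To make the bug class concrete, here is an added example (not Zoom’s or Tenable’s code) of a toy control-message dispatcher in the vulnerable shape and in a hardened shape. The message format, the channel names, the message kinds, and the sample traffic are all assumptions constructed for illustration; the point is that privileged actions (chat, remote control, kicking) must only be honoured when the message provably came from the authenticated server channel, and that rejected messages are worth logging as a detection signal.

```python
"""
Added example (not Zoom's or Tenable's code): a toy dispatcher showing the
bug class behind CVE-2018-15715, improper message validation, next to a
hardened version. Channel names, message kinds and sample traffic are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    TCP_SERVER = "tcp-server"   # authenticated session with the conferencing server
    UDP_MEDIA = "udp-media"     # unauthenticated datagrams, e.g. audio/video streams


@dataclass
class Message:
    kind: str         # e.g. "chat", "remote_control", "kick", "media"
    payload: str
    channel: Channel  # the transport the message actually arrived on


# Message kinds that may only be acted on if they came from the server channel
PRIVILEGED_KINDS = {"remote_control", "kick", "chat"}


class VulnerableDispatcher:
    """Trusts every message regardless of transport: the bug class."""

    def __init__(self):
        self.log = []

    def dispatch(self, msg):
        # No provenance check: a spoofed datagram is handled like a server message
        self.log.append((msg.kind, msg.payload))
        return True


class HardenedDispatcher:
    """Honours privileged messages only from the authenticated TCP channel."""

    def __init__(self):
        self.log = []
        self.rejected = []   # audit trail: feed this to detection/alerting

    def dispatch(self, msg):
        if msg.kind in PRIVILEGED_KINDS and msg.channel is not Channel.TCP_SERVER:
            # Control message arriving over the wrong transport: drop and record it
            self.rejected.append((msg.kind, msg.channel.value))
            return False
        self.log.append((msg.kind, msg.payload))
        return True


# Constructed sample traffic: a legitimate server message, a spoofed control
# datagram, and an ordinary media datagram that should still be accepted.
SAMPLE = [
    Message("chat", "hello from the host", Channel.TCP_SERVER),
    Message("remote_control", "grant", Channel.UDP_MEDIA),
    Message("media", "rtp-frame", Channel.UDP_MEDIA),
]


def run(dispatcher, messages=SAMPLE):
    """Dispatch each message and return the list of accept/reject decisions."""
    return [dispatcher.dispatch(m) for m in messages]


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableDispatcher()))
    hardened = HardenedDispatcher()
    print("hardened:  ", run(hardened))
    print("rejected:  ", hardened.rejected)
```

The hardened dispatcher still accepts media over UDP; it only refuses to let an unauthenticated transport carry control semantics. In a real client the channel check would be backed by the authenticated session itself (for example a per-session key or message authentication code), and the `rejected` list is the kind of event an operator would want surfaced in logs.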
The Zoom Client for Meetings Message Spoofing Vulnerability had the official code CVE-2018-15715. It affected the following versions:
- Windows 10, Zoom 4.1.33259.0925
- macOS 10.13, Zoom 4.1.33259.0925
- Ubuntu 14.04, Zoom 2.4.129780.0915
Zoom’s Swift Action
Zoom, which has some 750,000 companies using its services, acted immediately after Wells reported the bug. It patched its server in order to protect users from any potential attack.
In addition, it released updates to its Windows, Mac, and Linux apps to further fix the issue. Its latest app versions are 4.1.34814.1119 for Windows and 4.1.34801.1116 for Mac OS. Users, though, will have to manually update theirs for protection from being hijacked in the middle of a call.
Zoom commits to keeping your information safe through encryption whenever you sign in through its site, software, or app. But here are some additional tips for a secure Zoom experience:
- Never store your passwords in plain text, which opens up opportunities for malware to gain access to your files.
- When discussing sensitive topics during the meeting, use a room password to lock out undesired “surprise” participants. This layer of protection is particularly useful for permanent meeting rooms that former employees may know about.
- Keep the “Join before host” notification on, or disable “Join before host” if you prefer that no one gets into the meeting room before you are in there.
- Store Zoom recordings properly. Beware that if you’re storing them on the cloud, someone could break into the service and have access to the recordings. So instead of depending on a third-party storage provider, it might be better to encrypt the files yourself on your system and store them in your most preferred way.
- Keep your computer clean and optimized for top performance. A reliable third-party PC repair tool can diagnose your Windows system, clean out junk files in one go, and identify crucial speed and stability issues.
The recently discovered and disclosed Zoom app vulnerability put business meetings at risk by disrupting conferences, hijacking screen controls, spoofing chat messages, and kicking attendees out of the call.
Zoom swiftly addressed the problem by patching its server and releasing updates to its Windows, Mac, and Linux apps.
Were you affected by this recent Zoom bug? Tell us about your experience!