Skip to main content

Zoom apologises for major security vulnerabilities, promises fixes

(Image credit: Shutterstock)

Video calling app Zoom has announced it will be freezing product development to focus on boosting the security of its services following several high-profile security issues.

In a blog post, CEO Eric S. Yuan revealed that Zoom saw 200 million daily meeting participants in March, a huge rise from the 10 million daily users it welcomed in December.

However he admitted that work in securing the app had not seen a similar scale of growth, and pledge to improve this going forward.

Zoom has seen an explosion in users over the past few weeks as workers around the world embrace a new era of working from home, but now its security protection is being called into question.

“Our platform was built primarily for enterprise customers,” Yuan said. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,” Yuan added . “We are also committed to being transparent throughout this process.”

Zoom's entire engineering team will now pivot to working on safety and security, with the company also planning a “comprehensive" review of its services along with third-parties.

(Image credit: Shutterstock.com / Askobol)

Zoom has since attracted a lot of attention from security researchers and cybercriminals alike, with a number of worrying security flaws affecting Windows and Mac devices uncovered recently.

On Windows devices, one expert found that criminals could exploit a flaw in the Zoom chat feature to steal login details. Speaking on Twitter, the researcher known as @_godmode outlined how the part of Zoom's chat feature that converts URLs into hyperlinks can also do the same for Windows networking UNC paths, turning them into a clickable link that if accessed, could reveal login information.

Another expert revealed two bugs affecting Zoom on Apple Mac devices. One flaw would allow criminals to hijack a victims device, one of which exploited Zoom’s access rights on a device to give hackers control of the webcam and microphone.

A seperate flaw discovered by the same security researcher, Patrick Wardle, could allow a hacker to inject malicious code into Zoom's installer program, giving access to the device's operating system and allowing them to install malware without the victimnoticing. 

Zoom was also criticised earlier this week after it was discovered that the app does not offer end-to-end encryption, as promised on its website. Instead, it uses Transport encryption, a Transport Layer Security (TLS) protocol which means that although others won't be able to access your data, Zoom will still be able to.

Via Bleeping Computer / CityAM