Zoom found leaking personal user data, could also facilitate stealing your Windows sign-in credentials (updated)

[Andrew]

Zoom's sky-rocketing popularity seems to be a mixed blessing for the company, as yet another privacy issue crept up this week, involving leakage of personal information of thousands of users by exposing their email address and photo to strangers on the platform and potentially enabling the latter to initiate unwanted video calls.

...

Update: In addition to the aforementioned problem, it's been documented (as reported by Bleeping Computer) that because of how Zoom handles URLs in group chats, any URL you send/receive is converted into a hyperlink. However, this could be used maliciously, if instead of sending a web link, you receive a UNC path (Universal Naming Convention), this will also be converted to a link.

 

UNC paths are typically used for networking and file sharing (for example, \\127.0.0.1\C$\windows\system32\calc.exe). An unsuspecting user could click a malicious link, which would make Windows try to connect to a remote host using the Server Message Block (SMB) network file-sharing protocol. By default, Windows will send the user's login name and their NTLM password hash, which can be easily cracked.

 

Source

[Alex]

That's not good, especially since Governments have been shown to use Zoom.

[Andrew]

Yeah, they're idiots when it comes to technology. They have repeatedly tried to get bills to pass that force companies to put backdoors in their encryption despite every major tech company saying it's a really dumb idea for many reasons.

[ENTERPRISE]

Man that is a gaping flaw. Spiking the UNC,oh dear lol

[tictoc]

Additionally Zoom is not end to end encrypted, regardless of what their marketing info says. The only encryption that is happening in video calls is the data that is streamed over the line. No different really than any https connection. All of the data on Zoom's severs is available to anyone in Zoom.

 

They did update their privacy policy to specify that malware (ad tracking and selling) is only on their web pages, and they are not mining calls and chats to sell to 3rd parties. https://blogs.harvard.edu/doc/2020/03/27/zoom/

 

E2E encryption is hard for spur of the moment teleconferencing, but the fact that they have tried to redefine what the term means is pretty shady in my opinion.

[ENTERPRISE]

The whole operation seems way shady. As far as I am concerned, any Comms app has to have end to end encryption, otherwise no thanks ! Scary thing is businesses use this !

 

It amazes me how businesses especially, do not check into the software they are using.