Zoom security feature let unapproved users view meetings, researchers find

Zoom, the videoconferencing service that has exploded into the vacuum created by the Covid-19 outbreak, has endured the revelation of a string of privacy and security flaws in recent days. Now researchers have identified just such a flaw in a feature marketed specifically as a way to make meetings more secure.

Zoom said April 8 it had fixed a vulnerability with its Waiting Room feature.

The feature allows meeting hosts to keep would-be participants in a digital queue pending approval. Medical professionals could use it to host multiple telehealth appointments in a row, and hiring managers could conduct stacked video interviews, the company suggested in a February blog post.

As users have encountered problems with "zoombombing" — whereby participants interrupt and derail meetings, often by using offensive imagery or racist slurs — the company has pointed to the waiting room feature as a way to protect from this type of intrusion.

But security researchers examining the desktop client for vulnerabilities found that Zoom servers would automatically send live video data to users in the meeting's waiting room, even if they had not yet been approved to join by the person holding the meeting. These users were also sent the meeting's decryption key — the code needed to unlock secure communications. Users could hypothetically extract the live video stream, researchers said.

"If you were moderately technically sophisticated, you could watch what was going on while in the waiting room," said Bill Marczak, a fellow at the Citizen Lab and a postdoctoral researcher at UC Berkeley who found the vulnerability. An audio stream of the call, however, was not accessible.

Marczak said he and John Scott-Railton of the Citizen Lab notified Zoom last week. They detailed their findings in a report published Wednesday, after they received an email from the company saying the issue had been fixed.

On April 8, Zoom chief executive Eric Yuan mentioned during a webinar held to address privacy concerns that Zoom had fixed an issue with its waiting room feature.

"We updated our server. Our waiting room vulnerability is already fixed," Yuan said on the webinar. "From a server side, we did not send audio and video data to the waiting room client. However, we did send the session key.... We did not think that was safe, so we changed our server."

Yuan's comment did not align with what Marczak and Scott-Railton found, they wrote. The video stream was previously accessible, though the issue has since been fixed, Marczak said.
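To make the difference between the two accounts concrete, below is a constructed Python model of a waiting-room admission flow. It is an added illustration, not Zoom's code and not from the Citizen Lab report; the server, client and frame format are hypothetical, and a SHA-256 counter-mode keystream stands in for whatever media cipher the real service uses. The model has two independent switches: whether the server hands the session key to a client at join time, and whether it streams encrypted frames to clients still in the waiting room. Yuan's description corresponds to key-at-join without streaming; the researchers' finding corresponds to both switches on; the fix is both switches off, with the key issued only when the host admits the client.

```python
"""Waiting-room admission model (constructed illustration, not Zoom's code)."""
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream derived with SHA-256; a stand-in for the
    # real media cipher, chosen only so the example runs with the stdlib.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_frame(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class Client:
    def __init__(self, name: str):
        self.name = name
        self.session_key = None   # only the server can set this
        self.received = []        # (nonce, ciphertext) pairs delivered to us

    def recover_video(self):
        # A "moderately technically sophisticated" participant can decrypt
        # every frame the server delivered, provided they hold the key.
        if self.session_key is None:
            return None
        return [xor_frame(self.session_key, n, ct) for n, ct in self.received]


class MeetingServer:
    def __init__(self, send_key_at_join: bool, stream_to_waiting: bool):
        self.send_key_at_join = send_key_at_join
        self.stream_to_waiting = stream_to_waiting
        self.session_key = secrets.token_bytes(32)
        self.waiting = {}
        self.admitted = {}
        self.frame_no = 0

    def join(self, client: Client):
        self.waiting[client.name] = client
        if self.send_key_at_join:
            # Pre-fix behaviour: the waiting room is then only a UI gate,
            # because the key is the real boundary on who can read media.
            client.session_key = self.session_key

    def admit(self, name: str):
        client = self.waiting.pop(name)
        self.admitted[name] = client
        client.session_key = self.session_key  # issued on host approval

    def broadcast(self, frame: bytes):
        nonce = self.frame_no.to_bytes(8, "big")
        self.frame_no += 1
        ct = xor_frame(self.session_key, nonce, frame)
        recipients = list(self.admitted.values())
        if self.stream_to_waiting:
            recipients += list(self.waiting.values())
        for c in recipients:
            c.received.append((nonce, ct))


def run_scenario(send_key_at_join: bool, stream_to_waiting: bool) -> dict:
    # Host is admitted; "lurker" joins and is never admitted.
    server = MeetingServer(send_key_at_join, stream_to_waiting)
    host, lurker = Client("host"), Client("lurker")
    server.join(host)
    server.admit("host")
    server.join(lurker)
    frames = [b"frame-1 confidential", b"frame-2 patient notes"]  # constructed
    for f in frames:
        server.broadcast(f)
    return {
        "host": host.recover_video(),
        "lurker": lurker.recover_video(),
        "lurker_has_key": lurker.session_key is not None,
        "lurker_frames_delivered": len(lurker.received),
    }


if __name__ == "__main__":
    for label, cfg in [("researchers' finding", (True, True)),
                       ("Yuan's description", (True, False)),
                       ("fixed", (False, False))]:
        print(label, run_scenario(*cfg))
```

The check a practitioner takes from this: a session key delivered before authorization makes the admission decision cosmetic, even when no media is being streamed, because any frame that later reaches the client (or is captured on the wire) is readable. The hardened path ties key issuance to the host's admit action and sends nothing to unapproved clients.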

Zoom did not immediately respond to a request for comment about this discrepancy. — Los Angeles Times/Tribune News Service
