Suddenly, the known world changed. Normality was transformed into a new global dimension in which teleworking and social isolation have become established in the lives of millions of people. In the midst of this unprecedented health crisis, a series of digital communication tools have emerged in recent weeks that try to mitigate the effects of confinement. Video call application traffic has exploded. Among them is Zoom, one of the tools that has become fashionable but that, nevertheless, presents serious security flaws.

The tool, created in 2011 by a US company founded by Eric Yuan, has gained relevance because of the Covid-19 coronavirus, but in recent weeks some technical weaknesses have been revealed that, according to computer security experts, can compromise the personal data of its users. One of them, although acknowledged and corrected, was the discovery that the application sent personal information to the social network Facebook. Among the data sent was the user’s browsing information on the service: when the application opens, device details, location, telephone carrier and a unique advertising identifier used for targeted advertising.

Under the scrutiny of authorities and industry experts, security problems are mounting. Now, sources from the specialized outlet “Bleeping Computer” have asserted that Zoom’s client for Windows computers may be leaking login data (username and password) to cyber attackers. This vulnerability affects the chat service integrated within the platform, which does not correctly handle UNC paths, the notation used to locate files within a network of computers, referred to in computer slang as absolute paths.

In other words, as a general rule, digital services turn a typed web address into a hyperlink (clickable), allowing users to open it in a browser. In this case, the video call client allows UNC paths to work as links as well. The demo images show how both a normal URL and the UNC path \\evil.server.com\images\cat.jpg became clickable links in the chat message. This gap could thus allow a person outside the organization, with the appropriate knowledge, to steal the user’s credentials within a company’s local network.

In a telephone conversation with this newspaper, Luis Corrons, security evangelist at the security firm Avast in Spain, considers that a cyber attack taking advantage of this vulnerability “is not so simple” and presents “limited risk”, although he describes it as “very dangerous” if carried out. This expert recalls that the application “has always been more oriented towards a professional perspective”, but the fact that it has made the leap to a recreational environment has exposed “certain risks”.

And he gives a practical example to understand it: “If you have mail in Hotmail or Gmail, the most widespread, you are not going to see the rest of the users, but what if there is a generic domain that Zoom does not know? It is possible that I consider it as a company and that all the contacts could appear in the directory of my contacts,” he points out. “It is a very limited attack but it can be very dangerous. It is not the typical massive attack, but a remote-controlled attack must be carried out on a certain person to steal their passwords. The solution is simple; all Zoom has to do is not give the user the option of opening links on remote computers,” he says.
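The two points above, that the chat client turns UNC paths such as \\evil.server.com\images\cat.jpg into clickable links and that the fix is simply not to offer those links at all, can be illustrated with a small defensive linkifier. The following is an added example written for this article, not Zoom’s code nor anything from Bleeping Computer: it converts only http(s) web addresses into anchors, leaves UNC paths as inert escaped text, and separately reports which messages contain UNC paths so an administrator can review or alert on them. The sample messages are constructed for the demonstration.

```python
import html
import re

# Constructed sample chat messages (not taken from the article).
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf",
    r"Look at this: \\evil.server.com\images\cat.jpg",
    "Mixed: http://example.org and \\\\share.internal\\docs\\q1.xlsx",
    "plain text, nothing to link",
]

# Only web schemes are ever turned into links. file: and bare \\host\share
# notations are deliberately absent, so the client never offers a click
# that would make Windows open a connection to a remote file server.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# \\host\share\... as it appears in a message (two leading backslashes,
# a host name, then at least one more backslash).
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s<>\"']*")


def find_unc_paths(text):
    """Return every UNC path found in a chat message (for logging or alerting)."""
    return UNC_RE.findall(text)


def linkify(text):
    """HTML-escape a message and wrap only http(s) URLs in anchors.

    Anything else, including UNC paths, is emitted as plain escaped text,
    which is the behaviour Corrons describes as the simple fix.
    """
    out = []
    pos = 0
    for match in URL_RE.finditer(text):
        out.append(html.escape(text[pos:match.start()]))
        url = match.group(0)
        out.append(
            '<a href="%s" rel="noopener noreferrer">%s</a>'
            % (html.escape(url, quote=True), html.escape(url))
        )
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def scan_messages(messages):
    """Return the indexes of messages that carry at least one UNC path."""
    return [i for i, msg in enumerate(messages) if find_unc_paths(msg)]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        flagged = " [UNC path present]" if find_unc_paths(msg) else ""
        print("%d%s: %s" % (i, flagged, linkify(msg)))
```

Running the script renders message 0 with a clickable web link, while messages 1 and 2 keep their UNC paths as plain text and are flagged for review; the scan function gives a moderator or a log pipeline the same list without rendering anything.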

In addition to these, other experts have discovered further vulnerabilities in Zoom that affect the security of its video calls, which are not protected by default with “end-to-end” encryption, as reported by “The Intercept”. This means that the company that owns the service could access its users’ communications, unlike other communication services such as WhatsApp or Telegram.