San Francisco Chronicle

Zoom user Dropbox IDs security bugs

- Natasha Singer and Nicole Perlroth

A year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees.

The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Zoom’s videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated.

Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.

“I don’t think a lot of these things were predictable,” said Alex Stamos, a former chief security officer at Facebook who recently signed on as a security adviser to Zoom. “It’s like everyone decided to drive their cars on water.”

The former Dropbox engineers, however, say Zoom’s woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk.

Dropbox, based in San Francisco, grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work.

As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.

After Dropbox presented the hackers’ findings from the Singapore event to Zoom Video Communications, the San Jose company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability only after another hacker publicized a different security flaw with the same root cause.

Vice’s Motherboard blog recently reported that security bug brokers were selling access — for $500,000 — to critical Zoom security flaws that could allow remote access into users’ computers. Separately, hackers put up more than half a million Zoom user names and passwords for sale on the Dark Web.

Zoom CEO Eric Yuan said this month that the company would devote all of its engineering resources for the next 90 days to shoring up security and privacy. The company announced a revamped reward program for hackers who find security flaws in its code. Stamos said Zoom is working on design changes to reduce the potential risks of security flaws and abuses like Zoombombing.

Even critics acknowledge that Zoom remains the most user-friendly videoconferencing service and that it has become a crucial communications tool during the pandemic. Security researchers also praised Zoom for improving its response times — quickly patching recent bugs and removing features that presented privacy risks.

Zoom is hardly the first tech company whose sudden popularity exposed its problems. Microsoft, Twitter, Google, Facebook and Uber have all settled federal charges related to consumer security or privacy.

What is different about Zoom is the unusual role that another tech company — Dropbox — played in pushing the videoconferencing service to address its security weaknesses. Details on Dropbox’s role have not been publicly reported before.

Many companies, including Zoom, have bug bounty programs, in which they pay hackers to turn over flaws in software code. But Dropbox, which has integrated its file-sharing services with Zoom, did something novel.

In 2018, Dropbox began to privately offer to pay top hackers it regularly worked with to find problems with Zoom’s software. It even had its own security engineers confirm the bugs and look for related problems before passing them on to Zoom, according to the former Dropbox engineers.

Hackers have reported several dozen problems with Zoom to Dropbox, the former employees said. These include moderate problems, like the ability for attackers to take over users’ actions on the Zoom web app, and more serious security flaws, like the ability for attackers to run malicious code on computers using Zoom software.

In early 2019, Dropbox sponsored HackerOne Singapore, the live hacking competition. To put pressure on Zoom to take security more seriously, former Dropbox engineers said, Dropbox included the videoconferencing service among companies for which it offered bug bounties at the event.

Even before the event began, one hacker reported a major vulnerability to Dropbox that could have allowed attackers to pose as Zoom over Wi-Fi and secretly observe users’ video calls, the former Dropbox engineers said.

Soon after, the two Australian hackers, an engineer and executive at Assetnote, a security company, uncovered the flaw that would have allowed an attacker to covertly take complete control of some Apple computers, according to a blog post published by the hackers.

The discovery was particularly jarring because attackers could have used the Zoom vulnerability to access the deepest levels of a user’s computer.

But Zoom did not quickly address the flaw. Instead, it waited more than three months until a third researcher independently uncovered and publicized a separate, less serious issue with the same underlying cause.

Yuan wrote a blog post apologizing for the delay.

“We misjudged the situation and did not respond quickly enough — and that’s on us,” Yuan wrote in the July post. He added: “We take user security incredibly seriously.”
