A recent report from The New York Times reveals that file-hosting service Dropbox privately paid hackers to find bugs in the software of video conferencing firm Zoom and then pressured the company to fix them. It reportedly took more than three months for Zoom to fix one of the security lapses identified by Dropbox.
In an article titled “Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox,” the New York Times outlines how the file-hosting service Dropbox became worried about the security of the video-conferencing app Zoom, which has become wildly popular during the Wuhan coronavirus pandemic as many people worldwide are forced to work from home.
Dropbox became so worried about the security of Zoom’s software that it began to offer rewards to hackers who could find vulnerabilities in Zoom’s apps. Former Dropbox engineers claim that they were stunned by the sheer number and severity of the security flaws the hackers discovered, and even more worried by Zoom’s slowness in fixing them. The New York Times writes:
After Dropbox presented the hackers’ findings from the Singapore event to Zoom Video Communications, the California company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability only after another hacker publicized a different security flaw with the same root cause.
Breitbart News recently reported that Zoom has been trying to improve its security measures following multiple media reports of privacy breaches, including a phenomenon known as “Zoom bombing” in which unauthorized users gain access to private Zoom calls.
The company has reportedly formed a new security advisory council to fix its “biggest trust, safety and privacy issues.” One member of the security council is reportedly Alex Stamos, Facebook’s former Chief Security Officer who served at the firm between 2015 and 2018. Stamos commented on the council in a post on Medium, stating: “Zoom has some important work to do in core application security, cryptographic design and infrastructure security, and I’m looking forward to working with Zoom’s engineering teams on those projects.”
The firm has reportedly released a new version of the app that removes the meeting ID from the title bar of calls so that it can’t be leaked via screenshots, which is how trolls were gaining access to private Zoom calls. The new version of the app also requires hosts to approve new attendees before they can join the meeting.
Dropbox employees were not the only ones investigating Zoom’s security issues. The NYT writes:
Dropbox employees weren’t the only ones finding problems. In late 2018, David Wells, a senior research engineer at Tenable, a security vulnerability assessment company, uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting — without even being on the call. Among other things, Mr. Wells reported that an attacker could take over a Zoom user’s screen controls, enter keystrokes and covertly install malware on their computer.
Mr. Wells also found the vulnerability allowed him to post messages in Zoom chats under other people’s names and kick people off meetings. Mr. Wells, who reported his findings directly to Zoom, said Zoom quickly patched the flaws.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address firstname.lastname@example.org