How Dropbox, and Australian hackers, uncovered Zoom's biggest flaws


By Natasha Singer and Nicole Perlroth

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees.

The hackers soon uncovered a major security vulnerability in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom's videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated.

Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like primary school classes and family celebrations — for which it was never intended.

"I don't think a lot of these things were predictable," said Alex Stamos, a former chief security officer at Facebook who recently signed on as a security adviser to Zoom. "It's like everyone decided to drive their cars on water."

The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk.

Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorised to publicly discuss their work.

As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom's code, and troubled by Zoom's slowness in fixing them.


After Dropbox presented the hackers' findings from the Singapore event to Zoom Video Communications, the California company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability only after another hacker publicised a different security flaw with the same root cause.

Zoom's sudden popularity — nearly 600,000 people downloaded the app on a single day last month — has opened it to increased scrutiny by researchers and journalists and forced the company to grapple with a rash of security incidents.

Three weeks ago in the US, the FBI warned that it had received multiple reports of trolls hijacking public school classes on Zoom to display pornography and make threats, malicious attacks known as "Zoombombing."

Last week, Vice's Motherboard blog reported that security bug brokers were selling access — for $US500,000 — to critical Zoom security flaws that could allow remote access into users' computers. Separately, hackers put up more than half a million Zoom users' passwords and user names for sale on the so-called dark web.

On April 1 Eric Yuan, Zoom's chief executive, said the company would devote all of its engineering resources for the next 90 days to shoring up security and privacy. Last week, the company announced a revamped reward program for hackers who find security flaws in its code. Stamos said Zoom was also working on design changes to reduce the potential risks of security flaws and abuses like Zoombombing.

Even critics acknowledge that Zoom remains the most user-friendly videoconferencing service on the market and has become a crucial communications tool during the pandemic. Security researchers also praised Zoom for improving its response times, quickly patching recent bugs and removing features that presented privacy risks to consumers.

Zoom is hardly the first tech company whose sudden surge in popularity exposed its problems. Microsoft, Twitter, Google, Facebook and Uber have all settled charges related to consumer security or privacy.


What is different about Zoom is the unusual role that another tech company — Dropbox — played in pushing the videoconferencing service to address its security weaknesses. Details on Dropbox's role have not been publicly reported before.

Many companies, including Zoom, have "bug bounty programs" in which they pay hackers to turn over flaws in the company's own software code. But Dropbox, which has integrated its file-sharing services with Zoom, did something novel.

Starting in 2018, Dropbox privately offered to pay top hackers it regularly worked with to find problems with Zoom's software. It even had its own security engineers confirm the bugs and look for related problems before passing them on to Zoom, according to the former Dropbox engineers.

Hackers have reported several dozen problems with Zoom to Dropbox, the former employees said. These included moderate problems, like the ability for attackers to take over users' actions on the Zoom web app, and more serious security flaws like the ability for attackers to run malicious code on computers using Zoom software. Dropbox also put in its own controls to ensure that its integration with Zoom did not present risks to Dropbox users.

In early 2019, Dropbox sponsored HackerOne Singapore, the live hacking competition. To put pressure on Zoom to take security more seriously, former Dropbox engineers said, Dropbox included the videoconferencing service among companies for which it offered bug bounties at the event.

Even before the event began, one hacker reported a major vulnerability to Dropbox that could have allowed attackers to pose as Zoom over Wi-Fi and secretly observe users' video calls, the former Dropbox engineers said.

Soon after, the two Australian hackers — an engineer and executive at Brisbane-based Assetnote, a security company — uncovered the flaw that would have allowed an attacker to covertly take complete control of certain computers running Apple's macOS, according to a blog post published by the hackers.


The discovery was particularly jarring because attackers could have used the Zoom vulnerability to gain access to the deepest levels of a user's computer.

But Zoom did not quickly address the flaw. Instead, the company waited more than three months until a third researcher independently uncovered and publicised a separate, less serious issue, with the same underlying cause.

Yuan, Zoom's chief executive, subsequently wrote a blog post in July apologising for the delay.

"We misjudged the situation and did not respond quickly enough — and that's on us," Yuan wrote. He added: "We take user security incredibly seriously."

The New York Times
