Zoom hit by major security holes: tens of thousands of videos exposed to the public, and the CEO says he would consider going open source

Welcome to the "Chuangshiji" (Create a Story) WeChat subscription account: sinacchangshiji
Editors: Jing Yan, Meng Jia, Bai Feng
Source: Xinzhiyuan (WeChat ID: ai_era)
[Xinzhiyuan introduction] Did you Zoom today? Zoom, the video conferencing software that took off during the outbreak, has just been hit by a major security hole: tens of thousands of private videos have been uploaded to public web pages, where anyone can watch them online. Founder Yuan Zheng (Eric Yuan) admitted that if the security problems are not solved, he would even consider open-sourcing Zoom's code.
During the coronavirus outbreak, the use of video conferencing software increased dramatically, and Zoom most of all. Zoom's daily active users surged from 10 million in December last year to 200 million now, making it the hottest product in video conferencing. European and American users who cannot go out use Zoom for meetings, classes, training, visiting relatives, friends and doctors, and even for weddings and funerals.
The most attractive thing about Zoom is that it is "simple and easy to use". But the price of "simple and easy to use" is a long list of security holes and no guarantee of privacy.
Tens of thousands of private videos leaked because of how recordings are named?
15,000 videos were made public
Recently, the Washington Post reported another major security flaw in Zoom: tens of thousands of private Zoom videos have been uploaded to public web pages, and anyone can watch them online. Creepy, isn't it?
It was Patrick Jackson, a former NSA researcher, who revealed to the Washington Post that 15,000 Zoom videos had been found at once in open cloud storage.
Following this lead, the Zoom videos seen by the Washington Post included: one-on-one therapy sessions; training sessions for telemedicine callers, including the names and phone numbers of participants; small-company meetings with financial statements on screen; and online classes for primary school pupils in which the children's faces, voices and appearance are clearly visible. Many videos contain personally identifiable information, many show private conversations at home, and some even show nudity, in videos where beauticians demonstrate hair removal techniques.
Poor security of a single naming scheme
Zoom does not record video calls by default, but the meeting host can save a recording to Zoom's servers, to any cloud service or to a public website without the consent of the participants. Moreover, every recorded Zoom video is saved under the same naming scheme.
Jackson discovered the problem by scanning open cloud storage with a free online search engine: because the recordings follow the default naming rules, a single search turned up 15,000 videos. In addition, some videos are stored in unprotected Amazon buckets that users have inadvertently set to public access, and Zoom videos can also be found on YouTube and Vimeo.
15,000 videos is enough to show that this is not the carelessness of individual users but a product design problem. Zoom's designers skipped some security features that are common in video chat programs, such as giving each saved recording a unique file name. Zoom's single default naming scheme is simple and convenient, but it also makes the recordings easier for attackers to find.
"Zoom should do a better job of reminding users to protect their videos, and make some design adjustments, such as naming videos in an unpredictable way that makes them hard to find in the public domain," Jackson said.
A Zoom spokesman later issued a statement advising users to be cautious when uploading recordings:
"When the host of a Zoom meeting records the video, Zoom notifies all participants and provides a safe and reliable way for the host to store the recording. Zoom meeting recordings are only saved on local devices or in the Zoom cloud, according to the host's choice. If the host chooses to upload the meeting recording to other locations, we urge them to be very careful, to be transparent with participants, to carefully consider whether the meeting contains sensitive information, and to meet the reasonable expectations of participants."
Zoom leaks frequently and is suspected of false advertising
Security researchers who analyzed Zoom's code said its software relies on techniques that may expose people's computers to attackers. Zoom's data-sharing design lets some users record the conversation without the consent of everyone in the meeting, which may leak participants' privacy.
Zoom's default settings allow newly joined users to suddenly send text and pictures to other users' computers during a call, and this screen-sharing feature is freely abused in "Zoombombing". In an interview with the Washington Post, Zoom said the feature was designed for its core user base and that it had recently changed the default settings for schools so that only teachers can share their screens.
Alex Stamos, former Facebook security chief and now head of the Stanford Internet Observatory, said Zoom's problems range from silly design choices to serious product security flaws, many of which worry him.
According to a technical analyst at VMRay, a network security company, the code Zoom uses to speed up installation relies on "poor security and lying to users". In response, Yuan Zheng, Zoom's chief executive, said the company uses these practices to "balance" the number of "clicks" users need before they can use the program.
Among the series of security vulnerabilities exposed this time, the most important is that Zoom does not use end-to-end encryption for video calls. It uses that kind of encryption only for some text messages and for audio in some modes, yet its video application displays a notice that Zoom is using an end-to-end encrypted connection.

A Zoom spokesman later said that it is not currently possible to provide end-to-end encryption for video meetings on the Zoom platform.
Why Zoom is not end-to-end encrypted
To understand the end-to-end encryption issue, we first need to understand what information encryption is.
In cryptography, encryption is the process of turning plaintext into unreadable ciphertext. Only a party holding the means of decryption can turn it back into readable content.
End-to-end encryption (E2EE) is a communication system in which only the users taking part in the communication can read the messages. In general, it prevents potential eavesdroppers, including telecom providers, Internet service providers and even the provider of the communication system itself, from obtaining keys that could decrypt the communication. Such a system protects against surveillance and tampering, because a third party without the key cannot decipher the data transmitted or stored in it. A communication provider that uses end-to-end encryption, such as WhatsApp, cannot extract its customers' communication data, which is also why this kind of encryption creates difficulties for police investigation and evidence collection.
Without encryption, information can be viewed and modified at any hop from A to B. With transport encryption, transmission from A to the server and from the server to B is protected, but the information is decrypted on the server. With end-to-end encryption, A encrypts with user B's public key, the server has no key, and B decrypts with the private key, so the content stays encrypted over the entire path.
In 1994, Netscape designed the SSL protocol (Secure Sockets Layer). In 1999, the Internet standards body (ISOC) took over the protocol from Netscape and released TLS, the upgraded version of SSL. TLS is the encryption method Zoom currently uses for video, so user data is decrypted at Zoom's servers and can still be stolen there.
If end-to-end encryption is so good, why doesn't Zoom use it?
First, end-to-end encryption only improves the confidentiality of the communication content; it cannot prevent the communication from being cut off entirely. Second, even with end-to-end encryption, the addresses of both parties must still be visible. For example, Zoom can deliver an end-to-end encrypted video for you: Zoom may not know the content of the video, but it certainly knows the addresses of the sender and the receiver, and Zoom cannot guarantee delivery. Therefore, in environments with higher security requirements, it must be combined with other layers of encryption to achieve better results.
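The three cases described above (no encryption, transport-only encryption, end-to-end encryption) and the metadata point in this paragraph, as an added Go example that is not from the article or from Zoom: a relay server sits between A and B; in the TLS-only design it decrypts and re-encrypts every message, so it can read the content, while in the end-to-end design A encrypts to B's public key and the server can only see who is talking to whom. X25519, AES-GCM and the party names are this example's own choices, not Zoom's protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func keyPair() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
var a, srv, b = keyPair(), keyPair(), keyPair() // client A, relay server, client B (constructed)

// aead derives AES-256-GCM from an X25519 agreement (SHA-256 stands in for HKDF here).
func aead(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(priv.ECDH(pub)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// seal prefixes a fresh nonce; open strips it and verifies the GCM tag.
func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(g cipher.AEAD, ct []byte) ([]byte, error) {
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// HopByHop (TLS-only): A encrypts to the server, which decrypts, reads, and re-encrypts for B.
func HopByHop(msg string) (serverRead, bRead string) {
	pt, _ := open(aead(srv, a.PublicKey()), seal(aead(a, srv.PublicKey()), []byte(msg)))
	out, _ := open(aead(b, srv.PublicKey()), seal(aead(srv, b.PublicKey()), pt))
	return string(pt), string(out)
}

// EndToEnd (e2ee): A seals to B's key; the relay sees who talks to whom but cannot read it.
func EndToEnd(msg string) (serverCanRead bool, bRead string) {
	ct := seal(aead(a, b.PublicKey()), []byte(msg))
	_, err := open(aead(srv, a.PublicKey()), ct) // tag check fails: wrong key
	out, _ := open(aead(b, a.PublicKey()), ct)
	return err == nil, string(out)
}
```

Note that in both designs the relay still handles the envelope and therefore learns sender, receiver and message size, which is the "addresses must still be visible" point above.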
Stop developing new features immediately and catch up on security
On March 20, Zoom helped users deal with harassment incidents (so-called "Zoombombing") on the platform and reminded users of ways to prevent them, such as waiting rooms, passwords, mute controls and limits on screen sharing.
On March 27, the Facebook SDK was removed from the iOS client.
On March 29, the privacy policy was updated to make clear that Zoom does not sell user data, has never sold user data in the past, and has no intention of selling it in the future.
For education users, Zoom launched an administrator's guide to help maintain virtual classrooms, as well as a K-12 privacy policy.
On April 1, Zoom's Chinese-language announcement said it would stop development of all new features and devote all engineering resources to fixing the recently exposed security vulnerabilities.
Zoom was founded for love. Did you Zoom today?
"We have realized that we are not meeting users' expectations in terms of privacy and security. I apologize for that."
In Zoom's apology letter, founder and CEO Yuan Zheng reiterated the company's founding intention, which sounded like a way to deflect guilt over the leaks, though there was also sincerity in his words. "We did not foresee that within a few weeks, everyone around the world would suddenly be working, learning and socializing from home."
"Whether it is multinational companies that want to maintain business continuity, local governments that want to keep their communities running, school teachers who want to carry out distance education, or people who want to spend a good time with friends during isolation, we are extremely honored to be able to help you stay in touch."
"We are deeply responsible. The number of Zoom users surged overnight, far exceeding expectations. Among them are more than 90,000 schools in 20 countries that have moved to distance education. In March of this year, we had more than 200 million meeting participants every day, both free and paid. We have been working day and night to ensure that all of our new and existing users can stay in touch and that the service functions properly."
In short, the core message is that Zoom's business was founded with good intentions and has been very meaningful for person-to-person contact during the epidemic, so please don't be too harsh on us.
Let’s go back to the original vision of zoom.
The inspiration for founding Zoom came from Yuan Zheng's girlfriend in his first year of university. At the time they were in a long-distance relationship, ten hours apart by train, and could only meet during the winter and summer holidays. Missing his girlfriend gave him the idea of creating a video-sharing website, and his persistence in love eventually won her over.
In 2018, he was named the most popular CEO, with a 99% approval rating, on Glassdoor's 2018 top 100 CEO list, ahead of even Mark Zuckerberg and Tim Cook. In 2019, he ranked 78th on the Hurun Rich List. He is also on the Forbes billionaires list, which will be released in April.
Yuan Zheng is a legend, yet compared with other technology giants he is far from a genius. He was born into a family of mining engineers in Tai'an, Shandong Province, and graduated from Shandong University of Science and Technology in 1987. In 1994, on a business trip to Japan, he heard a speech by Bill Gates, and from then on he had the idea of packing his bags and joining the Internet wave on the other side of the ocean.

When Yuan Zheng set out for the U.S., he spoke Mandarin with a heavy accent and his English was even more halting. At the time, U.S. customs asked for his English business card, which bore the title "consultant", but the visa officer took him for a part-time contractor. Over two years he was refused nine times. "In 1997 I finally made it to the United States, as I had wished. I have been there for 20 years." When he first arrived in the United States he washed dishes and sent out resumes; later he joined WebEx, an early Internet conferencing company, and began writing code.
Around 2000, he was in a bad mood from dealing with customers every day; customers were increasingly dissatisfied and his hands were tied at work. In 2007, WebEx was acquired by Cisco.
Later, Yuan Zheng, by then Vice President of Engineering at Cisco, took more than 40 engineers from the original company to set up on their own. Zoom was officially founded in 2011. At the beginning, all services provided to organizations were free of charge.
Though we make mistakes, our original intention is to benefit the world
"When I was young, I wanted to understand what life is for, but I couldn't find the answer," he said in an interview with Chuangye Bang. "Later I understood that life is about pursuing happiness, and that only by creating happiness for others can your own happiness last. So I also follow this principle in running the company and strive to make customers happy."
Yuan Zheng's son is a college freshman who, because of the epidemic, has also begun taking classes over Zoom. "I told my son that I finally understood the significance of my hard work," Yuan Zheng said in an interview with Forbes. "I made these tools for you to use in online classes."
The original intention was good, but the brighter the spotlight, the easier it is for problems to arise.
After the leak broke, his mother, who lives under the same roof, has been constantly worried about his health. Yuan Zheng shuts himself in his home office every day and sleeps only two or three hours.
"If I had a choice, I would definitely go back to the B2B business; now the rules of the game are totally different," he admitted in the interview. Yuan Zheng even said that if he could not make Zoom the safest platform in the world, he would consider open-sourcing Zoom's code in the next few years.
This sounds familiar. "Facebook was founded by me, and I will be responsible for what happens on the platform until the last day," said Mark Zuckerberg, the entrepreneur Yuan Zheng admires most, after the Facebook user data leak.
I don't know what Yuan Zheng, who has always stayed true to his first intentions in love and in his career, is thinking at this moment.
Reference links:
https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
https://www.cyzone.cn/article/520637.html
https://zh.wikipedia.org/wiki/%E8%A2%81%E5%BE%81
https://mp.weixin.qq.com/s/Q0i-ddBrVRcOGll8E6ii3A