- Zoom abuses the installer flow on MacOS to bypass permissions dialogs (source)
- Zoom sends identifying device info to Facebook, even when users don't have a Facebook account (source) (fixed)
- A bug in Zoom sent identifying information (including email addresses and profile pictures) of thousands of users to strangers (source)
- Zoom claims that meetings are end-to-end encrypted in their white paper and marketing materials, but meetings are only encrypted in transit, and are available in plaintext to Zoom servers and employees. (source)
- zoomAutenticationTool can be used to escalate privileges of arbitrary scripts/programs (source)
- Another method of privilege escalation involving the AuthorizationExecuteWithPrivileges API during the installation process (source)
- Zoom browser extension grants unnecessary access to full browser history (source)
- Zoom browser extension has unrestricted TCP access on 0.0.0.0 (source)
- Zoom MacOS client runs an insecure local web server to bypass standard app URI flows. This web server can be abused to initiate video/audio recording without the user's consent (source)
- Zoom Windows client can be used to send SMB network share credentials to an attacker (source)
- Zoom MacOS client specifically disables library validation, allowing attacker libraries to be loaded into its address space (source)
- Zoom lies about using AES-256 encryption. In fact, Zoom uses AES-128 (which is less secure) in ECB mode (which is dangerously insecure) (source) (fixed)
- A bug in Zoom routed calls from North America and Europe through Chinese datacenters, against Zoom's promise that meetings are only routed through the jurisdictions of the meeting's participants (source)
- Facebook sign-in can be added to any account without email confirmation, allowing complete control over the account to an attacker (source) (fixed)
- The Zoom client uses a number of outdated, vulnerable libraries (source)
- Zoom uses a constant passphrase and IV when encrypting Apple Airplay screen shares (source)
- Zoom's in-development "true" end-to-end encryption will only be available for corporate clients, so that Zoom can continue surveillance of free users (source)
- An attacker can perform arbitrary file writes to lead to an RCE by abusing the message schema for sending animated GIFs (source) (fixed)
- An attacker can similarly perform arbitrary file writes/RCE by abusing the message schema for code snippets (source) (fixed)
- A zero-day in the Zoom Windows client allowed RCE when a user starts video in an attacker-controlled call (source)
- Low meeting password entropy, combined with a lack of rate-limiting, makes it incredibly easy to brute force meeting passwords (source)
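The ECB finding and the constant-IV AirPlay finding above share one root cause: the mode of operation fails to hide structure in the plaintext. The Go program below is an added illustration, not Zoom's code; the key, IV and plaintext are constructed values, and the repeated-block count is the standard check an analyst would run over captured ciphertext to spot ECB.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed demo values, not taken from any Zoom product. The plaintext is
// one 16-byte block repeated, as a screen share with a uniform region would be.
var demoIV = []byte("fixed-iv-16bytes")
var demoPlain = bytes.Repeat([]byte("same frame block"), 4)
var demoBlock, _ = aes.NewCipher([]byte("0123456789abcdef")) // 16-byte key: AES-128, err is nil

// ecbEncrypt is ECB mode written out: each block goes through the raw block
// cipher on its own, so equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, plain []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(plain)%bs != 0 {
		return nil, errors.New("plaintext is not a multiple of the block size")
	}
	out := make([]byte, len(plain))
	for i := 0; i < len(plain); i += bs {
		block.Encrypt(out[i:i+bs], plain[i:i+bs])
	}
	return out, nil
}

// ctrEncrypt is AES-CTR: a fresh IV per message hides repetition, while a
// constant IV under one key (the AirPlay finding) reuses the keystream instead.
func ctrEncrypt(block cipher.Block, iv, plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(out, plain)
	return out
}

// repeatedBlocks counts 16-byte blocks that duplicate an earlier block; a
// non-zero count in a long ciphertext is a strong indicator of ECB.
func repeatedBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+16 <= len(ct); i += 16 {
		b := string(ct[i : i+16])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}
```

Encrypting demoPlain with ecbEncrypt yields three repeated ciphertext blocks (the four identical input blocks are visible in the output), while ctrEncrypt yields none; the IV in CTR must still be unique per message under a given key.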
Zoom devices include smart TVs, tablets, and smart cameras. Most of these devices include cameras and microphones and are typically installed within line of sight and earshot of sensitive conversations.
- Zoom devices (such as smart cameras and tablets) downloaded unsigned firmware updates over HTTP, leaving them vulnerable to man-in-the-middle attacks (fixed)
- Zoom devices run Linux 2.6.2, with 600+ reported vulnerabilities as of March 2020
- Zoom device bootloader is unlocked, allowing root shell access during boot
- Root password is set to default
These Aren't New
There's a common misconception that Zoom's recent explosion in popularity has left them unfairly blindsided by unreasonable scrutiny from the security community. This isn't true. Zoom has spent years building a reputation within the security community for being unresponsive to vulnerability reports, stingy on paying out bug bounties, and in general not showing a strong commitment to security. While recent comments from CEO Eric Yuan are reassuring and we hope this marks a shift in Zoom's priorities, they are not victims - these vulnerabilities are a product of their own negligence, and nothing else.
If you find any reports of vulnerabilities, past or present, that are not listed above please leave a comment below.
Thanks to @lrvick, @jnaulty, @matthieuxyz, @MacroChip, and the #! community for help compiling this list.