Follow Mark on LinkedIn Follow @marknca on Twitter Follow marknca on YouTube
marknca

Mornings With Mark
no. // 0 0 0 1

Zoom.us & The Real Cybersecurity Problem

Subscribe to the podcast.

Watch the episode here

Join the discussion on LinkedIn

Tweet about this episode

Full machine generated transcript follows

Morning, everybody. How you doing today on this episode of the show. We're going to talk about zoom in their recent security troubles. I know what you're thinking. You're like enough already. I have had enough of this Zoom thing because he has been plastered all over the technology news this week and I don't blame you for being fed up but I think we're going to do a quick recap of the issue just in case you haven't heard about it.

Then I'm going to dive into what it really means because I think there's an underlying lesson for all of us to learn here. Now, if you've been hiding under a rock or more appropriately at the pool or at the beach taking some much-needed recharge time good for you. But here's a quick recap of what went on a researcher published after a 90-day disclosure.

A vulnerability in the zoom meetings client for Mac. Now Zoom is one of the leading video conferencing software solutions. They recently IPO it and it got really solid Financial 50,000 paying customers, which is a ton of users not to mention the free version has a ton of users as well as essentially.

It's a chat tool. It's interactive video. Pressing tool to webinar tool and its you know better than the alternatives for the most part and it's the new player in this field to a lot of companies are jumping on board pretty straightforward butter building they had and they handled the situation poorly and I'll link to a bunch of stuff that you can read that out on your own cuz I want to rehash it here.

But especially the security vulnerability was the following on Max. They had a local web server running. So on localhost on a specific Port Zoom was actually running a web server. This web server could take commands and like launching meeting reinstall the client that kind of thing because it was all designed to get around a security warning in Safari.

Now anytime you try to launch an external application in Safari Safari pops up with a dialog box for the user to provide consent. It says this webpage is trying to launch Zoom or Spotify or whatever the case maybe do you want to allow it or tonight? Sure, that the browser doesn't unwittingly cross into the operating system space and on your local system.

So it's a very good property user because you go. Wait a minute. Is this what I want from web browser? I want to interacting with my o s in the following manner Zoom found that was a friction point for users. And as a usability feature, they wanted to eliminate this dialogue that was put in place to protect users by the manufacturer of the browser and the operating system.

driving to that in the second half So what they did was they have this Local web browser running because now when a webpage was trying to open up a meeting they were trying to launch an application. They were calling out to another website and there was some interesting work done in the background to handle that cross-site referencing and put basically it works so that when you clicked on a link it launched to the webpage and popped up in the application itself without providing that additional prop remember this is all to avoid one click.

Turned out that even if you uninstall the application this web server continue to run which meant that if you didn't have the client you got a meeting request it would actually download in the background and load up the client again all in the name of usability. You can see there's some issues here.

There was an uproar after initially Miss stepping a few times on this the way to handle the initial disclosure from the researcher the way they handle the public disclosure. They finally backtracked and actually fix the issue. So Step 1 update your Mac client for zoom and you don't have to worry about this anymore.

What are some really interesting was in the discussion around it was around the technicalities of it. Is this a good move was a smart this down the other thing and let's just say from a security perspective. This was not a great pattern but it's not unique by any stretch of the imagination.

A lot of your desktop applications are actually running web servers locally. And that's a result of microservices development. That's a result of trying to get around security issues with the browser as a result of a number of things but for me the biggest result for the biggest reason why this is happening, is it a clear indication that we in the security Community continue to fail to work with application teams? Because when is zoom under building came out I picture the meeting in my head and I guarantee you this is almost word-for-word what was happening.

We got user reports the saying that when they try to open up a safari of whether or not they want to actually open Zoom before they even ever get into our products and uses are confused or what do we do? What's a ball we can try to eliminate that what's the what's a root cause we do a little technical digging you driving you say what wait a minute it's because it's trying to launch an external application.

If we're on our own web server locally, then we will be launching a simply be calling another web page. We could eliminate that and make a much smoother experience for our customers. Meaning the customers can click the link and just push right on through every one of the table be like that's a better customer experience for the intended intended action, which is launching a meeting from their calendar or from their email or wherever they actually got that invite from right going through the browser to watch it out.

It's a pretty Central uncommon usability Patterson. Somebody tweeted you a link privately through a DM. They emailed you the text you whatever the case maybe you'll be able to get through there pretty straightforward. Tina Breeze, let's do it. They pushed out of production and hate when a man has webs over here.

Would it be great if you didn't have the client currently installed we can actually push that down. Yeah, we can do a whole bunch of others. Well, it'll be great. What didn't come up in that conversation and I guarantee this happened or didn't happen was that nobody popped up and said wait a minute.

Why is that dialogue there in the first place? What are the security challenges around this approach or even if they did and it's extremely rare that they would have had this conversation the security concerns got overridden because of the usability concerns because of the friction in the user experience and I did it for the product management perspective.

You want to reduce it as many fiction points as possible. You want to smooth use their first experience but security is part of that because you see if I send you to a web page that loads an image from localhost in this port I can start to manipulate your Zoom client, right and zoom is pretty active about telling people who uses Zoom you go to their page and say, hey hear all the customers at love zoom zoom in the or else you can see what companies are using it and hear all of a sudden you got a pretty easy scenario to start men.

Deleting people's access. Does this the end of the world? Absolutely not in the worst case scenario. Your Zoom client would pop up your video would be on and the audio would be on and you might not notice it right away, but you would probably find it up pretty quick cuz your light is still on on your webcam and the application is now running an active.

So you don't keep Zoom open all day. You'll be like why is it open? If you do keep it open all day, you might not notice for a while so they could be the intrusion of I'm looking into your work space and that's serious that significant at the security and a privacy violation.

But the odds of that happening the odds of that being successful are pretty low. So there's no reason to Chicken Little this but there is this concern that security was not part of this process because if there's a security advocate in the room the very fact that you're breaking a fundamental Security Control in the browser should have been flagged one the fact that you're now running a web server should have been flagged to hey, wait a minute.

Why are we running an authenticated web browser that has to do a whole bunch of backflips to make this stuff work? Always thinks these two things should have been red flags. Let alone the fact that the technology side of the developer should have been waiting to do we really want to run a web server.

That's a new set of operational overhead that we need to account for me to maintain that we need to patch it. We need to do all these other things and odds are if they made this choice in the first place. They probably weren't patching it or working on this server that aggressively so there could be other security issues down a lot but for me while the zoom Hunter build a game a huge amount of popularity and visibility and the bigger issue here is that lack of security discussion on the development team because from a security perspective, it's a pretty clear.

No, but I ain't based on my experience the amount of Grey. I got my hair in my beard. You can probably tell I've been around the block a few times that discussion rarely ever happens. And that is the real problem here and it's coming up time and time again, we cannot continue to have security off on the side being a special thing that gets applied maybe the beginning maybe the end and ignored throughout that leads to really bad security out.

Even if we're saying you don't hey, we take security. Seriously. We talked to them twice during the time of the universe 6 month project. That's not serious security. That's not effective security. But sadly that is the state of security in most organizations. What do you think? Let me know who me up online at Mark and CIA in the comments down below and as always by email me at Mark n.

C. I look forward to talk to you about this issue. Hopefully laying the zoom one to rest and talking with the bigger issue. I will see you online and see you in the next episode of the show. Morning, everybody. How you doing today on this episode of the show.

We're going to talk about zoom in their recent security troubles. I know what you're thinking. You're like enough already. I have had enough of this Zoom thing because he has been plastered all over the technology news this week and I don't blame you for being fed up but I think we're going to do a quick recap of the issue just in case you haven't heard about it.

Then I'm going to dive into what it really means because I think there's an underlying lesson for all of us to learn here. Now, if you've been hiding under a rock or more appropriately at the pool or at the beach taking some much-needed recharge time good for you. But here's a quick recap of what went on a researcher published after a 90-day disclosure.

A vulnerability in the zoom meetings client for Mac. Now Zoom is one of the leading video conferencing software solutions. They recently IPO it and it got really solid Financial 50,000 paying customers, which is a ton of users not to mention the free version has a ton of users as well as essentially.

It's a chat tool. It's interactive video. Pressing tool to webinar tool and its you know better than the alternatives for the most part and it's the new player in this field to a lot of companies are jumping on board pretty straightforward butter building they had and they handled the situation poorly and I'll link to a bunch of stuff that you can read that out on your own cuz I want to rehash it here.

But especially the security vulnerability was the following on Max. They had a local web server running. So on localhost on a specific Port Zoom was actually running a web server. This web server could take commands and like launching meeting reinstall the client that kind of thing because it was all designed to get around a security warning in Safari.

Now anytime you try to launch an external application in Safari Safari pops up with a dialog box for the user to provide consent. It says this webpage is trying to launch Zoom or Spotify or whatever the case maybe do you want to allow it or tonight? Sure, that the browser doesn't unwittingly cross into the operating system space and on your local system.

So it's a very good property user because you go. Wait a minute. Is this what I want from web browser? I want to interacting with my o s in the following manner Zoom found that was a friction point for users. And as a usability feature, they wanted to eliminate this dialogue that was put in place to protect users by the manufacturer of the browser and the operating system.

driving to that in the second half So what they did was they have this Local web browser running because now when a webpage was trying to open up a meeting they were trying to launch an application. They were calling out to another website and there was some interesting work done in the background to handle that cross-site referencing and put basically it works so that when you clicked on a link it launched to the webpage and popped up in the application itself without providing that additional prop remember this is all to avoid one click.

Turned out that even if you uninstall the application this web server continue to run which meant that if you didn't have the client you got a meeting request it would actually download in the background and load up the client again all in the name of usability. You can see there's some issues here.

There was an uproar after initially Miss stepping a few times on this the way to handle the initial disclosure from the researcher the way they handle the public disclosure. They finally backtracked and actually fix the issue. So Step 1 update your Mac client for zoom and you don't have to worry about this anymore.

What are some really interesting was in the discussion around it was around the technicalities of it. Is this a good move was a smart this down the other thing and let's just say from a security perspective. This was not a great pattern but it's not unique by any stretch of the imagination.

A lot of your desktop applications are actually running web servers locally. And that's a result of microservices development. That's a result of trying to get around security issues with the browser as a result of a number of things but for me the biggest result for the biggest reason why this is happening, is it a clear indication that we in the security Community continue to fail to work with application teams? Because when is zoom under building came out I picture the meeting in my head and I guarantee you this is almost word-for-word what was happening.

We got user reports the saying that when they try to open up a safari of whether or not they want to actually open Zoom before they even ever get into our products and uses are confused or what do we do? What's a ball we can try to eliminate that what's the what's a root cause we do a little technical digging you driving you say what wait a minute it's because it's trying to launch an external application.

If we're on our own web server locally, then we will be launching a simply be calling another web page. We could eliminate that and make a much smoother experience for our customers. Meaning the customers can click the link and just push right on through every one of the table be like that's a better customer experience for the intended intended action, which is launching a meeting from their calendar or from their email or wherever they actually got that invite from right going through the browser to watch it out.

It's a pretty Central uncommon usability Patterson. Somebody tweeted you a link privately through a DM. They emailed you the text you whatever the case maybe you'll be able to get through there pretty straightforward. Tina Breeze, let's do it. They pushed out of production and hate when a man has webs over here.

Would it be great if you didn't have the client currently installed we can actually push that down. Yeah, we can do a whole bunch of others. Well, it'll be great. What didn't come up in that conversation and I guarantee this happened or didn't happen was that nobody popped up and said wait a minute.

Why is that dialogue there in the first place? What are the security challenges around this approach or even if they did and it's extremely rare that they would have had this conversation the security concerns got overridden because of the usability concerns because of the friction in the user experience and I did it for the product management perspective.

You want to reduce it as many fiction points as possible. You want to smooth use their first experience but security is part of that because you see if I send you to a web page that loads an image from localhost in this port I can start to manipulate your Zoom client, right and zoom is pretty active about telling people who uses Zoom you go to their page and say, hey hear all the customers at love zoom zoom in the or else you can see what companies are using it and hear all of a sudden you got a pretty easy scenario to start men.

Deleting people's access. Does this the end of the world? Absolutely not in the worst case scenario. Your Zoom client would pop up your video would be on and the audio would be on and you might not notice it right away, but you would probably find it up pretty quick cuz your light is still on on your webcam and the application is now running an active.

So you don't keep Zoom open all day. You'll be like why is it open? If you do keep it open all day, you might not notice for a while so they could be the intrusion of I'm looking into your work space and that's serious that significant at the security and a privacy violation.

But the odds of that happening the odds of that being successful are pretty low. So there's no reason to Chicken Little this but there is this concern that security was not part of this process because if there's a security advocate in the room the very fact that you're breaking a fundamental Security Control in the browser should have been flagged one the fact that you're now running a web server should have been flagged to hey, wait a minute.

Why are we running an authenticated web browser that has to do a whole bunch of backflips to make this stuff work? Always thinks these two things should have been red flags. Let alone the fact that the technology side of the developer should have been waiting to do we really want to run a web server.

That's a new set of operational overhead that we need to account for me to maintain that we need to patch it. We need to do all these other things and odds are if they made this choice in the first place. They probably weren't patching it or working on this server that aggressively so there could be other security issues down a lot but for me while the zoom Hunter build a game a huge amount of popularity and visibility and the bigger issue here is that lack of security discussion on the development team because from a security perspective, it's a pretty clear.

No, but I ain't based on my experience the amount of Grey. I got my hair in my beard. You can probably tell I've been around the block a few times that discussion rarely ever happens. And that is the real problem here and it's coming up time and time again, we cannot continue to have security off on the side being a special thing that gets applied maybe the beginning maybe the end and ignored throughout that leads to really bad security out.

Even if we're saying you don't hey, we take security. Seriously. We talked to them twice during the time of the universe 6 month project. That's not serious security. That's not effective security. But sadly that is the state of security in most organizations. What do you think? Let me know who me up online at Mark and CIA in the comments down below and as always by email me at Mark n.

C. I look forward to talk to you about this issue. Hopefully laying the zoom one to rest and talking with the bigger issue. I will see you online and see you in the next episode of the show.