A New York Times report outlines how the file-hosting service Dropbox became worried about the security of the video-conferencing app Zoom, which has become wildly popular during the coronavirus pandemic as many people worldwide are forced to work from home.
Zoom has recently been trying to improve its security measures following multiple media reports of privacy breaches, including a phenomenon known as “Zoom bombing” in which unauthorized users gain access to private Zoom calls.
Former engineers at Dropbox say that Zoom’s vulnerabilities can be traced back a couple of years or more, and that the company’s failure to improve its security practices immediately put its business clients at risk.
“Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work,” reads the report.
“I don’t think a lot of these things were predictable,” said Alex Stamos, a former chief security officer at Facebook who recently signed on as a security adviser to Zoom. “It’s like everyone decided to drive their cars on water.”
Dropbox employees were not the only ones investigating Zoom’s security issues, the New York Times writes:
Dropbox employees weren’t the only ones finding problems. In late 2018, David Wells, a senior research engineer at Tenable, a security vulnerability assessment company, uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting — without even being on the call. Among other things, Mr. Wells reported that an attacker could take over a Zoom user’s screen controls, enter keystrokes and covertly install malware on their computer.
Mr. Wells also found the vulnerability allowed him to post messages in Zoom chats under other people’s names and kick people off meetings. Mr. Wells, who reported his findings directly to Zoom, said Zoom quickly patched the flaws.
Dropbox began to privately offer rewards to security researchers to find holes in Zoom’s software code, as well as that of a few other companies. The former Dropbox engineers said “they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them,” explains the report.
After Dropbox presented these holes to the company, Zoom took more than three months to fix the bugs, patching the vulnerabilities only after another hacker publicized a different security flaw with the same root cause.