April 20, 2020
Zoom's Security Woes Were No Secret to Business Partners Like Dropbox
Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them.
By Natasha Singer and Nicole Perlroth
One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition [1] sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees.
The hackers soon uncovered a major security vulnerability [2] in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.
Now Zoom's videoconferencing service has become the preferred communications platform [3] for hundreds of millions of people sheltering at home, and reports of its privacy and security [4] troubles have proliferated.
Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes -- like elementary school classes and family celebrations -- for which it was never intended.
"I don't think a lot of these things were predictable," said Alex Stamos, a former chief security officer at Facebook [5] who recently signed on as a security adviser to Zoom. "It's like everyone decided to drive their cars on water."
The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk.
Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work.
As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom's code -- and troubled by Zoom's slowness in fixing them.
After Dropbox presented the hackers' findings from the Singapore event to Zoom Video Communications, the California company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability [6] only after another hacker publicized a different security flaw with the same root cause.
Zoom's sudden popularity -- nearly 600,000 people downloaded the app on a single day last month -- has opened it to increased scrutiny by researchers and journalists and forced the company to grapple with a rash of security incidents. [7]
Three weeks ago, the F.B.I. warned that it had received multiple reports of trolls hijacking [8] public school classes on Zoom to display pornography and make threats -- malicious attacks known as "Zoombombing." [9]
Last week, Vice's Motherboard blog reported that security bug brokers were selling access -- for $500,000 -- to critical Zoom security flaws [10] that could allow remote access into users' computers. Separately, hackers put up more than half a million Zoom users' passwords and user names for sale on the so-called dark web. [11]
On April 1, Eric S. Yuan, Zoom's chief executive, said the company would devote all of its engineering resources for the next 90 days to shoring up security and privacy. [12] Last week, the company announced a revamped reward program for hackers who find security flaws in its code. Mr. Stamos said Zoom was also working on design changes to reduce the potential risks of security flaws and abuses like Zoombombing.
In a statement, Zoom said it appreciated "the researchers and industry partners who have helped -- and continue to help -- us identify issues as we continuously seek to strengthen our platform." It added that the company was "proactively working to better identify, address and fix issues."
In a statement, Dropbox said it was "grateful to Zoom for being the first to participate" in its vendor bug bounty program. It added that Dropbox itself used the videoconferencing service for internal meetings and that Zoom had become "a critical tool in keeping our teams connected."
Before Zoom's initial public offering in 2019, Dropbox made a $5 million investment in the company. Separately, Bryan Schreier, a Dropbox director, is a partner at Sequoia Capital, which made a $100 million investment in Zoom [13] before the initial offering.
Even critics acknowledge that Zoom remains the most user-friendly videoconferencing service on the market and has become a crucial communications tool during the pandemic. Security researchers also praised Zoom for improving its response times -- quickly patching recent bugs and removing features that presented privacy risks [14] to consumers.
Zoom is hardly the first tech company whose sudden surge in popularity exposed its problems. Microsoft, [15] Twitter, [16] Google, [17] Facebook [18] and Uber [19] have all settled federal charges related to consumer security or privacy.
What is different about Zoom is the unusual role that another tech company -- Dropbox -- played in pushing the videoconferencing service to address its security weaknesses. Details on Dropbox's role have not been publicly reported before.
Many companies, including Zoom, have "bug bounty programs" in which they pay hackers to turn over flaws in the company's own software code. But Dropbox, which has integrated its file-sharing services with Zoom, did something novel.
Starting in 2018, Dropbox privately offered to pay top hackers it regularly worked with to find problems with Zoom's software. It even had its own security engineers confirm the bugs and look for related problems before passing them on to Zoom, according to the former Dropbox engineers.
Hackers have reported several dozen problems with Zoom to Dropbox, the former employees said. These included moderate problems, like the ability for an attacker to perform actions on a user's behalf in the Zoom web app, and more serious security flaws, like the ability for an attacker to run malicious code on computers running Zoom software. Dropbox also put in its own controls to ensure that its integration with Zoom did not present risks to Dropbox users.
Zoom's reputation for security weaknesses began to spread within Dropbox, the former engineers said.
As part of an annual companywide hacking competition in 2018, Dropbox engineers created a knockoff of Zoom -- they called it "Vroom" -- and challenged employees to hack it. The Dropbox employees successfully obtained Vroom meeting codes, which would have allowed them to crash hypothetical Vroom meetings. The idea of the exercise, former Dropbox employees said, was to teach Dropbox engineers to avoid making some of the security mistakes that Zoom had made.
Some former employees said Dropbox had also prompted Zoom to introduce additional security measures, including a virtual waiting room feature that now allows meeting organizers to vet participants before letting them into a videoconference.
"I have no doubt that Zoom was better able to address the current 'zoombombing' craze thanks to Dropbox's early" involvement, Chris Evans, a former head of security at Dropbox, wrote in an email to a reporter.
Dropbox employees weren't the only ones finding problems. In late 2018, David Wells, a senior research engineer at Tenable, a security vulnerability assessment company, uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting -- without even being on the call. Among other things, Mr. Wells reported that an attacker could take over a Zoom user's screen controls, enter keystrokes and covertly install malware on their computer.
Mr. Wells also found the vulnerability allowed him to post messages in Zoom chats under other people's names and kick people off meetings. Mr. Wells, who reported his findings directly to Zoom, said Zoom had quickly patched the flaws.
In early 2019, Dropbox sponsored HackerOne Singapore, [20] the live hacking competition. To put pressure on Zoom to take security more seriously, former Dropbox engineers said, Dropbox included the videoconferencing service among companies for which it offered bug bounties at the event.
Even before the event began, one hacker reported a major vulnerability to Dropbox that could have allowed attackers to pose as Zoom over Wi-Fi and secretly observe users' video calls, the former Dropbox engineers said.
Soon after, the two Australian hackers, an engineer and an executive at Assetnote, a security company, uncovered the flaw [21] that would have allowed an attacker to covertly take complete control of certain computers running Apple's macOS, according to a blog post published by the hackers.
The discovery was particularly jarring because attackers could have used the Zoom vulnerability to gain access to the deepest levels of a user's computer.
But Zoom did not quickly address the flaw. Instead, the company waited more than three months until a third researcher [22] independently uncovered and publicized a separate, less serious issue, with the same underlying cause.
Mr. Yuan, Zoom's chief executive, subsequently wrote a blog post [23] in July apologizing for the delay.
"We misjudged the situation and did not respond quickly enough -- and that's on us," Mr. Yuan wrote. He added: "We take user security incredibly seriously."
[1] https://www.hackerone.com/blog/hacking-dropbox-live-heart-singapore-h1-65
[2] https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/
[3] https://www.nytimes.com/2020/03/17/style/zoom-parties-coronavirus-memes.html
[4] https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html
[5] https://www.nytimes.com/2018/08/01/technology/facebook-security-alex-stamos.html
[6] https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/
[7] https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html
[9] https://www.nytimes.com/2020/03/20/style/zoombombing-zoom-trolling.html
[10] https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000
[13] https://techcrunch.com/2017/01/17/sequoia-invests-100-million-in-zoom-video-conferencing-service/
[14] https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html
[20] https://www.hackerone.com/blog/hacking-dropbox-live-heart-singapore-h1-65
[21] https://blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/
[23] https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/