The Zoom video conferencing service would install itself on Macs bypassing Apple’s regular security, and also promotes that it has end-to-end encryption, but clearly not.
Zoom’s popularity as a video conferencing tool has skyrocketed compared to coronavirus
The increased use of the Zoom video conferencing application and service during the coronavirus epidemic has led to the discovery of more security concerns. In addition to previously sending user data to Facebook, which he corrected, he has now been charged with two separate security concerns.
In one case, it would work around Apple security to install, and in another, it claims end-to-end encryption that it doesn’t have.
Twitter user @ c1truz_, technical manager of the VMRay malware tracking program, reports that the Zoom Mac application installer uses pre-installation scripts and would display a fake macOS system message.
Have you ever wondered how @zoom_us Does the macOS installer work without you having to click install? It turns out that they (ab) use pre-installation scripts, decompress the application manually using a supplied 7zip and install it in / Applications if the current user is in the admin group (no root is not required). pic.twitter.com/qgQ1XdU11M
– Félix (@ c1truz_) March 30, 2020
“It is not strictly malicious, but very shady and definitely leaves a bitter aftertaste”, continues @ c1truz_, “The application is installed without the user giving his [or her] final consent and a very misleading prompt are used to obtain root privileges. “
“[These are the] same tricks that are used by macOS malware, “he concludes.
Appleiphonestop has contacted Zoom regarding the allegation, but has yet to receive a comment. Apple hasn’t publicly commented either, but the charge follows previous issues where Apple forced a macOS update on users to fix a Zoom security issue.
Previously, another security solution in the Zoom app meant that it was possible for websites to turn on users’ cameras without permission.
Initially, Zoom defended this as a deliberate way to facilitate video conferencing for users. He then backed off and said he would remove the functionality.
Before that, however, Apple stepped in and used a forced silent update to macOS, the method by which it typically treats malware.
The Intercept also alleges that Zoom claims to have end-to-end encryption for its videoconference calls, but this is not the case.
Rather than doing end-to-end encryption, where the entire video chat can only be seen by the caller and their recipients, Zoom would do what is known as transport encryption. This makes the connection between Zoom users and servers encrypted, but does not prevent Zoom from seeing calls.
“In fact, Zoom uses its own definition of the term,” says The Intercept, “which allows Zoom to access unencrypted video and audio from meetings itself.”
A Zoom spokesperson confirmed this to The Intercept, replying that “currently, it is not possible to enable E2E encryption for Zoom video meetings”.
“When we use the term” end-to-end “in our other publications, it refers to the encrypted connection from the Zoom endpoint to the Zoom endpoint,” continued the Zoom spokesperson.