How secure are fast growing apps?
Published 07/04/2020
How secure are fast growing apps?
Everyone is using Zoom. Or if they’re not, they’re on Houseparty. The coronavirus-era has strong-armed everyone into reinventing their work and social lives. Whilst we’ve long been able to video call each other over Skype, FaceTime, WhatsApp, Google Hangouts (to name a few), the use of the aforementioned has simply sky rocketed.
The statistics are quite something. Zoom’s founder recently commented that the number of daily meeting participants had leapt from 10 million at the end of December to more than 200 million by the end of March. Houseparty, considered the cooler younger sibling, has also been a breakout hit. In the last week of March Epic Games, the app’s owner, reported 2 million downloads worldwide, compared with around 130,000 the same week a month ago.
What lessons can we learn from the overnight growth of apps and the development prioritisation to get there?
Growth as extreme as Zoom and Houseparty doesn’t come without pitfalls. Those that are familiar with high growth environments, will know that the quest for customer acquisition and business growth, often comes with trade-offs. Scaling businesses have finite engineering resource. Immediate concerns get prioritised. Nice-to-haves and hypotheticals get left by the wayside. In these types of environments, it’s almost inevitable that balls get dropped.
Zoom in particular has had a torrid time of it in the last few weeks. Former Facebook and Yahoo security chief Alex Stamos observed from the sidelines: "This is going to get worse, as the entire InfoSec world descends on a spectacularly complicated product with lots of attack surface and some sketchy design trade-offs.” Whilst Zoom has managed to implement fixes for many of the identified vulnerabilities, one gets the impression that the company is engaged in a high profile game of security whack-a-mole, rather than building a genuinely secure product. To their credit, they’ve managed to fix some of the more eye-opening vulnerabilities in short order, but even so, trust will be hard to win back.
UNC path injection vulnerability
One such vulnerability was discovered by Anglo-American cybersecurity training firm Hacker House. They found that the Zoom Windows client was vulnerable to UNC path injection. The client chat feature would automatically convert a Windows networking path into a clickable link in the chat message, which if clicked would attempt to connect to the remote site using the SMB file-sharing protocol. This in turn would expose the user's login name and their NTLM password hash - relatively easy to crack with free tools like Hashcat or DeHashed. The same UNC vulnerability could also be used to launch a remote executable file. This has been fixed but has raised questions about the exposure of data to malware attacks.
Use of preinstallation scripts
Another, recently fixed, but questionable aspect of the application’s design architecture relates to the abuse of preinstallation scripts. Prior to the update the Zoom installer invoked the deprecated AuthorizationExecuteWithPrivileges API to perform various privileged installation tasks. The upshot being that a local attacker or piece of malware might be able to (unbeknownst to the user) escalate their privileges to root. "This affords malware the ability to record all Zoom meetings, or simply spawn Zoom in the background to access the mic and webcam at arbitrary times" observed Patrick Wardle, a renowned hacker.
How secure are new app platforms?
There were claims that Zoom calls were end-to-end encrypted, when actually Zoom servers have access to decrypted data. There are now multiple online forums that coordinate Zoom-bombings - jumping into random Zoom calls that don’t have password protection. Hackers have been able to automate the guessing of Meeting IDs that consists of 9 to 11 digits. There’s also the unclear privacy policy that may or may not mean Zoom sells on user data to third parties.
Houseparty has recently been accused of data breaches, that are as yet unfounded, but even so, we think that Zoom provides a case study in scaling and security for engineers of all levels.
Technical competence and a knowledge of exploits (like the above) is obviously important, but even more so is the will to place security higher up the pecking order. “Move fast and break things” may have been the mantra of Mark Zuckerberg but taking a big picture view to get things right in the first place, can save unnecessary reputational harm further down the line. It seems to us that in an effort to create as frictionless a product as possible, Zoom made some critical design errors which have come home to roost. An engineering team with the foresight to see the implications of these design decisions at scale is one thing, but for them to be an empowered voice in an organisation is quite another.
Browse Our Latest Tech Roles
Current Vacancies
Enquire NowSimply provide us your contact details and we will be in touch |
Empiric is a dynamic technology and transformation recruitment agency specialising in data, digital, cloud, security and transformation. We supply technology and change recruitment services to businesses looking for both contract and permanent professionals.
Empiric are committed to changing the gender and diversity imbalance within the technology sector. In addition to Next Tech Girls we proactively target skilled professionals from minority groups which in turn can help you meet your own diversity commitments. Our active investment within the tech community allows us to engage with specific talent pools and deliver a short list of relevant and diverse candidates. For more information contact 02036757777 To view our latest job opportunities click here. |
