Critical Vulnerabilities found in Zoom and Microsoft Teams

May 03, 2021

Amidst the current corona virus pandemic which has hit economies of all countries globally, security researchers came up with critical security vulnerabilities in zoom conferencing software and very recently Microsoft Teams workplace and video chat collaboration platform. These critical vulnerabilities being identified when most of the corporations, enterprises and even some government organizations relying on these platforms may bring us to a point where we are forced to give a thought on the debate whether to rely on these platforms or not.

So, here’s our take on the discussions going around, first let’s talk about some issues in zoom that were identified and responded by the company.

A brief summary of these issues found and summarized are as listed below: -

Security flaws in zoom conferencing software

• Zoom bombing – Many increased cases of eavesdropping in the case of ongoing meetings was reported wherein a hacker could easily guess a short-numbered URL to infiltrate ongoing meetings. Zoom released a set of measures to safeguard the interest of people to safeguard themselves in this link.
• Attendee tracking feature –A very much argued feature was removed from the conferencing utility where they removed the attendee tracking feature which could let the host of the meeting know whether the zoom window was in-focus during a call while screen-sharing, where host could know with help of indicators when the participants window was not active. The official removal of the feature was announced in this link.
• False claims related to using end-to-end encryption – The claims made by the company to state the sessions being encrypted on the client side before reaching other receivers to be decrypted was perplexing. You can read more on this link.
• Finding vulnerabilities in zoom can be a money spinner - In the hype of all these ongoing events, many hackers from all over the globe have taken interest in identifying vulnerabilities like zero-day exploits which they can easily sell in the market for a good amount of money. More details in this link.

Below mentioned list of some public known CVE’s:

1. CVE-2020-11500

2. CVE-2019-13450

Next comes to the more recent discussion on Microsoft Teams platform related to subdomain takeover vulnerability identified by CyberArk.

Microsoft very recently patched a new worm-like vulnerability which could use images being sent in malicious links to impact. The scenario could start with something as easy as sharing a gif or an image to get control of their account.

Basically, Teams would manage your account through use of different sets of JSON web tokens (JWT). The petrifying thing about this vulnerability is that it can spread like a worm.

CyberArk also created a POC video to show this link.

This vulnerability can impact a user gathering many things like your confidential information leading to many serious issues like financial damage, data exfiltration and more.

So, all these issues bring us to the actual discussion of whether or not to use these conferencing utilities. The biggest problem with proprietary software is the organizations always have the control on your data and they will manifest all what’s going on in your computer, what’s in your memory, and many other things. So, the best take we can have from these problems is using programs which consist of end-to-end encryption features. These are some alternatives which we can make use of

• Tox – a good piece of open source instant messaging application volunteered as an open-source project. https://tox.chat/
• Jitsi – one more good alternative to instant messaging and video conferencing solution. https://jitsi.org/

So, concluding this article of ours with a neutral stance, we can say that all this discussion should be boiled down to the threat modeling. A very good discussion on the same can be found on this twitter thread link. The most important thing to keep in mind is the user should think very carefully about their security and privacy. Apart from your organizational stance on whether they ask you to use this proprietary software, you should decide if you want to share more sensitive information, there are open-source and more secure options like tox and jitsi always available.