Zoom took months to repair a flaw that would allow hackers to take complete control of a computer, even after multiple researchers and clients reported the vulnerability to the company
Last year, Zoom took three months to fix a security flaw that allowed hackers to potentially gain control over certain user's computers running Apple's macOS, according to a report from the New York Times on Monday.
Zoom fixed and addressed the issue last July, and at the time CEO Eric Yuan acknowledged that the company did not act fact enough.
The flaw was discovered by security researchers who participated in a hackathon sponsored by Dropbox last year.
Zoom's current explosion in popularity has uncovered numerous security and privacy issues with the platform, and Zoom has committed to fixing those over the next 90 days.
This new report shows that some business customers did have reservations about Zoom's security before its current onslaught of issues.
Yuan told Business Insider in a recent interview that Zoom's business customers still trust the product, saying "enterprise customers have been working together with us for a long time, they trust us, and we just keep everything open and transparent."
Zoom said in a statement that it is doubling down on security as outlined in its 90-day plan and that "We appreciate the researchers and industry partners who have helped — and continue to help — us identify issues as we continuously seek to strengthen our platform."
Last year, Zoom took three months to fix a security flaw that allowed hackers to potentially gain control over certain user's computers running Apple's macOS, according to a report from The New York Times on Monday.
The issue, which Zoom addressed and fixed last July, was brought to the company's attention from multiple security researchers who participated in a hackathon hosted by Dropbox, the report said. Dropbox, which is a Zoom customer and partner, then presented the findings to Zoom, which only fixed the issues after another researcher found the same flaw.
In early 2019, Dropbox sponsored HackerOne Singapore, a live hacking competition. Two employees of the company Assetnote, an Australian security company, attended the conference and discovered the flaw that that could allow an attacker to covertly take control of certain computers running Apple's macOS. However, Zoom didn't take steps to fix the flaw until a third, independent security researcher found another flaw with the same underlying issue.
Zoom fixed the issue in July 2019, and CEO Eric Yuan acknowledged then that the company had not acted fact enough. "We misjudged the situation and did not respond quickly enough — and that's on us. We take full ownership and we've learned a great deal," Yuan wrote in a blog post at the time.
The engineer and executive from Assetnote who discovered the flaw detailed their process in a blog post published after Zoom fixed the issue.
This is just one of the security and privacy issues Zoom faced even before its current onslaught of issues. The New York Times report details other security vulnerabilities that were brought to Zoom's attention in the past, which the company later fixed.
Thus far, Zoom has said its current issues stem from the fact that the video conferencing tool is intended for business users who have their company's IT departments to rely on. Its new consumer users, including students and teachers, did not have that kind of support, which led to things like 'Zoombombing' incidents.
That coupled with the fact that Zoom's user base ballooned to 200 million at the end of March from 10 million in December, created a situation that Zoom has said it never anticipated.
Yuan has said that Zoom's business customers still trust the product. In a recent interview with Business Insider Yuan said "enterprise customers have been working together with us for a long time, they trust us, and we just keep everything open and transparent."
While that may be true, the New York Times report shows that some of Zoom's enterprise customers previously had reservations about Zoom's security. And the report shows a pattern of not prioritizing some security or privacy vulnerabilities, even when brought to the company by partners like Dropbox.
Dropbox took multiple steps to push Zoom to improve its security settings, the report said. In 2018, Dropbox used its own bug bounty program, which many companies have to uncover flaws within its own software, to ask hackers to find problems with Zoom's software, the report said.
In a statement, Dropbox told Business Insider: "In 2018, we piloted a program to include strategic partners and vendors in our bug bounty program — under this program Dropbox pays out rewards to security researchers who identify vulnerabilities in our partners' platforms."
The file sharing company added that they were "grateful to Zoom for being the first to participate in this program," and that they use Zoom "every day to get work done, and in these unprecedented times, it has become a critical tool in keeping our teams connected."
Zoom said it is taking serious steps to improve the privacy and security of its platform now. This is after facing numerous critiques in recent weeks, amid its newfound popularity.
It has stopped development of any new features, and had outlined a 90-day plan to address privacy and security. As part of that plan, it has hired security experts like Alex Stamos, Facebook's former security chief. It has also revamped its bug bounty program for hackers who find security flaws in its code.
"Zoom takes user privacy, security and trust very seriously. We appreciate the researchers and industry partners who have helped – and continue to help – us identify issues as we continuously seek to strengthen our platform. As part of our 90-day plan announced on April 1, we are doubling down on our commitment to security and we are proactively working to better identify, address, and fix issues," Zoom said in statement.