Zoom App security sucks

Zoom App security sucks, says user after Zoom lets a school in Chile register using his email

Only weeks after Zoom App developers proudly claimed "no more Zoombombing" and "Zoom is secure" on websites and in news magazines, there has been a multitude of Zoombombing (also called Zoomraiding) attacks. In each case, unknown intruders joined meetings uninvited and insulted the attendees with racial slurs or NSFW images and videos.

But this one takes the cake! Zoom allowed a school in Chile to register an account using the email address of a Cloudflare employee, without his knowledge. As a result, that employee now has full admin control of the school's Zoom account. It happened to Kenton Varda, who works at Cloudflare and is a LAN fan. One fine day he was surprised to find that Zoom had, without ever asking his permission, accepted his email address as the owner address of a school's Zoom account in Chile.

Zoom did not verify the email address before letting the school register. The normal practice is that a service sends a verification link to the address entered at signup and activates the account, let alone an admin role, only after the recipient has clicked it; until then the address is nothing more than an unverified claim typed into a form. Zoom, however, seems to be operating in a parallel universe where there are no cybersecurity issues.
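The verification step described above, as an added example that is not Zoom's code or anything from the original post. The insecure class shows the failure mode the article describes (whoever types an address becomes its admin); the verified class stores only a hash of a random one-time token, expires it, compares it in constant time and grants the admin role only on a successful click. The school name, the temporal@example.com address and the 24-hour expiry are constructed assumptions.

```python
"""Email-verified signup: no role is granted until the address owner proves control.

Added example, not code from Zoom or from the original post. The school name and
the temporal@example.com address below are constructed test data.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed policy: verification links expire after a day


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked pending-signup table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UnverifiedSignup:
    """The failure mode in the article: whoever types an address becomes its admin."""

    def __init__(self):
        self.admins = {}  # email -> org

    def register(self, org, email):
        self.admins[email] = org  # no proof that the submitter controls `email`
        return True

    def is_admin(self, email, org):
        return self.admins.get(email) == org


class VerifiedSignup:
    """Correct flow: create a pending record, email a one-time token, grant admin on verify."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # email -> (token_hash, expires_at, org)
        self._admins = {}   # email -> org

    def register(self, org, email):
        """Record a pending signup and return the token to send to `email`.

        In a real service the token goes out only in the verification email,
        never back to the HTTP client that submitted the form.
        """
        token = secrets.token_urlsafe(32)
        self._pending[email] = (_hash_token(token), self._now() + TOKEN_TTL_SECONDS, org)
        return token

    def verify(self, email, token):
        """Activate the account iff the presented token is current and matches."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at, org = entry
        if self._now() > expires_at:
            del self._pending[email]   # expired: the address owner must restart signup
            return False
        if not hmac.compare_digest(token_hash, _hash_token(token)):
            return False               # wrong token: leave the pending record in place
        del self._pending[email]       # single use: a second click cannot re-verify
        self._admins[email] = org
        return True

    def is_admin(self, email, org):
        return self._admins.get(email) == org


if __name__ == "__main__":
    bad = UnverifiedSignup()
    bad.register("Escuela Ejemplo", "temporal@example.com")
    print("unverified flow grants admin immediately:",
          bad.is_admin("temporal@example.com", "Escuela Ejemplo"))

    good = VerifiedSignup()
    token = good.register("Escuela Ejemplo", "temporal@example.com")
    print("verified flow, before click:",
          good.is_admin("temporal@example.com", "Escuela Ejemplo"))
    print("verified flow, after click:",
          good.verify("temporal@example.com", token),
          good.is_admin("temporal@example.com", "Escuela Ejemplo"))
```

The point of the split is where the trust boundary sits: in the unverified flow the form submitter is trusted to own the address, while in the verified flow only someone who can read mail at that address ever reaches `verify`, and the role is assigned inside that call, not at registration.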

Because of this error by Zoom, Kenton had access to the entire school's Zoom admin account. He could see details of students and teachers, which any cybercriminal could easily have used to hack, stalk, and harass the school's children and staff.

There is no excuse for Zoom granting admin powers over an account to Kenton's address without verifying it with him. His address does explain why it was his inbox that got picked, though: the local part is temporal, which means temporary in Spanish, and Spanish speakers around the world commonly type a "temporal" address into signup forms as a placeholder. A placeholder only becomes a problem when the service trusts it without checking.

Twitter users and the security research community chastised Kenton for not making a responsible disclosure, and he apologized to Zoom and to security researcher Alex Stamos.

Still, it is a serious security breach (not merely a vulnerability) on Zoom's part to add his email address as an admin without verifying it with him. What do you think?
