Zoom’s macOS Installer & Unencrypted Video Calls Raise Another Security Issue
The cloud video conferencing app Zoom is seeing a significant increase in installations across various devices due to the COVID-19 pandemic. Teams and businesses are now operating from home, and Zoom is playing an important role in connecting them.
Recently, Zoom was found to be sending user data to Facebook, which can be used for advertisement targeting by third parties. The code responsible was found in its iOS app and was removed after the news went viral.
While that issue was resolved, two new issues have now been found in the macOS version of Zoom. The first is with Zoom’s macOS installer, which abuses preinstallation scripts and displays a misleading macOS system message.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
He [@c1truz_] also said that this is not totally malicious but seems shady, as the app is installed without the user confirming it one final time before installation, and a misleading prompt is used to gain root access on the device.
Zoom has not said anything about this shady preinstallation script, and neither has Apple. But it is being said that Apple forced updates for macOS to get rid of the Zoom security issue.
Secondly, Zoom claims to encrypt users’ calls so that the chat screen can only be seen by the caller and the recipients. In practice, Zoom is only doing transport encryption, which lets Zoom see the calls too.
According to a Zoom spokesperson, it is not yet possible to enable end-to-end encryption for Zoom video meetings.