Pixel Envy

Written by Nick Heer.

Zoom’s Security Problems Were Common Knowledge for Years to Business Partners Like Dropbox

Eric S. Yuan, Zoom’s CEO and founder, in a statement published to the company’s blog earlier this month:

First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

“Enterprise customers” who completed “exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom” would, presumably, include Dropbox. The two companies promised tight integration and frequently promoted their partnership.

But, while the two companies were publicly demonstrating their collaborative efforts, Dropbox was privately shocked by the number of vulnerabilities in Zoom’s software — something they knew because they were actively finding security holes and pushing Zoom to fix them.

Natasha Singer and Nicole Perlroth, New York Times:

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees.

The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

[…]

Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work.

Imagine how bad Zoom’s security would be if all those enterprise customers had not worked so diligently on, as Yuan claimed, “exhaustive security reviews”.