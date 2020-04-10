Zoom, the videoconferencing service whose use exploded in the vacuum created by the COVID-19 epidemic, has been hit by a series of privacy and security problems in recent days. Now researchers have identified a flaw in a feature marketed specifically as a way to secure meetings.

The feature, called a waiting room, allows meeting hosts to keep potential participants in a digital queue waiting for approval. Healthcare professionals could use it to organize multiple telehealth meetings in a row, and hiring managers could conduct stacked video interviews, the company suggested in a February blog.

As users have encountered problems with zoombombing – where uninvited participants interrupt and derail meetings, often with offensive images or racist slurs – the company pointed to the waiting room as a way to protect yourself from this type of intrusion.

But security researchers examining the desktop client for vulnerabilities found that Zoom servers would automatically send a live video stream to users in the meeting waiting room, even if the person organizing the meeting had not yet approved them to join. These users also received the meeting decryption key – the code needed to unlock the encrypted communications.
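The design point behind the flaw is that a waiting room is only a barrier if the server withholds both the media stream and the key until the host admits the participant. The following is an added illustration, not Zoom's code: a minimal admission gate that models the reported behaviour (`LeakyMeeting`) beside the intended one (`Meeting`), with an audit check a defender could run against either. All class and function names are assumed.

```python
"""Waiting-room admission gate: constructed example, not Zoom's implementation."""
import secrets
from typing import Dict, Set


class Meeting:
    """Intended behaviour: key and media reach admitted participants only."""

    def __init__(self, host: str):
        self.host = host
        self.session_key = secrets.token_bytes(32)   # constructed per-meeting key
        self.admitted: Set[str] = {host}
        self.waiting: Set[str] = set()

    def join(self, user: str) -> dict:
        """A newcomer lands in the waiting room; return the server's join response."""
        self.waiting.add(user)
        return self._payload_for(user)

    def admit(self, actor: str, user: str) -> dict:
        """Only the host may move a user from the waiting room into the meeting."""
        if actor != self.host:
            raise PermissionError(f"{actor} is not the host")
        self.waiting.discard(user)
        self.admitted.add(user)
        return self._payload_for(user)

    def _payload_for(self, user: str) -> dict:
        # Hardened: an unadmitted client gets a status only, never the key.
        if user in self.admitted:
            return {"status": "admitted", "session_key": self.session_key}
        return {"status": "waiting"}

    def fan_out(self, encrypted_frame: bytes) -> Dict[str, bytes]:
        """Relay one encrypted media frame to admitted participants only."""
        return {u: encrypted_frame for u in self.admitted}


class LeakyMeeting(Meeting):
    """Models the reported flaw: key and frames go to every connected client,
    so encryption buys nothing against someone still in the waiting room."""

    def _payload_for(self, user: str) -> dict:
        status = "admitted" if user in self.admitted else "waiting"
        return {"status": status, "session_key": self.session_key}

    def fan_out(self, encrypted_frame: bytes) -> Dict[str, bytes]:
        return {u: encrypted_frame for u in self.admitted | self.waiting}


def key_exposed_to_waiting(meeting: Meeting, user: str) -> bool:
    """Audit check: does a user still in the waiting room hold the session key?"""
    return user in meeting.waiting and "session_key" in meeting._payload_for(user)
```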

“If you were moderately technically sophisticated, you could look at what was going on in the waiting room,” said Bill Marczak, a fellow at the Citizen Lab and postdoctoral researcher at UC Berkeley who found the vulnerability. An audio stream of the call, however, was not accessible.

Marczak said he and John Scott-Railton of the Citizen Lab notified Zoom last week. They detailed their findings in a report released Wednesday, after receiving an email from the company indicating that the issue had been resolved.

On Wednesday, Zoom general manager Eric Yuan mentioned in a webinar organized to address privacy issues that Zoom had resolved a problem with its waiting room function.

“We have updated our server. Our vulnerability in the waiting room has already been addressed,” said Yuan during the webinar. “On the server side, we did not send audio and video data to the client in the waiting room. However, we have sent the session key…. We didn’t think it was safe, so we switched servers.”

Yuan’s account did not match what Marczak and Scott-Railton found, they wrote. The video stream was previously accessible, although the problem has since been resolved, said Marczak.

Zoom did not immediately respond to a request for comment on this discrepancy.