Incident: Zoom Vulnerability Exposes Password-Protected Videos to Unauthorized Access.

Published Date: 2020-04-16

Postmortem Analysis
Timeline 1. The software failure incident happened in April 2020. [Article 98593]
System 1. Zoom software 2. Zoom's privacy protection feature 3. Zoom's Captcha challenge implementation 4. Zoom's password protection setting 5. Zoom's cloud recording security measures 6. Zoom's default upload option 7. Zoom's permanent link security 8. Zoom's video deletion process 9. Zoom's Amazon Web Services storage bucket security 10. Zoom's unique URL access control 11. Zoom's video viewing session expiration control
Responsible Organization 1. Zoom [98593]
Impacted Organization 1. Users who uploaded videos to Zoom's cloud storage were impacted by the software failure incident [98593].
Software Causes 1. Lack of default password protection for uploaded Zoom videos, making them vulnerable to unauthorized access and download [98593]. 2. Vulnerability in Zoom's privacy protection system that allowed for the cracking of manually set passwords on videos [98593]. 3. Videos that were deleted from Zoom accounts remained accessible for several hours before disappearing, indicating a flaw in the deletion process [98593].
Non-software Causes 1. Lack of default password protection for uploaded videos on Zoom [98593] 2. Vulnerability in Zoom's privacy protection system allowing videos to be accessed via share links [98593] 3. Inadequate response from Zoom to address security concerns promptly [98593] 4. Failure to implement strong password rules and default password protection settings [98593]
Impacts 1. The vulnerability discovered in Zoom's software allowed individuals to search for and access stored Zoom videos using share links, even if the videos were deleted, leading to potential privacy breaches [98593]. 2. The core vulnerability in Zoom's software remained unfixed even after an update was rolled out, allowing hackers to manually follow share links and access videos once a Captcha challenge was defeated [98593]. 3. The incident raised concerns about the security and privacy risks associated with Zoom's rapid growth in user base during the coronavirus pandemic, with issues ranging from attention-tracking features to unauthorized attendees disrupting meetings (Zoombombing) [98593]. 4. Government entities globally, including the US Senate and the German Ministry of Foreign Affairs, restricted or cautioned against the use of Zoom for state business due to security concerns [98593]. 5. The incident highlighted the risk of storing all Record to Cloud videos in a single unprotected bucket on Amazon cloud storage, potentially exposing corporate accounts to privacy breaches [98593].
Preventions 1. Implementing robust security measures during the software development process, such as thorough security testing and vulnerability assessments, could have prevented the vulnerability that allowed unauthorized access to Zoom videos [98593]. 2. Enforcing strong password protection settings by default for all cloud recordings could have mitigated the risk of unauthorized access to videos even after deletion [98593]. 3. Regularly updating and patching the software to address known vulnerabilities and security issues could have prevented the exploitation of the privacy vulnerability in Zoom [98593]. 4. Providing timely responses to security researchers and promptly addressing reported vulnerabilities could have helped prevent the exploitation of the security flaw in Zoom [98593].
Fixes 1. Implementing rate limit protections through reCaptcha to prevent brute-force attempts on password-protected recording pages [98593]. 2. Implementing complex password rules for all future cloud recordings and turning on password protection setting by default [98593]. 3. Adding a Captcha challenge when someone clicks on a share link to enhance security [98593]. 4. Encouraging users to password-protect their videos with strong passwords and possibly delete them afterwards to improve privacy and security [98593].
References 1. Phil Guimond, security researcher who discovered the vulnerability [98593] 2. Zoom spokespersons who provided statements to CNET [98593]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident related to privacy and security vulnerabilities in Zoom's software has happened again within the same organization. The incident involved a vulnerability that allowed unauthorized access to stored Zoom videos through share links, even after they were deleted from the user's account. This vulnerability was exploited by a security researcher, Phil Guimond, who created a tool called Zoombo to crack passwords on videos that were manually protected. Zoom rolled out updates to address the issue, such as adding a Captcha challenge to share links and implementing complex password rules for future cloud recordings [98593]. (b) The software failure incident related to privacy and security vulnerabilities in Zoom's software has also happened at multiple organizations. The incident led to concerns about the exposure of user data and privacy risks, including the practice of "Zoombombing" and the sharing of user data with Facebook. As a result, a growing list of government entities both domestically and globally have restricted the use of Zoom for state business. For example, the German Ministry of Foreign Affairs cautioned staff against using the software, and Singapore banned teachers from using it for remote teaching. Additionally, the US Senate advised members to avoid using Zoom for remote work during the coronavirus lockdown [98593].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the vulnerability discovered by security researcher Phil Guimond in Zoom's system. Guimond found a vulnerability that allowed someone to search for stored Zoom videos using share links that contain part of a URL, such as a company or organization name. This design flaw in Zoom's system allowed videos to be downloaded and viewed even if they were manually password-protected by users. Guimond highlighted that Zoom had not considered security at all when developing their software, leading to high vulnerabilities in the industry for a mainstream product [98593]. (b) The software failure incident related to the operation phase can be observed in the way Zoom's system operated in terms of privacy protection. Despite the discovery of the vulnerability, Zoom initially did not have adequate security measures in place to prevent unauthorized access to videos. Even after rolling out an update that added a Captcha challenge to share links, the core vulnerability remained unfixed, allowing hackers to still manually follow share links once the Captcha was defeated. This operational failure left users' videos vulnerable to potential breaches [98593].
Boundary (Internal/External) within_system, outside_system (a) The software failure incident related to the Zoom vulnerability discovered by Phil Guimond can be categorized as within_system. The vulnerability allowed for the search and download of stored Zoom videos using share links, bypassing password protection and privacy settings within the Zoom software itself. Guimond highlighted that Zoom had not considered security when developing their software, indicating that the vulnerability was a result of internal system weaknesses [98593]. (b) Additionally, the incident also involved external factors contributing to the failure. For example, the vulnerability was discovered by a security researcher, Phil Guimond, who identified the flaw in Zoom's security measures. The incident was also exacerbated by the rapid growth in Zoom's user base due to the coronavirus pandemic, which increased the exposure of users to privacy risks and security vulnerabilities [98593].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the article was primarily due to non-human actions. The vulnerability that allowed someone to search for stored Zoom videos using share links and download them, as well as the limitation of Zoom's privacy protection that allowed cracking passwords on videos, were contributing factors introduced without human participation [98593]. Additionally, the issue of deleted Zoom videos remaining accessible for a few hours after deletion was also a non-human action contributing to the software failure incident [98593]. (b) However, human actions also played a role in the software failure incident. For example, the security researcher, Phil Guimond, discovered the vulnerability and created a tool, Zoombo, to exploit the limitation of Zoom's privacy protection [98593]. Additionally, users who did not manually password-protect their videos or used weak passwords contributed to the vulnerability [98593].
Dimension (Hardware/Software) software (a) The software failure incident did not occur due to hardware issues. The vulnerability discovered by Phil Guimond in Zoom's software allowed for unauthorized access to stored Zoom videos through share links, bypassing password protection and allowing for the viewing and downloading of videos [98593]. (b) The software failure incident occurred due to contributing factors that originate in software. Specifically, a vulnerability in Zoom's software allowed for the search and access of stored Zoom videos using share links, even videos that were supposedly deleted. This vulnerability was exploited by a security researcher, Phil Guimond, who created a tool called Zoombo to crack passwords on videos that were manually protected. Zoom's software lacked adequate security measures, leading to privacy risks and unauthorized access to videos [98593].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the articles is malicious in nature. The vulnerability discovered by Phil Guimond allowed for unauthorized access to stored Zoom videos through share links, even if they were password-protected. Guimond created a tool called Zoombo to exploit this vulnerability, highlighting the security flaws in Zoom's software. Additionally, the incident involved potential privacy risks, such as unauthorized access to corporate videos and the ability to target individual users for privacy invasions [98593].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident related to the Zoom vulnerability discovered by Phil Guimond highlights poor decisions made by Zoom in terms of security considerations. Guimond criticized Zoom for not considering security when developing their software, stating that their offerings have a high amount of vulnerabilities in the industry [98593]. Additionally, Zoom's response to the vulnerability by adding a Captcha challenge and implementing complex password rules for future cloud recordings indicates that the company had not initially prioritized security features in their software [98593].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the article can be attributed to development incompetence. The security researcher, Phil Guimond, discovered a vulnerability in Zoom that allowed unauthorized access to stored videos through share links, even if they were password-protected. Guimond criticized Zoom for not considering security during the development of their software, stating that their offerings have a high amount of vulnerabilities compared to other mainstream products [98593]. (b) Additionally, the incident can also be categorized as accidental. The vulnerability that allowed unauthorized access to Zoom videos through share links was not intentional but rather a flaw in the software that was exploited by hackers. Zoom rolled out updates to address the vulnerability after it was brought to their attention by CNET, indicating that the issue was not deliberately introduced but was an unintended consequence of the software's design [98593].
Duration permanent, temporary (a) The software failure incident described in the articles is more of a permanent failure. The vulnerability discovered by Phil Guimond allowed for the search and download of stored Zoom videos using share links, even after they were deleted from the Zoom account. This indicates a fundamental flaw in the software's design and security measures, making it a persistent issue [98593]. Additionally, the article mentions that even after the update rolled out by Zoom, existing shared recordings were still vulnerable to exploitation, highlighting the lasting impact of the failure [98593]. (b) The software failure incident can also be considered temporary to some extent. After the vulnerability was discovered, Zoom rolled out updates to address the issue, such as adding a Captcha challenge to share links and implementing rate limit protections. These measures temporarily mitigated the vulnerability, although the core issue remained unfixed [98593]. This temporary aspect is evident in the fact that the software updates provided some level of protection against the exploit, albeit not a permanent solution.
Behaviour value, other (a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions. The incident revolves around a vulnerability in Zoom's security that allowed unauthorized access to stored videos [98593]. (b) omission: The incident does not involve a failure due to the system omitting to perform its intended functions at an instance(s). Instead, it is related to a security vulnerability that allowed unauthorized access to stored Zoom videos [98593]. (c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. It is primarily about a security vulnerability that exposed stored Zoom videos to unauthorized access [98593]. (d) value: The software failure incident is related to the system performing its intended functions incorrectly, specifically in terms of failing to adequately protect stored videos, allowing unauthorized access even after deletion, and having limitations in password protection [98593]. (e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. It is primarily about a security vulnerability that allowed unauthorized access to stored Zoom videos [98593]. (f) other: The behavior of the software failure incident can be categorized as a security vulnerability leading to unauthorized access to stored videos, inadequate password protection, and videos remaining accessible even after deletion for a certain period of time [98593].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident involving Zoom's vulnerability allowed unauthorized access to stored Zoom videos, potentially compromising the privacy of the content [98593]. - The vulnerability exposed a limitation in Zoom's privacy protection, allowing hackers to download and view videos that were thought to be password-protected or deleted [98593]. - Users' videos that were stored in the cloud were at risk of being accessed without authorization, posing a threat to corporate privacy and potentially compromising sensitive information [98593]. - The incident highlighted the risk of unauthorized access to videos stored in a single bucket on Amazon cloud storage, emphasizing the importance of protecting data and ensuring secure access [98593].
Domain information (a) The software failure incident reported in the articles is related to the information industry. The incident involved a vulnerability in Zoom's software that allowed unauthorized access to stored Zoom videos, compromising the security and privacy of users' information [98593].

Sources

Back to List