Turning the Zoom exploit into lemonade
In early March a security researcher discovered a Zero Day security issue with the Zoom software. This particular exploit would allow bad actors to start a Zoom instance and turn on a customer’s camera. This vulnerability appears only to impact Macs. Also, when Zoom software is uninstalled, a program still resides on the computer, leaving the system vulnerable.
To get the down and dirty details, click here to read the full account. The article includes a timeline of communication with Zoom. That timeline is the real story here and offers a glimpse into the processes of Zoom during a stressful time.
Remember,Zoom’s IPO was in late April; right in the middle of this exploit timeline. The company’s first official response was to offer the researcher a “bug bounty” with the understanding he would not discuss his findings, ever. Given the impending stock sale, one could understand that reaction. The security professional declined, and Zoom went back to work fixing the issue. The company eventually fixed the problem, though it was about a week after the public disclosure. Also, Apple released their own fix with an update to the Mac OS.
The Silver Lining
There are a few things to watch, or review, in this story. The first is the caution with which Zoom progressed. According to the article, the company took almost a month to respond. Again, this was while ramping up to an IPO. However, a month to confirm a bug in the software seems to be a bit average. Once verified, Zoom sought to keep the exploit quiet. The need and desire for secrecy is understandable. Given that Zoom’s entire product offering lays on the foundation of the software, the market doesn’t want to see a reactionary response. This was a measured response and one done with purpose.
Talking Zoom Exploit
The second point to watch was Zoom CEO, Eric Yuan’s response. Yuan joined a chat room to discuss the findings with other security researchers. The Zoom CEO found it necessary and proper to address the security issue personally. The company is Yuan’s creation, his baby if you will. Yuan discussing a problem with Zoom would be like Henry Ford sitting down to talk about the Model T. Eric’s willingness proves he is here for the good and bad.
Paying for Bugs
One item that gets lost in this story is the establishment of a “bug bounty” from Zoom. Quickly, a bug bounty is a public policy by a company offering money for security issues found. Before this incident, Zoom appears to have a simple system in place. Since the release of the exploit, the company has set up a formal system to pay researchers for security issues. The official bug bounty is another sign Zoom is maturing and evolving into a mature software company. It’s a good sign for both investors and users.
The bottom line here is that no company is immune from issues in their software. There’s a reason every Tuesday those on PCs have a patch available. The trick is what the company does once a vulnerability has been exposed. Zoom handled the exploit with caution but took it seriously. One could disagree with Zoom’s original explanations of why it was there in the first place. However, I’d argue there shouldn’t be any disagreement with their response. Zoom acknowledged the security flaw and fixed it. That is exactly what we expect from software companies we trust.
Related content from the Futurum Team:
The original version of this article was first published on Futurum Research.
- What to do Now That Skype for Business Online is Going Away - August 8, 2019
- Why the Zoom Exploit Resulted in a Net Positive for the Company - July 30, 2019
- UCaaS Should Be the Next Service You Add - July 3, 2019