Zoom has fixed a security issue flagged in its macOS software, removing an installer that effectively circumvented Apple’s restrictions.
The software previously used a “preinstall” technique that required no admin privileges to run, included a fake security prompt, and was described by security experts as using “the same tricks that are being used by MacOS malware”.
The issue was initially flagged by software engineer Felix Seele, and was brought to the attention of founder and chief executive Eric Yuan.
Scrutiny
Zoom said on Thursday it would freeze new feature development and shift all engineering resources onto security and safety issues, following a string of minor scandals that has put the company and its practices under scrutiny.
“We have fallen short of the community’s - and our own - privacy and security expectations,” said Mr Yuan, in a blogpost on Thursday. “For that, I am deeply sorry.”
Privacy campaigners, security researchers, and members of the public have found faults in the platform’s programming, policies, and practices. In just a couple of weeks, researchers found flaws, from a broken promise to provide “end to end encryption” for video calls to bugs that would allow a hacker to gain access to a user’s webcam and microphone.
Some stem from the fact that a tool originally designed for enabling corporate communications has been repurposed for a wide range of consumer uses, from strangers meeting up for virtual “happy hours” to children’s book groups and remote sessions of Dungeons and Dragons.
But others relate to the company's approach of finding unorthodox solutions to problems, modelled on the notorious Facebook maxim "move fast and break things", which may not always hold up under closer inspection.
Foundation
"There's a difference between being able to pivot on top of a solid foundation," says Vincent Roffers, executive strategy director at branding strategists Superunion, "and the path where they have at some level cut corners a bit," in terms of the way they've created their product.
The most public problem facing the company has been the rise of “Zoombombings”, when trolls join public video chats to wreak havoc among their members by broadcasting pornography, hurling abuse, or undressing in front of their webcam. Zoombombings are possible because the company’s product is built for use in cases where every caller is part of the same company, or already known to each other, security experts say - an assumption that no longer fits after weeks in lockdown.
“We now have a much broader set of users who are utilising our product in a myriad of unexpected ways,” Mr Yuan said, “presenting us with challenges we did not anticipate when the platform was conceived.” Zoombombings can be prevented by changing the app’s settings, Zoom said in late March as the problem was growing.
Growth
"So many of Zoom's poor decisions were about prioritising growth over security," said the analyst Ben Thompson. "This crisis, though, more than takes care of growth: it's up to Zoom to seize the opportunity to prioritise security in a transparent and verifiable way at a time when all of their customers want them to succeed."
That’s what the company is promising now, Mr Yuan says. Over the next 90 days, it will conduct a “comprehensive review with third-party experts”, publish a transparency report, and run penetration tests to find and fix further flaws. – Additional reporting: Guardian News and Media 2020