Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them.

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees.

The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom’s videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated.

Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.

“I don’t think a lot of these things were predictable,” said Alex Stamos, a former chief security officer at Facebook who recently signed on as a security adviser to Zoom. “It’s like everyone decided to drive their cars on water.”

The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk.

Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work.

As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.

After Dropbox presented the hackers’ findings from the Singapore event to Zoom Video Communications, the California company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability only after another hacker publicized a different security flaw with the same root cause.

Zoom’s sudden popularity — nearly 600,000 people downloaded the app on a single day last month — has opened it to increased scrutiny by researchers and journalists and forced the company to grapple with a rash of security incidents.

Three weeks ago, the F.B.I. warned that it had received multiple reports of trolls hijacking public school classes on Zoom to display pornography and make threats — malicious attacks known as “Zoombombing.”

Last week, Vice’s Motherboard blog reported that security bug brokers were selling access — for $500,000 — to critical Zoom security flaws that could allow remote access into users’ computers. Separately, hackers put up more than half a million Zoom users’ passwords and user names for sale on the Dark Web.

In response, Eric S. Yuan, Zoom’s chief executive, said this month that the company would devote all of its engineering resources for the next 90 days to shoring up security and privacy. Last week, the company announced a revamped reward program for hackers who find security flaws in its code. Mr. Stamos said Zoom was also working on design changes to reduce the potential risks of security flaws and abuses like Zoombombing.

In a statement, Zoom said that it appreciated “the researchers and industry partners who have helped — and continue to help — us identify issues as we continuously seek to strengthen our platform.” It added that the company was “proactively working to better identify, address, and fix issues.”

In a statement, Dropbox said it was “grateful to Zoom for being the first to participate” in its vendor bug bounty program. It added that Dropbox itself used the videoconferencing service for internal meetings and that Zoom had become “a critical tool in keeping our teams connected.”

Before Zoom’s initial public offering in 2019, Dropbox made a $5 million investment in the company. Separately, Bryan Schreier, a Dropbox director, is a partner at Sequoia Capital, which made a $100 million investment in Zoom before the initial offering.

Even critics acknowledge that Zoom remains the most user-friendly videoconferencing service on the market and has become a crucial communications tool during the pandemic. Security researchers also praised Zoom for improving its response times — quickly patching recent bugs and removing features that presented privacy risks to consumers.

Zoom is hardly the first tech company whose sudden surge in popularity exposed its problems. Microsoft, Twitter, Google, Facebook and Uber have all settled federal charges related to consumer security or privacy.

What is different about Zoom is the unusual role that another tech company — Dropbox — played in pushing the videoconferencing service to address its security weaknesses. Details on Dropbox’s role have not been publicly reported before.

Many companies, including Zoom, have so-called “bug bounty programs” in which they pay hackers to turn over flaws in the company’s own software code. But Dropbox, which has integrated its file-sharing services with Zoom, did something novel.

Starting in 2018, Dropbox privately offered to pay top hackers it regularly worked with to find problems with Zoom’s software. It even had its own security engineers confirm the bugs and look for related problems before passing them on to Zoom, according to the former Dropbox engineers.

Hackers have reported several dozen problems with Zoom to Dropbox, the former employees said. These included moderate problems, like the ability for attackers to take over users’ actions on the Zoom web app, and more serious security flaws like the ability for attackers to run malicious code on computers using Zoom software. Dropbox also put in its own controls to ensure that its integration with Zoom did not present risks to Dropbox users.

Zoom’s reputation for security weaknesses began to spread within Dropbox, the former engineers said.

As part of an annual companywide hacking competition in 2018, Dropbox engineers created a knockoff of Zoom — they called it “Vroom” — and challenged employees to hack it. The Dropbox employees successfully obtained Vroom meeting codes, which would have allowed them to crash hypothetical Vroom meetings. The idea of the exercise, former Dropbox employees said, was to teach Dropbox engineers to avoid making some of the security mistakes that Zoom had made.

Some former employees said Dropbox also prompted Zoom to introduce additional security measures, including a virtual waiting room feature that now allows meeting organizers to vet each participant before letting them into a videoconference.

“I have no doubt that Zoom was better able to address the current ‘zoombombing’ craze thanks to Dropbox’s early” involvement, Chris Evans, a former head of security at Dropbox, wrote in an email to a reporter.

Dropbox employees weren’t the only ones finding problems. In late 2018, David Wells, a senior research engineer at Tenable, a security vulnerability assessment company, uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting — without even being on the call. Among other things, Mr. Wells reported that an attacker could take over a Zoom user’s screen controls, enter keystrokes and covertly install malware on their computer.

Mr. Wells also found the vulnerability allowed him to post messages in Zoom chats under other people’s names and kick people off meetings. Mr. Wells, who reported his findings directly to Zoom, said Zoom quickly patched the flaws.

In early 2019, Dropbox sponsored HackerOne Singapore, the live hacking competition. To put pressure on Zoom to take security more seriously, former Dropbox engineers said, Dropbox included the videoconferencing service among companies for which it offered bug bounties at the event.

Even before the event began, one hacker reported a major vulnerability to Dropbox that could have allowed attackers to pose as Zoom over Wi-Fi and secretly observe users’ video calls, the former Dropbox engineers said.

Soon after, the two Australian hackers, an engineer and executive at Assetnote, a security company, uncovered the flaw that would have allowed an attacker to covertly take complete control of certain computers running Apple’s macOS, according to a blog post published by the hackers.

The discovery was particularly jarring because attackers could have used the Zoom vulnerability to access the deepest levels of a user’s computer.

But Zoom did not quickly address the flaw. Instead, the company waited more than three months until a third researcher independently uncovered and publicized a separate, less serious issue, with the same underlying cause.

Mr. Yuan, Zoom’s chief executive, subsequently wrote a blog post apologizing for the delay.

“We misjudged the situation and did not respond quickly enough — and that’s on us,” Mr. Yuan wrote in the post from last July. He added: “We take user security incredibly seriously.”
