Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principle security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access the underlying macOS operating system, which are typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped detail of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Marriott says 5.2 million guest records stolen in another data breach

Marriott has confirmed a second data breach in three years — this time involving the personal information on 5.2 million guests.

The hotel giant said Tuesday it discovered the breach of an unspecified property system at a franchise hotel in late February. The hackers obtained the login details of two employees, a hotel statement said, which broke in weeks earlier during mid-January.

Marriott said it has “no reason” to believe payment data was stolen, but warned that names, addresses, phone numbers, loyalty member data, dates of birth and other travel information — such as linked airline loyalty numbers and room preferences — were taken in the breach.

Starwood, a subsidiary of Marriott, said in 2018 its central reservation system was hacked, exposing the personal data and guest records on 383 million guests. The data included  five million unencrypted passport numbers and eight million credit card records.

It prompted a swift response from European authorities, which issued Marriott with a fine of $123 million in the wake of the breach.

Maybe we shouldn’t use Zoom after all

Now that we’re all stuck at home thanks to the coronavirus pandemic, video calls have gone from a novelty to a necessity. Zoom, the popular videoconferencing service, seems to be doing better than most and has quickly become one of, if not the most, popular option going.

But should it be?

Zoom’s recent popularity has also shone a spotlight on the company’s security protections and privacy promises. Just today, The Intercept reported that Zoom video calls are not end-to-end encrypted, despite the company’s claims that they are.

And Motherboard reports that Zoom is leaking the email addresses of “at least a few thousand” people because personal addresses are treated as if they belong to the same company.

It’s the latest examples of the company having to spend the last year mopping up after a barrage of headlines examining the company’s practices and misleading marketing. To wit:

  • Apple was forced to step in to secure millions of Macs after a security researcher found Zoom failed to disclose that it installed a secret web server on users’ Macs, which Zoom failed to remove when the client was uninstalled. The researcher, Jonathan Leitschuh, said the web server meant any malicious website could activate Mac webcam with Zoom installed without the user’s permission. The researcher declined a bug bounty payout because Zoom wanted Leitschuh to sign a non-disclosure agreement, which would have prevented him from disclosing details of the bug.
  • Zoom was quietly sending data to Facebook about a user’s Zoom habits — even when the user does not have a Facebook account. Motherboard reported that the iOS app was notifying Facebook when they opened the app, the device model, which phone carrier they opened the app, and more. Zoom removed the code in response, but not fast enough to prevent a class action lawsuit or New York’s attorney general from launching an investigation.
  • Zoom came under fire again for its “attendee tracking” feature, which, when enabled, lets a host check if participants are clicking away from the main Zoom window during a call.
  • A security researcher found that the Zoom uses a “shady” technique to install its Mac app without user interaction. “The same tricks that are being used by macOS malware,” the researcher said.
  • On the bright side and to some users’ relief, we reported that it is in fact possible to join a Zoom video call without having to download or use the app. But Zoom’s “dark patterns” doesn’t make it easy to start a video call using just your browser.
  • Zoom has faced questions over its lack of transparency on law enforcement requests it receives. Access Now, a privacy and rights group, called on Zoom to release the number of requests it receives, just as Amazon, Google, Microsoft and many more tech giants report on a semi-annual basis.
  • Then there’s Zoombombing, where trolls take advantage of open or unprotected meetings and poor default settings to take over screen-sharing and broadcast porn or other explicit material. The FBI this week warned users to adjust their settings to avoid trolls hijacking video calls.
  • And Zoom tightened its privacy policy this week after it was criticized for allowing Zoom to collect information about users’ meetings — like videos, transcripts and shared notes — for advertising.

There are many more privacy-focused alternatives to Zoom. Three are several options, but they all have their pitfalls. FaceTime and WhatsApp are end-to-end encrypted, but FaceTime works only on Apple devices and WhatsApp is limited to just four video callers at a time. A lesser known video calling platform, Jitsi, is not end-to-end encrypted but it’s open source — so you can look at the code to make sure there are no backdoors — and it works across all devices and browsers. You can run Jitsi on a server you control for greater privacy.

In fairness, Zoom is not inherently bad and there are many reasons why Zoom is so popular. It’s easy to use, reliable and for the vast majority it’s incredibly convenient.

But Zoom’s misleading claims give users a false sense of security and privacy. Whether it’s hosting a virtual happy hour or a yoga class, or using Zoom for therapy or government cabinet meetings, everyone deserves privacy.

Now more than ever Zoom has a responsibility to its users. For now, Zoom at your own risk.

Security lapse exposed Republican voter firm’s internal app code

A voter contact and canvassing company, used exclusively by Republican political campaigns, mistakenly left an unprotected copy of its app’s code on its website for anyone to find.

The company, Campaign Sidekick, helps Republican campaigns canvass their districts using its iOS and Android apps, which pull in names and addresses from voter registration rolls. Campaign Sidekick says it has helped campaigns in Arizona, Montana, and Ohio — and contributed to the Brian Kemp campaign, which saw him narrowly win against Democratic rival Stacey Abrams in the Georgia gubernatorial campaign in 2018.

For the past two decades, political campaigns have ramped up their use of data to identify swing voters. This growing political data business has opened up a whole economy of startups and tech companies using data to help campaigns better understand their electorate. But that has led to voter records spilling out of unprotected servers and other privacy-related controversies — like the case of Cambridge Analytica obtaining private data from social media sites.

Chris Vickery, director of cyber risk research at security firm UpGuard, said he found the cache of Campaign Sidekick’s code by chance.

In his review of the code, Vickery found several instances of credentials and other app-related secrets, he said in a blog post on Monday, which he shared exclusively with TechCrunch. These secrets, such as keys and tokens, can typically be used to gain access to systems or data without a username or password. But Vickery did not test the password as doing so would be unlawful. Vickery also found a sampling of personally identifiable information, he said, amounting to dozens of spreadsheets packed with voter names and addresses.

Fearing the exposed credentials could be abused if accessed by a malicious actor, Vickery informed the company of the issue in mid-February. Campaign Sidekick quickly pulled the exposed cache of code offline.

One of the Campaign Sidekick mockups, using dummy data, collates a voter’s data in one place. (Image: supplied)

One of the screenshots provided by Vickery showed a mockup of a voter profile compiled by the app, containing basic information about the voter and their past voting and donor history, which can be obtained from public and voter records. The mockup also lists the voter’s “friends.”

Vickery told TechCrunch he found “clear evidence” that the app’s code was designed to pull in data from its now-defunct Facebook app, which allowed users to sign-in and pull their list of friends — a feature that was supported by Facebook at the time until limits were put on third-party developers’ access to friends’ data.

“There is clear evidence that Campaign Sidekick and related entities had and have used access to Facebook user data and APIs to query that data,” Vickery said.

Drew Ryun, founder of Campaign Sidekick, told TechCrunch that its Facebook project was from eight years prior, that Facebook had since deprecated access to developers, and that the screenshot was a “digital artifact of a mockup.” (TechCrunch confirmed that the data in the mockup did not match public records.)

Ryun said after he learned of the exposed data the company “immediately changed sensitive credentials for our current systems,” but that the credentials in the exposed code could have been used to access its databases storing user and voter data.

Saudi spies tracked phones using flaws the FCC failed to fix for years

Lawmakers and security experts have long warned of security flaws in the underbelly of the world’s cell networks. Now a whistleblower says the Saudi government is exploiting those flaws to track its citizens across the U.S. as part of a “systematic” surveillance campaign.

It’s the latest tactic by the Saudi kingdom to spy on its citizens overseas. The kingdom has faced accusations of using powerful mobile spyware to hack into the phones of dissidents and activists to monitor their activities, including those close to Jamal Khashoggi, the Washington Post columnist who was murdered by agents of the Saudi regime. The kingdom also allegedly planted spies at Twitter to surveil critics of the regime.

The Guardian obtained a cache of data amounting to millions of locations on Saudi citizens over a four-month period beginning in November. The report says the location tracking requests were made by Saudi’s three largest cell carriers — believed to be at the behest of the Saudi government — by exploiting weaknesses in SS7.

SS7, or Signaling System 7, is a set of protocols — akin to a private network used by carriers around the world — to route and direct calls and messages between networks. It’s the reason why a T-Mobile customer can call an AT&T phone, or text a friend on Verizon — even when they’re in another country. But experts say that weaknesses in the system have allowed attackers with access to the carriers — almost always governments or the carriers themselves — to listen in to calls and read text messages. SS7 also allows carriers to track the location of devices to just a few hundred feet in densely populated cities by making a “provide subscriber information” (PSI) request. These PSI requests are typically to ensure that the cell user is being billed correctly, such as if they are roaming on a carrier in another country. Requests made in bulk and excess can indicate location tracking surveillance.

But despite years of warnings and numerous reports of attacks exploiting the system, the largest U.S. carriers have done little to ensure that foreign spies cannot abuse their networks for surveillance.

One Democratic lawmaker puts the blame squarely in the Federal Communication Commission’s court for failing to compel cell carriers to act.

“I’ve been raising the alarm about security flaws in U.S. phone networks for years, but FCC chairman Ajit Pai has made it clear he doesn’t want to regulate the carriers or force them to secure their networks from foreign government hackers,” said Sen. Ron Wyden, a member of the Senate Intelligence Committee, in a statement on Sunday. “Because of his inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country,” he said.

A spokesperson for the FCC, the agency responsible for regulating the cell networks, did not respond to a request for comment.

A long history of feet-dragging

Wyden is not the only lawmaker to express concern. In 2016, Rep. Ted Lieu, then a freshman congressman, gave a security researcher permission to hack his phone by exploiting weaknesses in SS7 for an episode of CBS’ 60 Minutes.

Lieu accused the FCC of being “guilty of remaining silent on wireless network security issues.”

The same vulnerabilities were used a year later in 2017 to drain the bank accounts of unsuspecting victims by intercepting and stealing the two-factor authentication codes necessary to log in sent by text message. The breach was one of the reasons why the U.S. government’s standards and technology units, NIST, recommended moving away from using text messages to send two-factor codes.

Months later the FCC issued a public notice, prompted by a raft of media attention, “encouraging” but not mandating that carriers make efforts to bolster their individual SS7 systems. The notice asked carriers to monitor their networks and install firewalls to prevent malicious requests abuse.

It wasn’t enough. Wyden’s office reported in 2018 that one of the major cell carriers — which was not named — reported an SS7 breach involving customer data. Verizon and T-Mobile said in letters to Wyden’s office that they were implementing firewalls that would filter malicious SS7 requests. AT&T said in its letter that it was in the process of updating its firewalls, but also warned that “unstable and unfriendly nations” with access to a cell carrier’s SS7 systems could abuse the system. Only Sprint said at the time that it was not the source of the SS7 breach, according to a spokesperson’s email to TechCrunch.

T-Mobile did not respond to a request for comment. Verizon (which owns TechCrunch) also did not comment. AT&T said at the time it “continually works with industry associations and government agencies” to address SS7 issues.

Fixing SS7

Fixing the problems with SS7 is not an overnight job. But without a regulator pushing for change, the carriers aren’t inclined to budge.

Experts say those same firewalls put in place by the cell carriers can filter potentially malicious traffic and prevent some abuse. But an FCC working group tasked with understanding the risks posed by SS7 flaws in 2016 acknowledged that the vast majority of SS7 traffic is legitimate. “Carriers need to be measured as they implement solutions in order to avoid collateral network impacts,” the report says.

In other words, it’s not a feasible solution if it blocks real carrier requests.

Cell carriers have been less than forthcoming with their plans to fix their SS7 implementations. Only AT&T provided comment, telling The Guardian that it had “security controls to block location-tracking messages from roaming partners.” To what extent remains unclear, or if those measures will even help. Few experts have expressed faith in newer systems like Diameter, a similar routing protocol for 4G and 5G, given there have already been a raft of vulnerabilities found in the newer system.

End-to-end encrypted apps, like Signal and WhatsApp, have made it harder for spies to snoop on calls and messages. But it’s not a panacea. As long as SS7 remains a fixture underpinning the very core of every cell network, tracking location data will remain fair game.

Social Bluebook was hacked, exposing 217,000 influencers’ accounts

A social media platform used to match advertisers with thousands of influencers has been hacked.

Social Bluebook, a Los Angeles-based company, allows advertisers to pay social media “influencers” for posts that promote their products and services. The company claims it has some 300,000 influencers on its books.

But in October 2019, the company’s entire backend database was stolen in a data breach.

TechCrunch obtained the database, which contains some 217,000 user accounts — including influencer names, email addresses, and passwords hashed, which had been scrambled using the strong SHA-2 hashing algorithm.

It’s not known how the database was exfiltrated from the company’s systems or who was behind the breach.

We contacted several users who when presented with their information confirmed it as accurate. We also provided a portion of the data to Social Bluebook co-founder Sam Michie for verification.

“We have just now become aware of this data breach that occurred in October 2019,” he told TechCrunch in an email Thursday.

He said affected users will be informed of the breach by email. The company also informed the California attorney general’s office of the breach, per state law.

Social media influencers are a constant target for hackers, who often try to hijack accounts with popular handles or high follower counts. Some influencers have relied on white-hat hackers to get their hijacked accounts back.

Last year, an Indian social media firm left a database of Instagram influencers online, which included phone numbers and email addresses scraped from their profiles.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. 

A Norwegian school quit using video calls after a naked man ‘guessed’ the meeting link

A school in Norway has stopped using popular video conferencing service Whereby after a naked man apparently “guessed” the link to a video lesson.

According to Norwegian state broadcaster NRK, the man exposed himself in front of several young children over the video call. The theory, according to the report, is that the man guessed the meeting ID and joined the video call.

One expert quoted in the story said some are “looking” for links.

Last year security researchers told TechCrunch that malicious users could access and listen in to Zoom and Webex video meetings by cycling through different permutations of meeting IDs in bulk. The researchers said the flaw worked because many meetings were not protected by a passcode.

School and workplaces across the world are embracing remote teaching as the number of those infected by the coronavirus strain, known as COVID-19, continues to climb. There are some 523,000 confirmed cases of COVID-19 across the world as of Thursday, according to data provided by Johns Hopkins University. Norway currently has over 3,300 confirmed cases.

More than 80% of the world’s population is said to be on some kind of lockdown to help limit the spread of the coronavirus in an effort to prevent the overrunning of health systems.

The ongoing global lockdown has forced companies to embrace their staff working from home, pushing Zoom to become the go-to video conferencing platform for not only remote workers but also for recreation, like book clubs and happy hours.

An earlier version of this article incorrectly identified the video service as Zoom. The video conferencing service used by the school was Whereby. We regret the error.

Cyber insurer Chubb had data stolen in Maze ransomware attack

Chubb, a major cybersecurity insurance provider for businesses hit by data breaches, has itself become a target of a data breach.

The insurance giant told TechCrunch it was investigating a “security incident” involving the unauthorized access to data belonging to an unnamed third-party. Chubb spokesperson Jeffrey Zack said the company had “no evidence” the incident affected Chubb’s own network and that its network “remains fully operational.”

But the spokesperson declined to comment further or answer any of our questions, including if its customers were affected.

Brett Callow, a threat analyst at security firm Emsisoft, first alerted TechCrunch to the breach on Thursday. According to Callow, the security incident was a data-stealing ransomware attack launched by the Maze ransomware group. Maze not only spreads across a network, infecting and encrypting every computer in its path, it also exfiltrates the data to the attackers’ servers where it is held for ransom. If a ransom isn’t paid, the attackers publish the files online.

In December, the FBI privately warned businesses of an increase in Maze-related ransomware incidents.

Callow said the attackers behind the incident posted a listing on their website claiming to have data stolen from Chubb in earlier in March. The listing included the names and email addresses of three senior executives, including CEO Evan Greenberg.

At the time of writing, the attackers have not yet published any of the stolen files.

Chubb is one of the largest cybersecurity providers in the United States, offering incident response services and covering companies from losses caused by data breaches. Target last year filed a $74 million lawsuit against Chubb after the retailer claimed the insurance carrier failed to properly compensate it for the costs incurred from its 2013 data breach involving the theft of 110 million customers’ data.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849.

Better know a CSO: Indiana University Health’s Mitch Parker

Mitch Parker has one of Indiana’s most critical jobs.

As chief information security officer for Indiana University Health, Parker oversees cybersecurity for more than 30,000 employees at 18 hospitals across the state, along with countless numbers of computers, workstations and medical devices, making it the largest health system in Indiana — and the United States.

Indiana University Health is tasked with helping patients recover and maintain their health, but Parker’s job is keeping their data safe. In our discussion, he discussed the state of medical devices, his security team’s priorities and why — when an organization is so big — communication is absolutely key.

This interview has been edited for length and clarity.

We’re talking to chief security officers to learn more about their work, promote best practices that don’t hamper growth and share insights from some of the industry’s most experienced security professionals.

TechCrunch: You’ve been at IU Health for a little over three years. Multiple hospitals, thousands of staff, a range of threats and no two days are the same. What’s the secret sauce?

Mitch Parker: The organization is significantly more receptive to working together towards cybersecurity solutions than when I first got here. A lot of it I’ve found comes down to just taking the time to understand your customers’ needs. I align everything the security team does with our core mission and values and with purpose, excellence, team and compassion. We don’t talk about cybersecurity first. We talk about, how do we improve healthcare, and how do we provide a better patient experience? And we ask, how do we assist in fulfilling our customers’ needs?

So, in a few words, what’s your approach to cybersecurity across the various teams at IU Health?

Cybersecurity is constantly evolving. Healthcare threats change, too. Three years ago we were talking about Ebola [virus] and now we’re talking about new disease threats. Just as our organization has to adapt, cybersecurity has to adapt in the same way. When I first got here, the organization understood that they had a need but didn’t feel they had a valued business partner to work with. That partnership is more important than the threat of the week.

Justice Dept. files its first coronavirus takedown: a bogus vaccine website

U.S. federal prosecutors have filed and won a temporary restraining order against a website offering a fraudulent coronavirus vaccine, which the Justice Department said is its first enforcement action related to the pandemic.

In a statement, the Justice Dept. said the action was taken against a website, said to be engaging in a wire fraud scheme, seeking “to profit from the confusion and widespread fear” surrounding COVID-19.

The website, seen by TechCrunch, claims the World Health Organization is “giving away vaccine kits” to unsuspecting victims who pay a small fee for shipping. The website asks for a victim’s credit card information.

“In fact, there are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine,” the Justice Department’s statement said.

A federal judge issued the temporary restraining order against the website’s owners, whose names are not known. The order also demanded that Namecheap, the site’s domain host, pull the site offline.

Although the Justice Dept. names the website, we are not. The website remains accessible at the time of writing.

A spokesperson for Namecheap did not immediately respond to a request for comment.

Assistant attorney general Jody Hunt said: “The Department of Justice will not tolerate criminal exploitation of this national emergency for personal gain. We will use every resource at the government’s disposal to act quickly to shut down these most despicable of scammers, whether they are defrauding consumers, committing identity theft, or delivering malware.”

As it stands, there are more than 300,000 confirmed cases around the world. But as government authorities continue to lack testing equipment, the global number of infections is said to be far higher.

As of Friday, wome 80 million Americans are under lockdown, including in California, New York, and Illinois, in an effort to limit the spread of the respiratory illness.

The spread of the virus also prompted the U.S. and Canada to mutually agree to close the northern border, and the U.S. to close its southern border with Mexico to all but essential travel.

On Thursday, the U.S. ordered an unprecedented “do not travel” warning to all Americans.