ICANN’s new conferencing software has a webcam security bug
ICANN can’t catch a break when it comes to remote participation security, it seems.
Having just recently made the community-wide switch away from Adobe Connect to Zoom, partly for security reasons, now Zoom has been hit by what many consider to be a critical zero-day vulnerability.
Zoom (which, irrelevantly, uses a .us domain) pushed out an emergency patch for the vulnerability yesterday, which would have allowed malicious web sites to automatically turn on visitors’ webcams without their consent.
Only users of the installable Mac client were affected.
According to security researcher Jonathan Leitschuh, who discovered the problem, Zoom’s Mac client was installing a web server on users’ machines in order to bypass an Apple security feature that requires a confirmatory click before the webcam turns on.
This meant a web site owner could trick a user into a Zoom session, with their camera turned on by default, without their knowledge or consent.
If you’re in the habit of keeping your webcam lens uncovered, that’s potentially a big privacy problem, especially if you do most of your remote coverage of ICANN meetings from the toilet.
It appears that Leitschuh, who reported the problem to Zoom three months ago, took issue with what he saw as the company’s ambivalent attitude to fixing it in a timely fashion.
When he finally blogged about it on Monday, after giving Zoom a 90-day “responsible disclosure” period to issue a patch, the problem still hadn’t been fully resolved, he wrote.
But, following media coverage, Zoom’s new patch apparently removes the covert web server completely. This removes the vulnerability but means Apple users will have to click a confirmation button before joining Zoom meetings in future.
Zoom is used now for all of ICANN’s remote participation, from sessions of its public meetings to discussions of its policy-making working groups.
I really like it. It feels a lot less clunky than Adobe, and it’s got some nifty extra features such as the ability to skip around in recordings based on an often-hilarious machine-transcription sidebar, which makes my life much easier.
One of the reasons ICANN made the switch was due to a bug found in Adobe Connect last year that could have been used to steal confidential information from closed meetings.
ICANN actually turned off Adobe Rooms for remote participants halfway through its public meeting in Puerto Rico due to the bug.
The switch to Zoom was hoped to save ICANN $100,000 a year.
ICANN waves goodbye to Adobe Connect over security, pricing
ICANN has decided to dump its longstanding web conferencing service provider, Adobe Connect, in favor of rival Zoom.
The organization reckons it could save as much as $100,000 a year, and mitigate some security fears, by making the switch.
Adobe has been the standard remote participation tool for not only ICANN’s public meetings, but also its policy-development working groups, for at least seven or eight years.
It enables video, audio, screen-sharing, public and private chat, voting and so on. ICANN says that Zoom has “nearly all of the same features”.
But some of ICANN’s more secretive bodies — including the Security and Stability Advisory Committee and Board Operations — have been using Zoom for a little over a year, after an SSAC member discovered a vulnerability in Adobe that allowed potentially sensitive information to be stolen.
A clincher appears to be Zoom’s voice over IP functionality, which ICANN says will enable it to drop Premiere Global Services Inc (PGi), its current, $500,000-a-year teleconferencing provider, which participants use if they dial in from on the road.
“Based on feedback, Zoom’s voice connectivity and overall experience seem to be superior to equivalent Adobe Connect experiences,” ICANN said.
As somebody who has lurked on more than his fair share of Adobe Connect rooms, I’ve noticed that people losing their voice connection is a very common occurrence, which can delay and break the flow of discussions, though it’s not usually clear where the blame lies.
According to a Zoom feature list (pdf) provided by ICANN, Zoom currently lacks many features on its web client, but updates are expected to bring the feature set in line with the mobile apps and PC/Mac executables by the end of the year.
ICANN expects to use Zoom exclusively by ICANN 65, in Marrakech this June. In the meantime, it will provide training to community members.
The cynic in me wants to say “expect teething troubles”, but the ICANN meetings team runs a pretty tight ship. The switch might be surprisingly smooth.
ICANN found a zero-day hole in Adobe Connect
It’s looking like ICANN may have found a zero-day vulnerability in Adobe Connect, until recently its default collaboration tool.
The organization on Friday announced the results of a “forensic investigation” into the bug, and said it has reported its findings to Adobe, which is now “working on a software fix to address the root cause of the issue”.
If Adobe didn’t know about it, it looks rather like ICANN — or at least the unnamed member of the security advisory committee who found it — has bagged itself a zero-day.
ICANN had previously said that the glitch “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”.
The review found that the only person who exploited the bug was the person who discovered and disclosed it.
AC is used not only in ICANN’s public meetings but also, I understand, in closed sessions of ICANN staff, board and committees, where secret information is most likely to be shared.
After the bug was discovered, ICANN shut off the system and started using alternatives such as WebEx, to a mixed reception.
In the absence of an immediate patch from Adobe, ICANN has been testing workarounds and said it hopes to have two working ones deployed by May 3.
This would allow the tool to come back online in time for its board workshop, GDD Summit and ICANN 62, the organization said.
Data leak security glitch screws up ICANN 61 for thousands
A security vulnerability forced ICANN to take down its Adobe Connect conferencing service halfway through its ICANN 61 meeting in Puerto Rico.
The “potentially serious security issue” could “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”, ICANN said in a pair of statements.
Taking down the service for the remainder of the meeting, which ends today, meant that potentially thousands of remote participants were left to cobble together a less streamlined replacement experience from a combination of live streams, transcription and email.
At the last ICANN meeting, over 4,000 unique participants logged into Adobe Connect. With only 1,900 or so people on-site, we’re probably looking at over 2,000 remote participants relying on AC to take part.
At this point, it’s not clear whether ICANN has discovered a previously undisclosed vulnerability in the Adobe service, or whether it simply buggered up its implementation with sloppy configuration settings.
It’s also not clear whether the glitch has been actively exploited to expose private data, though ICANN said it was first reported by a member of the Security and Stability Advisory Committee.
ICANN said in the second of two statements issued yesterday:
The issue is one that could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room. We are still investigating the root cause of the issue. We have formulated different scenarios based on authentication, encryption, and software versions, which we are testing in a controlled fashion in attempt to replicate and understand the root cause of the issue.
We are working directly with Adobe and with our cloud service provider to learn more.
Adobe Connect is a web conferencing tool that, at least when ICANN uses it for public meetings, combines live video and transcription, PowerPoint presentation sharing, and public and private chat rooms.
I also understand that there’s also a whiteboarding feature that allows participants to collaboratively work on documents in closed sessions.
Given that everything shared in the public sessions (outside of the private chat function) is by definition public, it might be reasonable to assume that ICANN’s primary concern here is how the software is used in closed sessions.
I hear ICANN uses Adobe Connect internally among its own staff and board, where one might imagine private data is sometimes shared. Other relatively secretive groups, such as the Governmental Advisory Committee and Nominating Committee, are also believed to sometimes use it behind closed doors.
While Adobe is infamous for producing buggy, insecure software, and ICANN uses a version of it hosted by a third-party cloud services provider, that doesn’t necessarily mean this wasn’t another ICANN screw-up.
In a similar incident uncovered in 2015, it was discovered that new gTLD applicants could read attachments on the confidential portions of their competitors’ applications, after ICANN accidentally had a single privacy configuration toggle set to “On” instead of “Off” in the hosted Salesforce.com software it was using to manage the program.
Ashwin Rangan, ICANN’s CIO and the guy also tasked with investigating the Salesforce issue, has now started a probe into the Adobe issue.
Recent Comments