SUMMARY
One of the vulnerability allowed an unauthorised remote attacker to join a Zoom meeting without appearing to other participants
Another vulnerability allowed the remote hacker to obtain the audio and video feed of a meeting they were not authorised to join
CERT-In has advised users to update to the latest version of the video conferencing software to avoid any issues
The Indian Computer Emergency Response Team (CERT-In) has identified a host of vulnerabilities in video conferencing platform Zoom.
According to the cybersecurity watchdog, one of the vulnerabilities could allow an unauthorised remote attacker to join a Zoom meeting without appearing to other participants in the video chat.
“These vulnerabilities exist due to improper access control implementation. A remote attacker could exploit these vulnerabilities to join a meeting they are authorised to join without appearing to the other participants or obtain the audio and video feed of a meeting they were not authorised to join and cause other meeting disruptions,” said a CERT-In’s advisory.
The advisory further added that the identified issues in Zoom products could allow a remote authenticated user to bypass implemented security restrictions on the targeted system.
The cybersecurity watchdog has advised users to update to the latest version of the video conferencing software to subvert any prospective issues.
Tagged ‘Medium’ on the severity rating, the exposure has been dubbed as CVE-2022-28758, CVE-2022-28759, and CVE-2022-28760, and have been attributed to improper access control implementation.
In addition, the Indian cybersecurity watchdog also issued a warning against vulnerabilities in Lenovo products such as desktops, laptops, server-related offering ThinkPad, workstation series ThinkStation, among others.
CERT-In is India’s national nodal agency tasked with disseminating information regarding cybersecurity incidents, to deploy measures in the event of an emergency, among other functions.
Zoom Vs Indian Govt
This is not the first time that the video conferencing platform has landed in a soup in India. Back in 2020, the firm suffered a major data leak after it emerged that login details of more 5 Mn Zoom users were being sold on dark web for as little as a pence.
Close on the heels of that, the Indian government had issued an advisory terming the platform altogether ‘unsafe.’
Later, the firm was again marred by controversy amid rumours that Zoom was a Chinese company. This happened in 2020 at the height of geopolitical hostilities between India and China. Such was the impact that the company had to come out and clarify that it was a publicly traded company based out of San Jose, California.
It has, previously, also faced boycott calls from the Confederation of All India Traders (CAIT) that had urged traders and trade associations to boycott the ‘Chinese product.’
Just last week, Zoom suffered a major outage that prevented users from starting or joining meetings. Even 2020 had its fair share of outages that knocked off businesses for many companies and rendered its clients in a limbo.
The Indian Cybersecurity Nightmare
This comes days after the infamous SOVA Android Trojan malware re-emerged on the horizon with newer capabilities that appeared to be targeting Indian banking customers.
In August, CERT-In issued a ‘High’ level advisory that warned users about vulnerabilities in Google Chrome browser that allow hackers to bypass security systems on computers.
This adds to the growing headache for the Indian cybersecurity apparatus which has been pummelled by a flurry of such attacks in the last few months. Earlier this year, Minister of State Chandrasekhar informed the Parliament that more than 6.74 Lakh cybersecurity incidents were reported in the first six months of 2022.
Late last month, a top Google executive noted that the country witnessed more than 18 Mn cyberattacks and 2 Lakh threats per day in the first quarter of the year.
This comes amidst growing incidents of cyberattacks in the country. In August, airline Akasa Air publicly apologised after it emerged that a ‘temporary technical configuration error related to their login and sign-up service’ had led to unauthorised persons viewing personal details of users.
In July, fintech player Policybazaar’s IT systems were subjected to ‘illegal and unauthorised‘ access. In the same month, the Securities and Exchange Board of India (SEBI) also filed an FIR after it emerged that the market watchdog was hit by a cyberattack involving its email system.
