Collaboration Platforms at Risk of Security Flaws

Vulnerabilities could expose UC users’ personal data to hackers and allow eavesdropping

Developers should put more effort into securing communications platforms against the loss of data belonging to users and to a business’s customers, according to industry figures.

Recently, there have been a number of reports about communications platforms having significant security vulnerabilities associated with storage of or access to user data. The platforms affected include Slack, WhatsApp, Telegram, Instagram, Snapchat, Zoom and others.

Symantec exposed a vulnerability associated with the secure messaging apps WhatsApp and Telegram, on the heels of news that Zoom had a severe security vulnerability.

The bugs in WhatsApp and Telegram stem from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.
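A change made to a media file in that window can be detected by recording a digest when the file is written and checking the bytes read back before they reach the UI. The sketch below is an added example, not code from WhatsApp, Telegram or Symantec; `MediaStore`, its method names and the in-memory digest index (standing in for app-private storage) are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class TamperedMediaError(Exception):
    """File content no longer matches the digest recorded at write time."""


class MediaStore:
    """Hypothetical receive/display path for a messaging app."""

    def __init__(self, shared_dir):
        self.shared_dir = Path(shared_dir)  # storage other processes may write to
        self._digests = {}                  # stands in for app-private metadata

    def receive(self, name, data):
        """Write incoming media to shared storage and record its SHA-256."""
        path = self.shared_dir / name
        path.write_bytes(data)
        self._digests[name] = hashlib.sha256(data).digest()
        return path

    def load_for_display(self, name):
        """Read once, hash the bytes actually read, return only verified bytes."""
        data = (self.shared_dir / name).read_bytes()
        actual = hashlib.sha256(data).digest()
        if not hmac.compare_digest(actual, self._digests[name]):
            raise TamperedMediaError(name)
        return data


def demo():
    """Constructed scenario: one file is left alone, one changes after receipt."""
    with tempfile.TemporaryDirectory() as tmp:
        store = MediaStore(tmp)
        store.receive("invoice.jpg", b"constructed image bytes")
        store.receive("photo.jpg", b"constructed photo bytes")
        # Another writer changes the file between the write and the UI load.
        (Path(tmp) / "invoice.jpg").write_bytes(b"modified after receipt")
        results = {}
        for name in ("photo.jpg", "invoice.jpg"):
            try:
                store.load_for_display(name)
                results[name] = "ok"
            except TamperedMediaError:
                results[name] = "tampered"
        return results
```

The digest is computed over the same bytes that are handed to the caller, so the check does not open a second gap between verification and use.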

In an interview with UC Today, Chris Howell, CTO and co-founder of end-to-end encryption platform Wickr, said that such platforms are years in development and comprise millions of lines of code. All this code requires many developers, development managers, product teams, QA teams, infrastructure teams, support teams, processes and procedures to maintain it.

It is in that code where the security issues crop up.

“Security bugs generally have significant user impact in terms of loss of privacy, etc, which also makes them more ‘lucrative’ for bad actors to find,” he said.

“It’s harder to test for security bugs, too, which means absent specific skill and attention, the quality of security testing on the whole is probably lower vs. functional testing at most organisations.”

He said that his company has spent a lot of time building a security test program, which has many facets, “from security unit testing by developers to white box penetration testing by third parties, both formally engaged and via bug bounty programs. It takes that kind of broad base effort”.

Howell adds that testing that is part of the development process is probably the most effective, but it’s also hard to measure and almost always the first thing that gets cheated when deadlines loom. “Then, when bugs are found in production, it’s typically QA testing (the last round of testing) that’s scrutinised, which isn’t necessarily the best place to point the finger,” he said.

Lifesize’s CEO, Craig Malloy, told UC Today that security is too often an afterthought in video communication:

“While the user experience is undeniably important, it means absolutely nothing if customers can’t trust that their critical business communications and sensitive data are protected in the most responsible, secure ways possible.”

“The Zoom exploit method reported further reinforces why sacrificing security for convenience is made worse by the fact that it still does not encrypt video calls by default for the vast majority of its customers,” he said.

He added that building comms services upon secure open standards like WebRTC ensures “enterprise-grade security controls are turned on by default” and business is conducted “on a foundation of transparency and trust” with customers.


Got a comment?

Ian Taylor 11:32, 18 Jul 2019

Good points made here. WebRTC could have avoided the issue? What do YOU think?

  • Tsahi Levent-Levi 16:42, 18 Jul 2019

    Ian, WebRTC would make this question moot. There would be no need to install anything, hence no need for a local web server and no security risk of this kind.

    I’ve written about it here: https://bloggeek.me/zoom-app-vulnerability-shows-why-webrtc-is-important/

    That said, it doesn’t mean that WebRTC-based services are always secure. Just that they suffer from a different (smaller?) surface for potential attacks.
