Collaboration Platforms at Risk of Security Flaws
Vulnerabilities could expose UC users’ personal data to hackers and allow eavesdropping
Developers should put more effort into securing communications platforms against the loss of data belonging to users and to a business’s customers, according to industry figures.
Recently, there have been a number of reports of communications platforms having significant security vulnerabilities associated with the storage of, or access to, user data. The platforms affected include Slack, WhatsApp, Telegram, Instagram, Snapchat, Zoom and others.
Symantec exposed a vulnerability associated with the secure messaging apps WhatsApp and Telegram, on the heels of news of a severe security vulnerability in Zoom.
The bugs in WhatsApp and Telegram stem from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.
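One way an app can detect a media file that changed in the gap between write and display is to record a digest when it writes the file and verify that digest when it loads the file. The sketch below is an added illustration, not code from WhatsApp, Telegram or Symantec; the `MediaStore` class, the file name and the sample bytes are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


class MediaStore:
    """Records a SHA-256 digest when media is written and re-checks it at load."""

    def __init__(self, directory):
        self.directory = directory
        # Assumption: digests are kept where other apps cannot write
        # (process memory here; app-private storage in a real client).
        self._digests = {}

    def save(self, name, data):
        path = os.path.join(self.directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        self._digests[name] = hashlib.sha256(data).digest()
        return path

    def load(self, name):
        with open(os.path.join(self.directory, name), "rb") as fh:
            data = fh.read()
        expected = self._digests.get(name)
        actual = hashlib.sha256(data).digest()
        if expected is None or not hmac.compare_digest(expected, actual):
            raise ValueError(f"{name}: content changed between write and load")
        # Hand these verified bytes to the UI; re-reading the file would
        # reopen the same gap.
        return data


def demo():
    """Returns (clean_load_ok, change_detected) for a constructed sample file."""
    sample = b"constructed sample image bytes"
    with tempfile.TemporaryDirectory() as shared_dir:
        store = MediaStore(shared_dir)
        path = store.save("photo.jpg", sample)
        clean_ok = store.load("photo.jpg") == sample
        # Simulate a second writer altering the file before it is displayed.
        with open(path, "wb") as fh:
            fh.write(b"constructed replacement bytes")
        try:
            store.load("photo.jpg")
            detected = False
        except ValueError:
            detected = True
        return clean_ok, detected
```
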
In an interview with UC Today, Chris Howell, CTO and co-founder of end-to-end encryption platform Wickr, said that such platforms are years in development and run to millions of lines of code. All this code requires many developers, development managers, product teams, QA teams, infrastructure teams, support teams, processes and procedures to maintain it.
It is in that code where the security issues crop up.
“Security bugs generally have significant user impact in terms of loss of privacy, etc., which also makes them more ‘lucrative’ for bad actors to find,” he said.
“It’s harder to test for security bugs, too, which means absent specific skill and attention, the quality of security testing on the whole is probably lower vs. functional testing at most organisations.”
He said that his company has spent a lot of time building a security test program, which has many facets, “from security unit testing by developers to white box penetration testing by third parties, both formally engaged and via bug bounty programs. It takes that kind of broad base effort”.
Howell added that testing that is part of the development process is probably the most effective, but it is also hard to measure and almost always the first thing that gets cheated when deadlines loom. “Then, when bugs are found in production, it’s typically QA testing (the last round of testing) that’s scrutinised, which isn’t necessarily the best place to point the finger,” he said.
Lifesize’s CEO, Craig Malloy, told UC Today that security is too often an afterthought in video communication:
“While the user experience is undeniably important, it means absolutely nothing if customers can’t trust that their critical business communications and sensitive data are protected in the most responsible, secure ways possible.”
“The Zoom exploit method reported further reinforces why sacrificing security for convenience is made worse by the fact that it still does not encrypt video calls by default for the vast majority of its customers,” he said.
He added that building comms services on secure open standards like WebRTC ensures “enterprise-grade security controls are turned on by default” and that business is conducted “on a foundation of transparency and trust” with customers.