
Glad to see the company is changing course, but I’m not sure it would have happened without the public shaming. I want companies to fix things because something is insecure and it endangers the public, not because they have their feet to the fire.

I know companies don’t always respond right the first time, I know I haven’t, but Zoom had over 90 days to consider their responses and possible options / software changes. Instead, they were dismissive of the entire thing and only changed course after loud public pressure.



> but I’m not sure it would have happened without the public shaming.

It wouldn’t. From the article:

> The move is a surprise reversal of Zoom’s previous stance, in which the company treated the vulnerability as “low risk” and defended its use

They’re backpedaling because of the bad press, not because they think this is better for users. And if they don’t believe what they did was wrong (if they did, they would have never done it or would have fixed it previously), it’s just a matter of time until they pull other crap like this. This is not the only user-hostile behaviour of their app[1], it’s just the most egregious we know of.

[1]: https://news.ycombinator.com/item?id=20390613


What's scary is that they have a bounty program but it comes with a gag catch.


Most corporate bounty programs are going to include an NDA and following their release schedule. No corporate legal department is going to sign off on a bounty program that would both pay third parties for bugs and allow outside researchers to unilaterally decide when to disclose the bug to a wider audience.


They include an NDA, but a time-limited one - i.e. they require the researcher to give them a period of time (usually 90 days or more) to create, test, and deploy a fix, after which time the researcher can publish. Zoom's NDA was a permanent gag order, which puts no pressure on the company to actually fix the issue and doesn't alert laggard users that they need to update their software.


They weren't going to fix it without the bug being made public.


This seems par for the course for their support. I tried to report that their signup form automatically, silently deletes spaces from your password (!?). After a painful process of trying to explain the issue, it was summarily ignored.

They didn't really seem to understand that it was a bug.


Is noisily deleting passwords acceptable in your eyes?

(i.e. "Your password contains spaces, which is disallowed by our policy. Please try again.")


It's annoying in either case. Passwords should be any string I want! You're just going to hash it anyway.

I found it particularly egregious that Zoom's form auto-trims any spaces from the end of the string - so they are deleted as you type with no feedback (unless you happen to be watching the dots flicker).


> You're just going to hash it anyway

Wow, you're optimistic :)


I remember when I started out with SQL databases, someone managed to hack the site using SQL injects. So I made a SQL sanitation function, but soon enough someone complained that they couldn't have escape characters in their password. =) Nowadays I always use a library that parameterizes all SQL variables to avoid SQL injections.


Does it matter? I mean is there another way of entering this string which preserves the spaces, or is deleting them just part of the hash function?


Yes, you can paste a string with internal spaces. I guess you can also disable JS and type whatever you want. Passwords with spaces work absolutely fine, too - it's just the signup form that is broken.


They probably had too many people accidentally copy-pasting strings with spaces into the form. Like the good old "double click to select a word" also picking up the space after the word.

The reason I can empathize with your complaint is it being highly unlikely they are able to keep those restrictions consistent across all password forms & login methods.


And this is why anyone who trusts that organization in any way moving forward is a fool.


Nah, leadership can change, see Microsoft and Apple.


The Microsoft telemetry spyware was completely opaque and they kept changing it to work around users blocking it until they were shamed into publishing almost everything they collect. One still can't turn it off.

Apple usually needs to be shamed into admitting to and repairing any broken hardware design. They had to be sued in multiple countries to stop misleading customers to buy AppleCare and allow them to use the warranty guaranteed by law.


That’s more of a reason not to trust anything ever. If leaders change for the worse, your investment in the company gets screwed no matter how well they’d done previously. And that investment can be stocks or it can be data, to give an example which you can’t just pull.


Leaders influence company culture but it's also a self-feedback loop where leaders that fit the company culture end up being leaders in the first place. To break that feedback loop and change course is usually a conscious choice for a company. Even then leadership change and direction at the top is only one of the many signals. It's entirely possible for Zoom's CEO to be a security minded person and the PM/Infosec person who reviewed the security report decided it's not a flaw worth patching.


Slow degradation to industry standards is the norm not the exception. That accelerates with growth as the original culture gets diluted.


Microsoft and Apple have barely changed in all the ways they are bad though. Specifically Microsoft has just moved to a different place in the embrace expand extinguish cycle. Give it a few years and everyone will hate them again (and maybe be surprised that it happened at all) because they did something unethical.


I think that we'll never see the same feelings about Microsoft as existed in its heyday precisely because those feelings weren't just about what Microsoft tried to do, but actually about what it did. Microsoft will (probably) never again enjoy the hegemony it once did; so, however evilly it acts, it'll never be able to translate its evil deeds into the same impact that they once had.


Companies are not interested in not endangering their users. They only care about making money. So you have to make endangering their users negative on their bottom line.

This is a perfectly workable system that does not require any party to not be selfish. It's a much better system than those that require somebody to be 'good' rather than 'rational'.


Yeah this, like Superhuman, is about damage control, not a fundamental desire to do the right thing.


This is typically what laws are for. Sadly, those of us in the Land of the Free will probably have to wait a decade or two to get anything reasonable, so I fully expect this trend to continue as-is for now.



