Your average user takes it for granted that websites know when you've visited before, whether you were logged in and even what you had in your basket last time you shopped. In most cases this magic customisation is possible through the use of Cookies. Cookies are small pieces of information that are stored on devices by websites in order to identify users - this allows websites to customise the content they deliver to each person.
Although some functionality afforded by cookies can be helpful in increasing the security and accessibility of websites, there have long been privacy concerns with companies being able to track you across the Internet. Many concerns are related to the use of tracking and advertising cookies, and how companies use and abuse this data to manipulate customers. Since the introduction of the ePrivacy Directive and the GDPR, cookies have received a lot of attention in discussions about online privacy.
During the last month, Threatspike EDR detected the widely used Zoom Windows client accessing the Google Chrome cookie file during the uninstall process.
This was flagged as suspicious behaviour and we decided to get to the bottom of why this access was taking place and whether there was any malicious intent.
We carried out the following steps:
- started with a clear Cookie file;
- downloaded the Zoom application;
- accessed the zoom.us website;
- accessed several websites, including uncommon ones;
- saved a list of cookies;
- uninstalled Zoom; and
- saved a new list of cookies to identify changes made by Zoom.
Zoom cookies are firstly written when the user connects to the website zoom.us and accepts the cookies options. Some extra cookies are added when the user logs in to the website.
This behaviour is generally expected. The surprising thing comes when a user tries to uninstall the Zoom client from a Windows machine. The file install.exe is seen accessing the user's Chrome Cookies file and reading parts of the file that do not contain Zoom related information.
We decided to look closer at the read operations performed during the uninstall process. The question we wanted to answer was: is Zoom purposely and selectively accessing cookies from other websites?
The above mentioned procedure was repeated with files containing different amounts of cookies and belonging to different websites. The reason for accessing unrelated websites (such as the Hackney council, an Italian supermarket and a famous popstar fan page) is that it is unlikely Zoom would want to selectively store the information contained in these cookies. From our tests we found that the cookie files were accessed through the same pattern where cookies were read in a non selective manner. We, therefore, concluded that the behaviour observed in the above image could be attributed to a binary tree search to find the Zoom cookie, rather than Zoom looking to access (and possibly steal) other cookies.
Nevertheless, an anomalous and interesting aspect of the uninstall process was observed by comparing the cookie file before and after uninstalling the desktop app. The installer.exe process is seen writing the following new cookies.
The cookies with no expiration date (also known as session cookies) will be removed from the cookie history when the browser is closed. On the other hand, NPS_0487a3ac_throttle, NPS_0487a3ac_last_seen, _zm_kms and _zm_everlogin_type do have expiry dates. In particular, the latter has a duration set to 10 years.
Based on the name of this cookie “everlogin” it is assumed that this stores information about whether the user has ever logged into Zoom. The fact a process would store this information when the application is being uninstalled (i.e. when the user has decided not to use it any more) is, to say the least, questionable. Keeping this information for 10 years is clearly not in compliance with the ePrivacy Directive:
All persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.
Keeping track of users activity on the internet is not bad in itself. However, the average users will not dig much deeper into the meaning of the “Accept all cookies” button they see so often. It is, therefore, companies’ responsibility to respect what is recommended by pieces of legislation such as the ePrivacy Directive and the GDPR and ensure that everyone has a fair experience on the Internet.
Findings like this one make you question the integrity of widely used online services in the protection of user’s data and their privacy.
from Hacker News https://ift.tt/2QxP25q
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.