
GoTo Sends Its Customers A Note On Video Conference Security….. To Throw Some Shade On Zoom Perhaps?

Posted in Commentary on July 11, 2019 by itnerd

Zoom, which has had a couple of issues this week that made the news, and which did get fixed by Zoom and Apple, may now be having its competitors throw some shade on it. Case in point is GoTo, which owns GoToMeeting and GoToWebinar, among other products. I was tipped off by a reader that they got an email that takes you to this blog entry, which details why their security is better than Zoom’s security:

To be perfectly clear, LogMeIn and our meeting products, including GoToMeeting, GoToWebinar, GoToTraining, GoToConnect and join.me, do not have this security design flaw. This flaw is not, and has never been, part of our products.

However, it is helpful to understand the report itself and why the approach has caused such concern. The root of the issue is a web server which is installed as part of Zoom’s native Mac client to allow it to launch the Zoom app from a web page, bypassing the operating system’s security controls. By bypassing normal browser-based security, this web server can be used to activate/trigger the user’s camera (and potentially execute other harmful code on the user’s machine). Worse, when the client is uninstalled, this active webserver is left behind on the machine.

LogMeIn also delivers simple meeting launching from a web browser, but does it in a much more secure way, using URI handlers. As Jonathan writes in his report: “Alternative methodologies like registering custom URI handlers (for example, a xxxx:// URI handler) with the browsers is a more secure solution. When these URI handlers are triggered, the browser explicitly prompts the user for confirmation about opening the app.” This is exactly how we handle our launch of an already installed LogMeIn application such as GoToMeeting and our other collaboration products.

This security posture avoids bypassing operating system or browser security controls. We take a similar stance towards privacy with things like video (we do not enable video by default) and always offering clean uninstalls.

Additionally, we offer the web clients for our products that can be used in scenarios where downloading an application is not an option or is security restricted.

So. I’ll ask the question. Is this informational to reassure customers that GoTo products are secure? Or is this meant to throw a bit of shade on Zoom? Or perhaps both? I guess it depends on your perspective. But I do expect others who are in the video conferencing game to join in on the fun and perhaps do the same thing that GoTo is doing in some form.