In April 2019, Dropbox invited 45 hackers from 11 countries to an event in Singapore aimed at hacking Dropbox’s own products (Dropbox.com, Dropbox Paper, HelloSign), as well as those of its partners; all of this was part of its commitment to a policy of financially rewarding hackers who find vulnerabilities, so that they can be fixed more quickly.

Two of the invited hackers, while flying to Singapore from Australia, decided to test the software of one of those partners, a video call application called Zoom, which was still far from its current fame (which has since brought it millions of new users) but was already widely used by Dropbox employees.

They quickly discovered a serious vulnerability, one that allowed a potential attacker to take control of certain users’ Mac computers. Another guest at the event discovered a further vulnerability that allowed an attacker to secretly watch users’ video calls when they were using a Wi-Fi connection.

So when, faced with the string of cybersecurity and privacy scandals that Zoom has racked up in recent weeks, Silicon Valley investors come out in defense of the app claiming these issues were “unpredictable” because, during the current coronavirus crisis, it is being put to a use its developers never planned for (as did Alex Stamos, recently signed on as Zoom’s security advisor), other voices (such as those of former Dropbox engineers cited by the New York Times) insist that nothing here is ‘unpredictable’: Zoom has been dragging these problems along for at least a couple of years.

In fact, in 2018 Dropbox went so far as to build a Zoom clone (called ‘Vroom’) and encouraged its own staff to hack it as a way of reviewing its partner’s bad practices. The aforementioned ex-Dropbox engineers (who remain anonymous because they are bound by confidentiality clauses) also pointed to the slowness of their Zoom counterparts in fixing the bugs found during the Singapore hacking event: up to three months, in some cases.

Dropbox’s interest in Zoom – it is unusual for a company’s bug bounty program to also cover vulnerabilities in its partners’ products – had a double motivation: both the company itself and one of its executives, in a personal capacity, are Zoom investors; and, in addition, the integration Dropbox offers with Zoom video calls made it fear for the security of its own users.

Chris Evans, former chief security officer at Dropbox, says he has “no doubt that Zoom has been able to react to the current problem of ‘zoombombing’ thanks to Dropbox’s early interest in the application” and to all the suggestions they made to Zoom as a result. Zoom recently announced that for the next three months the application will stop adding new features and will subject its code to a security audit.

