Understanding LogMeIn's UCC Security Approach - GotoMeeting


From the GoTo Blog:

LogMeIn builds our collaboration solutions – like GoToMeeting, GoToWebinar, GoToConnect, Jive, and join.me – with security and privacy as core design tenets. From our code and system architecture, to our hosting and cloud infrastructure, to our secure development sites and locations, we develop and test our products to deliver the highest level of confidentiality, integrity and availability. Our solutions not only “just work,” they do so securely and reliably, for tens of millions of users around the globe every month.

Earlier this week, Jonathan Leitschuh, a software engineer and security researcher at Gradle Inc., released a security report (CVE-2019-13450) detailing security vulnerabilities in Zoom’s meeting product, and the company’s sluggish response to initial reports of this serious issue. The leadership of this company has also asserted that other software vendors in the industry expose their users to the same vulnerability.

To be perfectly clear, LogMeIn and our meeting products, including GoToMeeting, GoToWebinar, GoToTraining, GoToConnect and join.me, do not have this security design flaw. This flaw is not, and has never been, part of our products.

However, it is helpful to understand the report itself and why the approach has caused such concern. The root of the issue is a local web server that Zoom's native Mac client installs so that a web page can launch the Zoom app directly, bypassing the operating system's security controls. Because this web server sidesteps the browser's normal security checks, any web page can use it to activate the user's camera (and potentially execute other harmful code on the user's machine). Worse, when the client is uninstalled, this active web server is left behind on the machine.

LogMeIn also delivers simple meeting launching from a web browser, but does it in a much more secure way, using custom URI handlers. As Jonathan writes in his report: “Alternative methodologies like registering custom URI handlers (for example, a xxxx:// URI handler) with the browsers is a more secure solution. When these URI handlers are triggered, the browser explicitly prompts the user for confirmation about opening the app.” This is exactly how we launch an already installed LogMeIn application such as GoToMeeting and our other collaboration products.

This security posture never bypasses operating system or browser security controls. We take a similar stance towards privacy: video is not enabled by default, and our uninstallers always leave a clean machine behind.
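The report's point about a server surviving uninstall suggests a simple check an administrator can run after removing any collaboration client. The following script is an added example, not code from LogMeIn or from the CVE-2019-13450 report: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN`, keeps only sockets that a web page on the same machine could reach as `http://localhost:<port>/`, and flags those owned by a process whose name matches an application the operator says was removed. The embedded `lsof` sample, its process names (`ExampleApp`, `OldMeet`) and ports are constructed placeholders.

```python
"""Audit a host for loopback listeners left behind by an uninstalled app.

Added example (not LogMeIn's or the report's code). Parses lsof listener
output and reports browser-reachable sockets owned by a removed application.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the layout of `lsof -nP -iTCP -sTCP:LISTEN`.
# Process names, PIDs and ports are hypothetical placeholders.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ExampleApp 412  alice  12u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:40123 (LISTEN)
sshd       233  root    4u  IPv6 0x3c4d      0t0  TCP *:22 (LISTEN)
OldMeet    987  alice   9u  IPv4 0x5e6f      0t0  TCP 127.0.0.1:51515 (LISTEN)
nginx      301  root    6u  IPv4 0x7a8b      0t0  TCP 10.0.0.5:8080 (LISTEN)
"""

# Bind addresses that a browser on the same machine reaches as "localhost".
LOCAL_BINDS = {"127.0.0.1", "::1", "[::1]", "localhost", "*", "[::]", "0.0.0.0"}

# NAME column of a listening TCP socket, e.g. "TCP 127.0.0.1:40123 (LISTEN)".
LISTEN_RE = re.compile(r"TCP\s+(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)")


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    host: str
    port: int

    @property
    def reachable_from_browser(self) -> bool:
        """True if a page at http://localhost:<port>/ would reach this socket."""
        return self.host in LOCAL_BINDS


def parse_listeners(lsof_text: str) -> list[Listener]:
    """Parse lsof output; the header and non-LISTEN lines are skipped."""
    listeners: list[Listener] = []
    for line in lsof_text.splitlines():
        match = LISTEN_RE.search(line)
        if not match:
            continue
        fields = line.split()
        # COMMAND and PID are the first two columns. lsof escapes spaces
        # inside COMMAND as \x20, so whitespace splitting is safe here.
        command, pid = fields[0], int(fields[1])
        listeners.append(Listener(command, pid, match["host"], int(match["port"])))
    return listeners


def find_leftovers(listeners: list[Listener], removed_apps: list[str]) -> list[Listener]:
    """Browser-reachable listeners whose process name matches a removed app.

    Matching is a case-insensitive substring test, so "oldmeet" finds
    "OldMeet" as well as "OldMeetHelper".
    """
    needles = [app.lower() for app in removed_apps]
    return [
        ln for ln in listeners
        if ln.reachable_from_browser
        and any(needle in ln.command.lower() for needle in needles)
    ]


def live_leftovers(removed_apps: list[str]) -> list[Listener]:
    """Run lsof on this host and audit its real output.

    Returns an empty list when lsof is not installed; running as root gives
    visibility into other users' processes.
    """
    try:
        proc = subprocess.run(
            ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return []
    return find_leftovers(parse_listeners(proc.stdout), removed_apps)


if __name__ == "__main__":
    # Demonstrates on the constructed sample; swap in live_leftovers([...])
    # with the names of the clients you just uninstalled on a real host.
    for hit in find_leftovers(parse_listeners(SAMPLE_LSOF), ["OldMeet"]):
        print(f"leftover listener: {hit.command} (pid {hit.pid}) on {hit.host}:{hit.port}")
```

On the sample, only `OldMeet` on 127.0.0.1:51515 is reported; `nginx` is never flagged even when named, because a socket bound to a non-loopback address is not what a web page reaches through `localhost`. A hit means a process is still accepting connections after the application it belonged to was supposedly removed, which is exactly the condition the report describes and the one a clean uninstall must never leave behind.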

Additionally, we offer web clients for our products for scenarios where downloading an application is not an option or is restricted by security policy.

LogMeIn, with products like GoToMeeting, join.me and more, has long been the leader in secure professional meetings for millions of users, whether the concern is on-the-wire encryption, signed software images, role-based access, operational security, or compliance with SOC 2 and other regimes.

For more information, please download our security whitepaper, which describes our approach to confidentiality, integrity and availability, or check out LogMeIn’s Trust Center.