Zoom's security and privacy problems are snowballing

Authored by businessinsider.com and submitted by maxwellhill

The videoconferencing service Zoom faces multiple reported security issues as both use and scrutiny increase.

In a 48-hour period, reports surfaced that Zoom didn't use end-to-end encryption for its video meetings and had leaked thousands of email addresses to strangers.

Compounding its security woes, the Windows version of Zoom is reportedly vulnerable to attackers who could send malicious links to users' chat interfaces and gain access to their email passwords.


It looks as if Zoom's security problems are snowballing.

According to a Tuesday article from Motherboard, the video-call service inadvertently exposed the personal email addresses and photos of thousands of people. Zoom's "Company Directory" feature automatically groups together users who share the same email domain; as such, it's meant to make it easier for work colleagues to find one another.

But since at least mid-March, Twitter users have reported that, despite registering with Zoom using their personal email addresses, Zoom grouped them with thousands of others as if they all worked for the same company, thereby exposing their personal information.

After Motherboard raised concerns with Zoom, a Zoom representative said the company maintained a "blacklist" of domains and "regularly proactively identifies" domains to be added, adding that it had since blacklisted the specific domains highlighted by Motherboard.

The Intercept also reported Tuesday, however, that Zoom didn't use end-to-end encryption on video meetings, despite using the term frequently in its marketing materials. End-to-end encryption would ensure that neither external attackers nor Zoom itself could access the contents of a video meeting. Instead, Zoom offers a form of encryption called "transport encryption." This theoretically scrambles the content for external attackers, but not for Zoom itself.

Zoom told The Intercept in a statement that it did not directly access users' data.

Finally, cybersecurity researchers have found the Windows version of Zoom is vulnerable to attackers who could send malicious links to users' chat interfaces and gain access to their network credentials.

According to ZDNet, the flaw that enables this was first discovered and publicized on Twitter by a cybersecurity researcher going by the alias @_g0dmode. The flaw has since been illustrated and publicized further by another cybersecurity researcher, Matthew Hickey.

Zoom has not yet responded to news of the Windows flaw.

Zoom has witnessed a boom in popularity amid the coronavirus outbreak. In a note seen by CNBC in late February, analysts at Bernstein said the service had added 2.22 million monthly active users so far in 2020 — more than the 1.99 million it added in the whole of 2019.

But the increased popularity also means greater scrutiny.

A Princeton computer-science professor, Arvind Narayanan, criticized Zoom for having multiple security issues, describing its service as "malware" in a tweet Tuesday. "The problems aren't new but suddenly everyone is forced to use Zoom," he added in a follow-up. "That means more people discovering problems and also more frustration because opting out isn't an option."

Other security researchers are more circumspect, saying there should be "less hysteria" around the service. "Users sacrifice far more privacy using services like Facebook, WhatsApp, Gmail, Google Search, and even commercial operating systems, than they do by using Zoom," Charl van der Walt, the head of research at Orange Cyberdefense, told Business Insider.

Zoom did not immediately respond to Business Insider's request for comment.

TheGreatBwaBwa on April 2nd, 2020 at 16:01 UTC »

I can see someone there saying "this is a problem brought on by mass use and being popular. This is a good problem to have"

Lol

sumelar on April 2nd, 2020 at 14:43 UTC »

Never heard of zoom til we used it for a D&D game last weekend, now it's goddamned everywhere.

bartturner on April 2nd, 2020 at 13:21 UTC »

I love it. Only because it is a live example on the issue with security through obscurity.

Zoom has always been extremely insecure. But people did not realize until it became popular and people did some actual looking.

It is why security through obscurity is so, so, so bad.