Two years ago, after Facebook’s Cambridge Analytica scandal came to the fore, there was a new story of the social network’s privacy and security mishap every other day. In the past couple of weeks, video conferencing Zoom has found itself in a similar boat.
Security researchers and experts have found multiple holes in the app in terms of data privacy and security. Some of them have also asked users to stay away from the service and find alternatives. In this story, we’re going to explore what happened to Zoom, and whether you need to avoid the platform completely.
The rise and disasters
Last month, as coronavirus pandemic began to spread rapidly across the world, a lot of countries announced lockdowns to flatten the curve, and control the number of cases. With more and more people working from home, apps like Zoom became very handy for meetings. The app’s userbase shot up from 10 million to 200 million daily active users in March.
But with its exponentially rising popularity, Zoom’s privacy and security loopholes began to show up. Earlier last month, digital privacy organization Electronic Frontier Foundation (EFF) pointed out some shocking problems in the platform. First, a meeting’s host had the ability to track participants’ attentiveness through a special feature. Second, if you record any calls, admins of the call or your company can access all of its content. What’s more, for every meeting, admins can capture your data such as operating system, IP address, location data, and device information of each participant.
Later in the month, after several reports, the company said the attention tracking feature is off by default — not a very satisfying answer.
Hi, attention tracking feature is off by default – once enabled, hosts can tell if participants have the App open and active when the screen-sharing feature is in use. It does not track any aspects of your audio/video or other applications on your window. https://t.co/sWWfrsXe42
— Zoom (@zoom_us) March 22, 2020
In the middle of the month, Zoom meeting attendees started facing a rather strange problem — Zoombombing. The term originated from phenomena of hackers hijacking video conferences to show porn. As TechCrunch noted in a story, you need to disable anyone taking control of the screen, sharing files without permission moderators, and a bunch of other settings prior to the call.
Then came the security risks. Last week, Zoom’s iOS app was found secretly sending your data to Facebook; the company later removed the code responsible for that. Earlier this week, Motherboard’s Joseph Cox reported that the video conferencing app was leaking people’s email addresses and photos to strangers, if they were under the same company.
Days later, Bleeping Computer reported that Zoom’s Windows client could be hacked to steal passwords. In separate research, The Intercept found that despite the company’s claim, its meetings are not encrypted end-to-end.
Software engineer Felix Seele also noted that Zoom’s client for macOS stealthily works around the system’s default installer in a similar manner to a malware.
Ever wondered how the @zoom_us macOS installer does it’s job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
Patrick Wardle, the principal security researcher at Jamf, also pointed out two zero-day bugs that allowed a local attacker — someone who already has control of the system — to install malware and gain control of mic and webcam to arbitrarily record footage.
Security researcher Troy Hunt said Zoom is under the spotlight because it has suddenly gained popularity, and we might see similar incidents if another app becomes popular:
Zoom is coming under the spotlight as it’s suddenly had a meteoric and unexpected growth in adoption. Most of what we’re seeing isn’t unique to their platform; terms and conditions that are favourable to them in terms of how they handle data, obscure vulnerabilities unearthed once there’s more focus on the platform, abuse of the service as more people use it etc. If another service gains popularity, I have no doubt we’ll see similar findings.
This sudden influx of privacy and security faults can be a result of a large number of people using the app, and more cybersecurity experts looking at the app closely.
What is the company doing
Earlier this week, Zoom’s CEO, Eric Yuan, wrote a lengthy blogpost that apologized for the company’s security fuck-ups, and said it’s going to take a number of steps to ensure that its customers have a better experience:
- The company’s freezing all the features for 90 days and committing to enhancing the security of the platform.
- It has fixed most of the aforementioned bugs.
- It’s enhancing its bug bounty program and conducting a thorough security review via third-party experts.
- The company wrote a separate blog post to clear up confusion related to is encryption standards.
- Yuan is hosting a weekly privacy review call on every Wednesday.
While these are some welcome steps, Wardle thinks we might see more bugs in coming weeks:
Zoom is a relatively young company, and like a lot of companies, was focused on building features instead of looking at its privacy and security. So, we might see more vulnerabilities uncovered in the coming weeks. However, Zoom’s recent steps and quick bugfixes are in the right direction, and we may see the number of flaws reduce over time.
We’ll have to keep a close eye on those weekly calls to monitor the company’s responses to newly found bugs.
So should you use Zoom?
The advantage of using Zoom is that it’s quick to set up and use. Plus, it’s available across multiple platforms. So, there’s no wonder people prefer its meetings and online classrooms.
EFF told me in a statement that people are rightfully worried about their privacy:
COVID-19 has forced many people to work from home, and many are relying on Zoom to do their jobs, do their school work, and stay in touch with loved ones. Users are rightfully concerned about the privacy and security risks of using Zoom and other videoconferencing apps.
We’re troubled by reports that Zoom was sharing analytics data about users with Facebook. We still don’t know to what extent Zoom shares user information with other third parties.
However, while the company has responded to the backlash in a right way, hackers are trying to find new ways to exploit Zoom. As ZDNet pointed out in a report, pranksters are creating dedicated channels on Reddit, Discord, and various hacking forums to form raiding parties.
Cybersecurity firm Checkpoint noted in a report last week, that this year, the number of domain names registered with “Zoom” has surged past 1,7000 — with 25% of them registered last week.
So, in case you’re going to discuss sensitive information over a video call, it’s better to avoid Zoom for now and opt for a more secure alternative like Cisco’s Webex.
In case you’re using Zoom, you can use thesehandy guides to make your call more secure. While these video conferencing apps are quite useful for you to communicate with colleagues or friends during the lockdown, it’s important for you to take a good look at how they protect your data.
Zoom’s current set of problems looks quite bad, but if the company can act swiftly and communicate in a transparent way, it can salvage its reputation, and become the top choice for remote meetings for people again.