Various vulnerabilities have been exposed in the popular video service as people flock to Zoom during the COVID-19 outbreak.
The maximum number of daily participants on Zoom skyrocketed from 10 million in December to more than 200 million this month. But with popularity comes scrutiny, and security researchers quickly discovered massive holes in the video app’s security and privacy measures. Zoom will enact a 90-day feature freeze and conduct a third-party security review in order to improve its service, CEO Eric Yuan wrote in a letter to customers. That means Zoom will stop releasing updates that add new features to the service for the next three months. “We recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it,” Yuan admitted. He went on to list the actions Zoom will take to address lingering privacy and security shortcomings. They are as follows:
Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
Preparing a transparency report that details information related to requests for data, records, or content.
Enhancing our current bug bounty program.
Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
Engaging a series of simultaneous white box penetration tests to further identify and address issues.
Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.
Zoom privacy and security woes
Zoom has faced criticism in recent weeks after a seemingly endless string of vulnerabilities was discovered in the service. Yesterday, researchers found that the chat feature in the Zoom Windows client could be used by attackers to steal login credentials, because Zoom automatically rendered UNC paths posted in chat as clickable links; clicking one makes Windows try to authenticate to the remote share, exposing the user's login credential hash. On the same day, Motherboard discovered that Zoom was leaking the personal information of thousands of users to strangers. Zoom quickly responded and now claims to have fixed the UNC link issue.

But the list of problems facing the app goes on. Last week, the company removed the Facebook SDK from its iOS app after a Motherboard report found it was sending data to Facebook, even for Zoom users without a Facebook account. Then, on April 1, the company addressed a report from The Intercept that claimed its encryption policies were misleading. Zoom admitted it did not, as it had first claimed, support end-to-end encryption, and clarified that it uses TLS encryption.

Other concerns raised about Zoom include a vulnerability in the macOS Zoom installer, which uses an insecure API. When exploited, a bad actor could gain access to a victim’s computer and install malware or spyware. Also, Zoom is dealing with a new trend called “zoom-bombing,” in which people join a meeting for the sole purpose of harassing others.

As the problems surrounding Zoom stack up, people and businesses are taking action. For example, SpaceX has banned employees from using the video-conferencing service over “significant privacy and security concerns.” Zoom still has a long way to go before it can win back the trust of users who value their privacy and security. The next 90 days are crucial for Zoom, especially because keeping in touch with people is more important than ever before.
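To make the chat-link issue concrete, here is an added illustration (not Zoom's code and not from the article): a hypothetical chat-message renderer in Python showing the kind of auto-linking behaviour described above beside a hardened version that only links http(s) URLs, so a UNC path can never become something a user clicks. The function names, regexes and sample message are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical renderer for a chat client; constructed for this example.
# A UNC path such as \\host\share is the hazard the article describes: if the
# client renders it as a clickable link, a click makes Windows open an SMB
# connection to "host" and offer the user's credentials to it.
UNC_RE = re.compile(r"\\\\[\w.-]+\\\S+")
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://\S+")
SAFE_SCHEMES = {"http", "https"}  # allowlist: file:// also resolves to SMB on Windows

def classify(token: str) -> str:
    """Label one whitespace-separated token as 'unc', 'url' or 'text'."""
    if UNC_RE.fullmatch(token):
        return "unc"
    if URL_RE.fullmatch(token):
        return "url"
    return "text"

def _anchor(token: str) -> str:
    return f'<a href="{html.escape(token, quote=True)}">{html.escape(token)}</a>'

def linkify_naive(text: str) -> str:
    """Behaviour of the kind the article describes: every URL-like token,
    UNC paths included, becomes something the user can click."""
    return " ".join(
        _anchor(tok) if classify(tok) in ("unc", "url") else html.escape(tok)
        for tok in text.split(" ")
    )

def linkify_hardened(text: str) -> str:
    """Only http(s) URLs become links; UNC paths and other schemes stay as
    inert, escaped text, so a click can never start an SMB connection."""
    parts = []
    for tok in text.split(" "):
        if classify(tok) == "url" and urlsplit(tok).scheme.lower() in SAFE_SCHEMES:
            parts.append(_anchor(tok))
        else:
            parts.append(html.escape(tok))
    return " ".join(parts)

def count_links(rendered: str) -> int:
    """Number of anchors in a rendered message."""
    return rendered.count("<a href=")

# Constructed sample message mixing a normal URL, a UNC path and a file:// URL.
SAMPLE = r"agenda: https://example.com/meet notes: \\fileserver\share\notes.txt file://fileserver/share/x"
```

On the sample message the naive renderer produces three clickable links and the hardened one produces only the https link; the UNC path and the file:// URL survive as plain text.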