- The videoconferencing service Zoom faces multiple reported security issues as both use and scrutiny increase.
- In a 48-hour period, reports surfaced that Zoom didn’t use end-to-end encryption for its video meetings and had leaked thousands of email addresses to strangers.
- Compounding its security woes, the Windows version of Zoom is reportedly vulnerable to attackers who could send malicious links to users’ chat interfaces and gain access to their email passwords.
It looks as if Zoom’s security problems are snowballing.
According to a Tuesday article from Motherboard, the video-call service inadvertently exposed the personal email addresses and photos of thousands of people. Zoom’s “Company Directory” feature automatically groups together users who share the same email domain; as such, it’s meant to make it easier for work colleagues to find one another.
But since at least mid-March, Twitter users have reported that, despite registering with Zoom using their personal email addresses, Zoom grouped them with thousands of others as if they all worked for the same company, thereby exposing their personal information.
After Motherboard raised concerns with Zoom, a Zoom representative said the company maintained a “blacklist” of domains and “regularly proactively identifies” domains to be added, adding that it had since blacklisted the specific domains highlighted by Motherboard.
The Intercept also reported Tuesday, however, that Zoom didn’t use end-to-end encryption on video meetings, despite using the term frequently in its marketing materials. End-to-end encryption would ensure that neither external attackers nor Zoom itself could access the contents of a video meeting. Instead, Zoom offers a form of encryption called “transport encryption,” which in theory scrambles the content for external attackers but not for Zoom itself.
Zoom told The Intercept in a statement that it did not directly access users’ data.
Finally, cybersecurity researchers have found the Windows version of Zoom is vulnerable to attackers who could send malicious links to users’ chat interfaces and gain access to their network credentials.
According to ZDNet, the flaw that enables this was first discovered and publicized on Twitter by a cybersecurity researcher going by the alias @_g0dmode. The flaw has since been illustrated and publicized further by another cybersecurity researcher, Matthew Hickey.
Zoom has not yet responded to news of the Windows flaw.
Zoom has witnessed a boom in popularity amid the coronavirus outbreak. In a note seen by CNBC in late February, analysts at Bernstein said the service had added 2.22 million monthly active users so far in 2020 – more than the 1.99 million it added in the whole of 2019.
But the increased popularity also means greater scrutiny.
A Princeton computer-science professor, Arvind Narayanan, criticised Zoom for possessing multiple security issues, describing its service as “malware” in a tweet Tuesday. “The problems aren’t new but suddenly everyone is forced to use Zoom,” he added in a follow-up. “That means more people discovering problems and also more frustration because opting out isn’t an option.”
Other security researchers are more circumspect, saying there should be “less hysteria” around the service. “Users sacrifice far more privacy using services like Facebook, WhatsApp, Gmail, Google Search, and even commercial operating systems, than they do by using Zoom,” Charl van der Walt, the head of research at Orange Cyberdefense, told Business Insider.
Zoom did not immediately respond to Business Insider’s request for comment.