- Videoconferencing service Zoom faces multiple reported security issues as both usage and scrutiny increase.
- In the last 48 hours, reports surfaced that Zoom doesn’t use end-to-end encryption for its video meetings and that it leaked thousands of email addresses to strangers.
- Compounding its security woes, the Windows version of Zoom is reportedly vulnerable to attackers who could send malicious links to users’ chat interfaces and gain access to their email passwords.
It looks like Zoom’s security problems are snowballing.
According to a Tuesday article from Motherboard, the video-call service inadvertently exposed the personal email addresses and photos of thousands of people. Zoom’s “Company Directory” feature automatically groups together users who share the same email domain; as such, it’s meant to make it easier for work colleagues at individual companies to find each other.
But since at least mid-March, Twitter users have reported that, despite registering with Zoom using their personal email addresses, Zoom grouped them with thousands of others as if they all worked for the same company, thereby exposing their personal information to each other.
After Motherboard raised concerns with Zoom, a Zoom spokesperson said it maintains a “blacklist” of domains and “regularly proactively identifies” domains to be added, adding that it has since blacklisted the specific domains highlighted by Motherboard.
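The failure mode described above, grouping by email domain with a list of excluded domains, can be modelled in a few lines. This is an added illustration, not Zoom's code: the addresses, domains, function names and the verified-domain alternative are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data: addresses and domains are invented for illustration.
USERS = [
    "alice@corp.example", "bob@corp.example",
    "carol@bigmail.example", "dave@bigmail.example",
    "erin@small-isp.example", "frank@small-isp.example",
]
# Hypothetical denylist of known public mail providers.
PUBLIC_DENYLIST = {"bigmail.example"}
# Hypothetical set of domains an organisation has proven it controls.
VERIFIED_ORG_DOMAINS = {"corp.example"}


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[1].lower()


def directory_denylist(users, denylist):
    """Default-allow: group every domain unless it is on the denylist."""
    groups = defaultdict(list)
    for u in users:
        d = domain_of(u)
        if d not in denylist:
            groups[d].append(u)
    return dict(groups)


def directory_allowlist(users, verified):
    """Default-deny: group only domains verified as belonging to one organisation."""
    groups = defaultdict(list)
    for u in users:
        d = domain_of(u)
        if d in verified:
            groups[d].append(u)
    return dict(groups)


def exposed_strangers(groups, verified):
    """Users placed in a shared directory for a domain no organisation verified."""
    return sorted(u for d, members in groups.items()
                  if d not in verified and len(members) > 1 for u in members)


if __name__ == "__main__":
    deny = directory_denylist(USERS, PUBLIC_DENYLIST)
    allow = directory_allowlist(USERS, VERIFIED_ORG_DOMAINS)
    print("denylist model exposes:", exposed_strangers(deny, VERIFIED_ORG_DOMAINS))
    print("allowlist model exposes:", exposed_strangers(allow, VERIFIED_ORG_DOMAINS))
```

In the denylist model, any shared personal-mail domain that nobody has listed yet still groups its users together, which is why adding domains after each report never closes the gap.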
Meanwhile, The Intercept also reported Tuesday that Zoom doesn’t use end-to-end encryption on video meetings, despite using the term frequently in its marketing materials. End-to-end encryption would ensure that neither external attackers nor Zoom itself could access the contents of a video meeting. Instead, Zoom offers another form of encryption called “transport encryption,” which in theory scrambles the content for external attackers but not for Zoom itself.
Zoom told The Intercept in a statement that it does not directly access users’ data.
Finally, cybersecurity researchers have found the Windows version of Zoom is vulnerable to attackers who could send malicious links to users’ chat interfaces and gain access to their network credentials.
According to ZDNet, the flaw that enables this was first discovered and publicized on Twitter by a cybersecurity researcher going by the alias @_g0dmode. The flaw has since been illustrated and publicized further by another cybersecurity researcher, Matthew Hickey.
Zoom has not yet responded to news of the Windows flaw.
Zoom has witnessed a boom in popularity amid the coronavirus outbreak. In a note seen by CNBC, analysts at Bernstein said it’s added 2.22 million monthly active users so far in 2020 – more than the 1.99 million it added in the whole of 2019.
But the increased popularity also means greater scrutiny.
Princeton computer science professor Arvind Narayanan criticized Zoom for possessing multiple security issues, describing its service as “malware” in a tweet Tuesday. “The problems aren’t new but suddenly everyone is forced to use Zoom. That means more people discovering problems and also more frustration because opting out isn’t an option,” he added in a follow-up.
Other security researchers are more circumspect, stating that there should be “less hysteria” around the service. “Users sacrifice far more privacy using services like Facebook, WhatsApp, Gmail, Google Search, and even commercial operating systems, than they do by using Zoom,” Charl van der Walt, head of research at Orange Cyberdefense, told Business Insider.
Zoom did not immediately respond to Business Insider’s request for comment.