Series of Zoom privacy and security issues causes headaches for the company
Photos and email addresses of thousands of Zoom users have been exposed to strangers, allowing them to connect over a video call. Zoom, a company that offers video-conferencing tools to individuals and businesses, is subject to another data breach. Recently, the company apologized for inadvertently sharing user data with Facebook.
Zoom leaks email addresses and photos
Remote video conferencing tools such as Zoom and Microsoft Teams continue to witness an increased demand in the wake of the coronavirus outbreak. Due to the ongoing outbreak, companies around the world have asked their employees to work remotely from their homes, causing a surge in demand for services like Zoom.
A bug in Zoom's Company Directory setting may have enabled thousands of users to add strangers to their list of contacts, Motherboard reports. It affects users who signed up for a Zoom account using an email address that shares the same domain.
Sharing email addresses of people working in the same company as yours may help you locate your colleagues on Zoom and vice versa, even though you may not necessarily want everyone in your organization to view your email address or even worse, your profile picture.
Worse, the bug even affected some individuals who signed up using their email addresses, mistakenly identifying them as co-workers and exposing their personal information, including their photos, to one another.
“By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section”
The report suggests this is not true and that Zoom’s contacts directory doesn’t always exempt publicly used domains in the Company Directory section. Meanwhile, Zoom has yet to issue a clarification.
Last week, Zoom was caught sharing user data from its iOS app to Facebook, irrespective of the fact that not all Zoom users had a Facebook account. Zoom later acknowledged and fixed the issue by making changes to how it uses Facebook’s SDK.
Zoom calls don’t use end-to-end encryption
Meanwhile, there are multiple reports raising concerns about Zoom not using end-to-end encryption on video meetings. Zoom has clarified the situation and acknowledged that it incorrectly suggested meetings were capable of using end-to-end encryption.
“To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”
Zoom could steal Windows credentials
Zoom’s Windows client is susceptible to a vulnerability that could allow attackers to steal your Windows credentials, reports BleepingComputer. A security bug in the Zoom Windows client leads to UNC path injection in the client’s chat feature. In addition to converting URLs in chat into hyperlinks, Zoom allegedly converts Windows networking UNC paths into clickable links, which ultimately compromises Windows network credentials.
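One way a chat renderer can avoid this class of bug is to linkify only http(s) URLs and leave UNC-style paths as inert text. The sketch below is an added example, not code from Zoom or from the original article; the function names, patterns and sample messages are constructed for illustration.

```python
import re
from html import escape

# Only http(s) URLs are ever rendered as clickable links.
WEB_URL = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

# UNC-style references: \\host\share, //host/share (not part of a URL),
# and file: URLs, which can also point at a remote host.
UNC_LIKE = re.compile(
    r"(?<![\w:/\\])(?:\\\\|//)[^\s\\/]+(?:[\\/]\S*)?|\bfile:\S+",
    re.IGNORECASE,
)


def find_unc_paths(message: str) -> list[str]:
    """Return UNC-style paths found in a chat message, for logging or alerting."""
    return [m.group(0) for m in UNC_LIKE.finditer(message)]


def render_chat_message(message: str) -> str:
    """HTML-escape a message and linkify http(s) URLs only.

    UNC paths and file: URLs stay as escaped plain text, so they are
    never clickable in the rendered chat.
    """
    out, pos = [], 0
    for m in WEB_URL.finditer(message):
        out.append(escape(message[pos:m.start()]))
        url = escape(m.group(0))
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(escape(message[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages; the host names are placeholders.
    samples = [
        r"notes are at \\fileserver.example\share\notes.txt",
        "agenda: https://example.com/a//b",
        "open file://fileserver.example/share/x",
    ]
    for s in samples:
        print(find_unc_paths(s), "->", render_chat_message(s))
```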
The Federal Bureau of Investigation (FBI) has issued a warning about ‘Zoombombing’ after multiple Zoom users reported incidents in which trolls hijacked Zoom calls and played adult videos.
Tanmay loves writing about Technology, Internet, Apps, Social Media, and Cybersecurity. He also tracks OTT video content streaming space and likes to spend his weekends watching plays. You can contact him on Twitter @techtsp.