Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.
Zoom vows to win back user trust with extensive security review
The company is under pressure to fix numerous privacy issues.
Zoom has promised to deal with privacy issues exposed by consumers and security experts since the start of the coronavirus pandemic. In a blog post, Zoom CEO Eric S. Yuan said the company will dedicate all of its engineering resources to fixing its "biggest trust, safety, and privacy issues." The work will include a "comprehensive review" with third-party experts to "understand and ensure the security of all of our new consumer use cases."
The investigation will be backed up by transparency report that lists requests for data, he said, an enhanced bug bounty program, as well as a series of white box penetration tests — an approach that gives the tester full knowledge of the company's infrastructure and application source code. In addition, Zoom has vowed to launch a CISO (chief information security officer) council with representatives fro across the industry to "facilitate an ongoing dialogue regarding security and privacy best practices."
Zoom's growth during the spread of COVID-19 has been phenomenal. According to Yuan, the number of free and paid users participating in daily meetings rose from 10 million last December to 200 million last month. The service has attracted users due to its simple interface, cross-platform availability, decent call quality and customisable backgrounds. Alternatives exist, including Skype, Google Duo and Hangouts Meet, Discord and Microsoft Teams, but none of them have seen the same level of uptake.
Zoom's surging popularity has laid bare some of its shortcomings, though. As The Intercept reports, Zoom calls can't be secured with end-to-end (E2E) encryption -- a gold standard offered by Google Duo, WhatsApp and others -- even though the company's website clearly states they can. "It is not possible to enable E2E encryption for Zoom video meetings," a spokesperson told the website in a statement earlier this week.
Patrick Wardle, principal security officer at Jamf and a former NSA hacker, revealed two Mac vulnerabilities yesterday that relied on the attacker having physical access to the user's machine. In today's blog post, Wang said Zoom fixed both issues within 24 hours.
But there's more! According to Feelix Seele, technical lead at malware tracker VMRay, Zoom's Mac installer uses pre-installation scripts and then, unbeknownst to the user, displays a faked system message to confirm what has already happened behind the scenes. "This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste," he tweeted on March 30th. "The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges."
The company also had to update its iOS app last week to remove code that reportedly sent data to Facebook, including the user's time zone and city, basic details about their device, and when they opened the app.
As Vice reports, Zoom is having problems with its Company Directory, too. The normally-handy tool helps people find colleagues who have the same email domain. The problem is that some people sign up through the app with a personal email address and, in some cases, have been grouped together with countless other people who signed up the same way.
The company also changed its privacy policy after users realised their personal information could be used for targeted ads.
Then there's the issue of "Zoombombing." It's a basic but highly effective prank whereby someone guesses a Zoom conference ID number and then, through screen sharing, broadcasts embarrassing or disturbing imagery to everyone on the call. Zoom has addressed this problem for educational users by restricting screen sharing to the host by default. For the average consumer, though, it's still an option they have to enable manually.
Zoom's problems go back even further, though. Last year, Apple removed a hidden Zoom web server that made it easier for Safari users on Mac to join a meeting. Security researcher Jonathan Leitschuh had found a vulnerability earlier in the week that meant any site could theoretically start a Zoom conference call that automatically turned your webcam on. Zoom eventually removed the web server, but Apple was so worried that it issued a silent update to all Mac users, just to be on the safe side.
To win back user trust, Yuan said today that Zoom will be initiating a "feature freeze" until all of its security issues are addressed.
"We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies," the blog post reads. "These are the questions that will make Zoom better, both as a company and for all its users. We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future."
