Zoom security issues: Here’s everything that’s gone wrong (so far).

Dozens of security and privacy issues were found in Zoom. Here’s an updated list.

Are you using Zoom? Anyone who had to work from home or do schoolwork during the ongoing coronavirus pandemic has used the videoconferencing platform for meetings, lessons and even social gatherings.

There are good reasons why Zoom took off when other platforms didn’t. Zoom is easy to set up, easy to use, lets up to 100 people join a meeting for free, and now even generates live subtitles. It just works.

But Zoom’s ease of use has made it easy for troublemakers to “bomb” open Zoom meetings. Information security professionals say Zoom’s security has had many holes, although most have been fixed in recent years.

After the lockdowns started, Zoom added two-factor authentication as a security option, giving users a powerful weapon to protect their accounts from takeover.

Zoom’s privacy policy also came under scrutiny: in early 2020 it seemed to give Zoom the right to do whatever it wanted with users’ personal data, and the company’s encryption claims were rather misleading.

That caused a backlash against Zoom early in the pandemic. In April 2020, New York City public schools moved to ban Zoom meetings, and other school systems did the same, though New York lifted the Zoom ban a month later.

With all these issues, people have been looking for alternatives to Zoom, so check out our Skype vs Zoom face-off to see how an old video app has adapted for video conferencing. We also compared Zoom vs. Google Hangouts.

Zoom is still safe to use in most cases

Is Zoom unsafe to use? No. Unless you discuss state or trade secrets or disclose personal health information to a patient, Zoom should be fine.

For school classes, after-work get-togethers or even workplace meetings that stick to routine matters, there is not much risk in using Zoom. Kids are likely to keep using it too, since they can even apply Snapchat filters on Zoom.

Zoom security tips

Join Zoom meetings through your web browser instead of the Zoom desktop software. The web browser version gets security improvements faster.

“The web version is located in a sandbox in the browser and does not have the rights that an installed app has, limiting the amount of damage it may cause,” notes information security firm Kaspersky.

When you click a link to join a meeting, your browser opens a new tab and prompts you to use or install the Zoom desktop software. But in the fine print there is a link to join from your browser. Click on that.

If you’re organizing a Zoom meeting, ask meeting participants to sign in with a password. That makes Zoom bombing much less likely.

Set up two-factor authentication for your Zoom account.

Zoom creates a huge “attack surface” and hackers will respond to it in any way possible. They have already registered many Zoom-related fake domains and are developing Zoom-themed malware.

The upside is that if many of Zoom’s flaws are found and fixed immediately, Zoom will be better and safer for it.

“Zoom will soon be the safest meeting tool out there,” tech journalist Kim Zetter wrote on Twitter in April 2020. “But it’s a shame they didn’t spare themselves some grief and carry out a number of security reviews themselves to avoid this trial by fire.”


Everything that’s gone wrong with Zoom lately

To keep this manageable for us (and you), we’ve put the latest Zoom issues at the top and sorted older issues into those that haven’t been fixed, those that have been fixed, and those that don’t fit either category.

Thursday, April 8: Zoom flaw lets hackers hijack PCs and Macs

Two researchers demonstrated during the Pwn2Own contest that they could remotely take over Windows PCs and Macs by using at least one previously unknown vulnerability in the Zoom desktop app.

Fortunately, the only people who fully understand how this exploit works are the two researchers and Zoom itself, which is working on a fix. The chances of this attack being used “in the wild” are small, but if you are concerned, you can use the Zoom browser interface for meetings until it is fixed.

Friday, March 19: Flaw shows other Zoom users way too much

Zoom allows meeting participants to share all their computer screens, some of their screens, or only specific application windows with other people in the same meeting.

Two German researchers found that the entire screen can still become visible even when the Zoom user intends to share only part of it. Any attendee who records the meeting can freeze frames during playback and view potentially sensitive information.

Zoom said it was working to fix the issue, but at the time of writing, the error was still present in the latest version of the Zoom desktop client software for at least Windows and Linux.

Tuesday, February 23: Zoom’s Keybase encrypted chat fixes a serious flaw

Keybase, an encrypted chat app and social-media identity verification system that Zoom bought in May 2020, had a serious flaw that kept images in online folders even after the user deleted them.

The flaw was reported to Zoom in early January 2021, and later that month a Keybase software update was released to fix it.

Monday, February 8: Study says trying to stop Zoom bombing often won’t work

A new study by researchers from Boston University and Binghamton University found that attempts to stop “Zoom bombing,” such as requiring passwords or holding attendees in “waiting rooms,” often don’t work.

That’s because many attacks are carried out by “insiders” who are already authorized to attend the meetings.

“Our findings indicate that the vast majority of calls for Zoom bombing are made not by attackers who stumble upon meeting invitations or brute-force their meeting IDs, but rather by insiders who have legitimate access to these meetings, particularly high school and college students,” says the paper, titled “A First Look at Zoombombing.”

The “only effective defense” against such attacks from within, the paper states, is to create “unique connection links for each participant.”

Friday, January 29: City working to ban Zoom bombing

Plagued by an epidemic of Zoom bombings at city meetings, the city of Juneau, Alaska is exploring ways to ban the practice.

“We’ve had a few at the assembly level, we’ve had a few at the school board level, we’ve had a few at a number of committee meetings,” city attorney Rob Palmer said, according to radio station KTOO’s website.

Police in Alaska’s capital have struggled to track down the Zoom bombers. By making the practice illegal, the city hopes to force Zoom to turn over information that identifies the digital miscreants.

Open/unresolved issues

More than 500,000 Zoom accounts are up for grabs

Usernames and passwords for more than 500,000 Zoom accounts are sold or given away in criminal markets.

These accounts were not compromised through a Zoom data breach but through credential stuffing, in which criminals try to unlock accounts by reusing credentials exposed in previous data breaches. It only works if an account holder uses the same password for more than one account.

STATUS: Unknown, but this is not Zoom’s fault.

2300 sets of Zoom credentials found online

Researchers at IntSights found that a set of 2,300 Zoom credentials had been shared on a criminal online forum.

“Aside from personal accounts, there were many business accounts from banks, consulting firms, educational institutions, healthcare providers and software vendors, among others,” Etay Maor of IntSights wrote in a blog post on April 10.

“While some of the accounts contain ‘only’ an email address and password, others include IDs for meetings, names, and host keys,” Maor wrote.

Maor told Threatpost that it didn’t look like the credentials came from a Zoom data breach, given their relatively small number. He theorized that they came from “small lists and databases maintained by other companies/agencies.”

It is also possible that some of the credentials were the result of credential stuffing, the (largely) automated process by which criminals try to log into websites with probable email addresses and likely passwords and then harvest whichever combinations produce a hit.

STATUS: Unknown, but this probably isn’t a Zoom issue.
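Credential stuffing, as described in the two items above, leaves a recognizable trace in authentication logs: one source address tries many different accounts with only one or two guesses each, unlike classic brute force, which hammers a single account. The detector below is an added example, not code from the article or from any vendor named in it; the log format and the addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). The format is hypothetical:
# "<ISO time> ip=<source> user=<login> result=OK|FAIL"
AUTH_LOG = """\
2020-04-10T09:00:00Z ip=192.0.2.9 user=alice@example.com result=OK
2020-04-10T09:00:05Z ip=203.0.113.7 user=u1@example.com result=FAIL
2020-04-10T09:00:06Z ip=203.0.113.7 user=u2@example.com result=FAIL
2020-04-10T09:00:07Z ip=203.0.113.7 user=u3@example.com result=OK
2020-04-10T09:00:08Z ip=203.0.113.7 user=u4@example.com result=FAIL
2020-04-10T09:00:09Z ip=203.0.113.7 user=u5@example.com result=FAIL
2020-04-10T09:00:10Z ip=203.0.113.7 user=u6@example.com result=FAIL
2020-04-10T09:00:11Z ip=203.0.113.7 user=u7@example.com result=OK
2020-04-10T09:01:00Z ip=198.51.100.4 user=bob@example.com result=FAIL
2020-04-10T09:01:03Z ip=198.51.100.4 user=bob@example.com result=FAIL
2020-04-10T09:01:06Z ip=198.51.100.4 user=bob@example.com result=FAIL
2020-04-10T09:01:09Z ip=198.51.100.4 user=bob@example.com result=FAIL
2020-04-10T09:01:12Z ip=198.51.100.4 user=bob@example.com result=FAIL
this line is malformed and must be skipped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_events(lines):
    """Return (timestamp, ip, user, result) tuples sorted by time; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def window_is_stuffing(events, window, min_users, max_tries_per_user):
    """True if some time window of one IP's events spans at least `min_users`
    distinct accounts with no more than `max_tries_per_user` attempts each:
    many accounts, one stolen password apiece. Classic brute force (many
    tries on a single account) fails the second condition and is not flagged."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        tries = Counter(user for _, _, user, _ in events[start:end + 1])
        if len(tries) >= min_users and max(tries.values()) <= max_tries_per_user:
            return True
    return False


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_tries_per_user=2):
    """Map each suspicious source IP to its stats, including the accounts that
    logged in successfully during the campaign (the ones to force-reset and
    move to two-factor authentication)."""
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        if window_is_stuffing(evs, window, min_users, max_tries_per_user):
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len({u for _, _, u, _ in evs}),
                "compromised": sorted({u for _, _, u, r in evs if r == "OK"}),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(AUTH_LOG).items():
        print(ip, stats)
```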

Zoom zero-day exploits

According to Vice, information security researchers are aware of several “zero-day” exploits for Zoom. Zero-days are exploits for software vulnerabilities that the software maker does not know about and has not fixed, and so has had “zero days” to prepare before the exploits appear.

However, one Vice source suggested that other video conferencing solutions also had security issues. Another source said Zoom zero-days were not sold for much money due to a lack of demand.

STATUS: Unresolved until some of these deficiencies come to light.

Zoom compromised accounts traded online

Criminals trade compromised Zoom accounts on the “dark web,” Yahoo News reported.

This information apparently came from Israeli cybersecurity firm Sixgill, which specializes in monitoring underground online criminal activity. We could not find any mention of the findings on the Sixgill website.

Sixgill told Yahoo it had seen 352 compromised Zoom accounts, including meeting IDs, email addresses, passwords and host keys. Some of the accounts belonged to schools, one each to a small business and a large healthcare provider, but most were personal.

STATUS: Not really a bug, but well worth worrying about. If you have a Zoom account, make sure that the password is not the same as the password of another account you have.

Zoom installer bundled with malware

Researchers at Trend Micro discovered a version of the Zoom installer bundled with cryptocurrency mining malware, namely a coin miner.

The Zoom installer puts Zoom version 4.4.0.0 on your Windows PC, but it comes with a coin miner to which Trend Micro has given the catchy name Trojan.Win32.MOOZ.THCCABO. (By the way, the latest Zoom client software for Windows is up to version 4.6.9, and you should download it only from Zoom itself.)

The coin miner will drive up the central processing unit (CPU) of your PC and its graphics card, if any, to solve mathematical problems and generate new cryptocurrency units. You will notice this if your fans suddenly speed up or if Windows Task Manager (press Ctrl + Shift + Esc) shows unexpectedly heavy CPU/GPU usage.

To avoid being hit by this malware, make sure that you are using one of the best antivirus programs and do not click on links in emails, social media posts, or pop-up messages that promise to install Zoom on your computer.

STATUS: Open, but this is not Zoom’s problem to solve. It can’t stop other people from copying and repackaging its installer.

Zoom encryption not what it claims to be

Zoom not only misleads users about its “end-to-end encryption” (see below), but it seems downright, er, not telling the truth about the quality of its encryption algorithm.

Zoom says it uses AES-256 encryption to encrypt video and audio data traveling between Zoom servers and Zoom clients (i.e., you and me). But researchers at the University of Toronto’s Citizen Lab found in an April 3 report that Zoom actually uses the slightly weaker AES-128 algorithm.

Worse, Zoom uses an in-house encryption implementation that retains patterns from the original data. It’s as if someone drew a red circle on a gray wall and then censored it by painting another circle over it: you can’t see the original message, but the shape is still there.
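The pattern-preserving behaviour described above is the hallmark of electronic codebook (ECB) mode, where each block is encrypted independently, versus a mode such as counter (CTR) mode that hides equal blocks. The example below is added here and is not code from the article or from Zoom; it swaps in a keyed hash as a stand-in for the block cipher (the mode comparison does not depend on the cipher) and uses a constructed 8 by 4 block "picture" with a square in the middle.

```python
import hashlib

BLOCK = 16  # 16-byte blocks, the same block size AES-128 uses


def prf_block(key: bytes, data: bytes) -> bytes:
    """Stand-in for one block-cipher call: keyed BLAKE2b truncated to 16 bytes.

    This is NOT AES and is not invertible; it only models the property that
    matters for the mode comparison: the same key and the same input block
    always produce the same output block.
    """
    return hashlib.blake2b(data, key=key, digest_size=BLOCK).digest()


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted on its own, so equal plaintext blocks
    become equal ciphertext blocks and the layout of the data leaks."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    return b"".join(prf_block(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR: the cipher encrypts nonce||counter to make a keystream that is
    XORed with the data, so equal plaintext blocks look unrelated.
    Calling it again with the same key and nonce decrypts."""
    out = bytearray()
    for n, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = prf_block(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)


def make_image(width_blocks: int = 4, height: int = 8) -> bytes:
    """Constructed sample 'picture': a gray background (0x80 bytes) with a
    solid square of 0xFF bytes in the middle, one block per pixel cell."""
    cells = []
    for y in range(height):
        for x in range(width_blocks):
            inside = (height // 4 <= y < 3 * height // 4
                      and width_blocks // 4 <= x < 3 * width_blocks // 4)
            cells.append((b"\xff" if inside else b"\x80") * BLOCK)
    return b"".join(cells)


def block_map(data: bytes, blocks_per_row: int) -> list:
    """Label each block with a letter; equal blocks share a letter.
    One string per row, so any shape the ciphertext leaks is visible."""
    labels, rows, row = {}, [], ""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if blk not in labels:
            labels[blk] = chr(ord("A") + len(labels)) if len(labels) < 26 else "?"
        row += labels[blk]
        if len(row) == blocks_per_row:
            rows.append(row)
            row = ""
    return rows


def distinct_blocks(data: bytes) -> int:
    """How many different 16-byte blocks the data contains."""
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


KEY = b"\x01" * 16   # constructed demo key
NONCE = b"\x00" * 8  # constructed demo nonce (8-byte nonce + 8-byte counter)
IMAGE = make_image()

if __name__ == "__main__":
    for name, data in [("plaintext", IMAGE),
                       ("ECB", ecb_encrypt(KEY, IMAGE)),
                       ("CTR", ctr_encrypt(KEY, NONCE, IMAGE))]:
        print(name, distinct_blocks(data), "distinct blocks")
        print("\n".join(block_map(data, 4)), end="\n\n")
```

Under ECB the block map of the ciphertext is identical to that of the plaintext, so the square is still visible; under CTR every block is different.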

“We currently do not recommend using Zoom for use situations that require strong privacy and confidentiality,” the Citizen Lab report says, such as “governments concerned about espionage, companies concerned about cybercrime and industrial espionage, healthcare providers dealing with sensitive patient information” and “activists, lawyers and journalists working on sensitive topics.”

STATUS: Unresolved. In an April 3 blog post, Zoom CEO Eric S. Yuan acknowledged the encryption issue, but said only that “we recognize that we can do better with our encryption design” and “we expect to share more on this front in the coming days.”

In its announcement of the April 26 desktop software update, Zoom said it would upgrade its encryption to a better standard for all users by May 30.

Zoom software can be easily tampered with

Good software has built-in anti-tampering mechanisms to ensure that the application does not execute code modified by a third party.

Zoom has such anti-tampering mechanisms in place, which is good. But those mechanisms are themselves not protected from tampering, a British computer science student who calls himself “Lloyd” said in an April 3 blog post.

Needless to say, that’s bad. Lloyd showed how Zoom’s anti-tampering mechanism can be easily disabled or even replaced with a malicious version that hijacks the application.

If you read this with a working knowledge of how Windows software works, this is a pretty damning passage: “This DLL can be trivially removed, invalidating the anti-tampering mechanism. The DLL is not pinned, which means an attacker from a third-party process can simply inject a remote thread.”

In other words, malware already present on a computer could use Zoom’s own anti-tampering mechanism to tamper with Zoom. Criminals could also create fully functional versions of Zoom that have been modified to perform malicious acts.

STATUS: Unresolved.

Zoom bombing

Anyone can “bomb” a public Zoom meeting if they know the meeting number, and then use the screen-sharing feature to post shocking images or make annoying sounds over the audio. The FBI even warned about it a few days ago.

The Zoom meeting host can mute or even remove troublemakers, but they can come right back with new user IDs. The best way to avoid Zoom bombing is to share Zoom meeting numbers only with the intended attendees. You can also require attendees to use a password to join the meeting.

On April 3, the U.S. Attorney’s Office for the Eastern District of Michigan said that “anyone who hacks a teleconference can be charged with state or federal crimes.” It’s not clear if that only applies to Eastern Michigan.

STATUS: There are simple ways to avoid Zoom bombing, which we discuss here.

Leaks of email addresses and profile pictures

Zoom automatically places anyone sharing the same email domain in a “company directory” where they can see each other’s information.

Exceptions are made for people who use large webmail clients, such as Gmail, Yahoo, Hotmail, or Outlook.com, but apparently not for smaller webmail providers that Zoom may not know about.

Several Dutch Zoom users with email addresses provided by their ISP suddenly discovered they were in the same “company” with dozens of strangers, and could see their email addresses, usernames and profile photos.

STATUS: Unresolved, but an April 19 Zoom software update for the Zoom web interface prevents users on the same email domain from automatically searching for each other by name. The Zoom desktop client software will get a similar fix on April 26.

Sharing personal information with advertisers

Several privacy experts, some of them working for Consumer Reports, studied Zoom’s privacy policy and found that it apparently gave Zoom the right to use Zoom users’ personal data and share it with third-party marketers.

After a blog post from Consumer Reports, Zoom quickly rewrote its privacy policy, deleted the most disturbing passages and claimed that “we do not sell your personal information”.

STATUS: Unknown. We don’t know the details of Zoom’s business dealings with third-party advertisers.

You can “war-drive” to find open Zoom meetings

You can find open Zoom meetings by rapidly cycling through possible Zoom meeting IDs, a security researcher told independent security blogger Brian Krebs.

The researcher got past Zoom’s meeting-scan blocker by running the searches through Tor, which randomized his IP address. It is a variation on the “war driving” of the dial-up days, when people dialed random phone numbers to find open modems.

The researcher told Krebs that he could find about 100 open Zoom meetings with the tool every hour, and that “having a password enabled at the [Zoom] meeting is the only thing that bypasses it.”

STATUS: Unknown.

Zoom meeting chats don’t stay private

Two Twitter users pointed out that if you’re in a Zoom meeting and use the chat’s private-message feature to communicate privately with another person in the meeting, that conversation will be visible in the transcript the host receives at the end of the meeting.

STATUS: Unknown.

Fixed/resolved issues

Zoom error allowed account hijacking

A Kurdish security researcher said Zoom paid him a bug bounty, a reward for finding a serious flaw, for discovering how to hijack a Zoom account if the account holder’s email address was known or guessed.

The researcher, who calls himself “s3c” but whose real name may be Yusuf Abdulla, said that if he tried to log in to Zoom with a Facebook account, Zoom would ask for the email address associated with that Facebook account. Zoom would then open a new web page to let him know that a confirmation email had been sent to that email address.

The URL of the notification web page would have a unique identifier in the address bar. As an example that is much shorter than the real thing, let’s say it is “zoom.com/signup/123456XYZ”.

When s3c received and opened Zoom’s confirmation message, he clicked the confirmation button in the body of the message. This took him to yet another web page that confirmed that his email address was now linked to a new account. So far so good.

But then s3c noticed that the unique identifier tag in the URL of the Zoom confirmation web page was identical to the first ID tag. Let’s use the “zoom.com/confirmation/123456XYZ” example.

The matching ID tags, one used before confirmation and the other after confirmation, meant that s3c could have avoided receiving the confirmation email and not clicking the confirmation button at all.

In fact, he could have entered ANY email address – yours, mine or billgates@gmail.com – in the original sign-up form. Then he could have copied the ID tag from the resulting Zoom notification page and pasted the ID tag into a pre-existing Zoom account confirmation page.

Boom, he would have access to any Zoom account created with the targeted email address.

“Even if you’ve already linked your account to a Facebook account, unlink Zoom automatically and link it to the attacker’s Facebook account,” s3c wrote in his imperfect English.

And because Zoom shows everyone who uses a business email address all other users logged in with the same email domain, e.g. “company.com”, s3c could have used this method to steal ALL Zoom accounts from a particular company.

“So if an attacker creates an account with the email address aanvaller@bedrijfsnaam.com and verifies it with this bug,” writes s3c, “the attacker can view all emails created with *@bedrijfsnaam.com in the Zoom app in Business Contacts, so that means that the attacker can hack all of the company’s accounts.”

Zoom is lucky that s3c is one of the good guys and didn’t make this flaw public before Zoom could fix it. But it’s such a simple mistake that it’s hard to imagine nobody else noticed it before.

STATUS: Fixed, thank God.
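The flaw s3c describes comes down to one design rule: the secret that completes a confirmation must reach only the mailbox owner, and the page shown to whoever typed the address must not carry it. The mock below is an added example, not Zoom's code or s3c's; it models the defective flow beside the fixed one with a hypothetical SignupService whose "outbox" stands in for e-mail delivery and uses example.invalid URLs.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SignupService:
    """Hypothetical mock of a sign-up confirmation flow (not Zoom's code)."""
    vulnerable: bool
    outbox: dict = field(default_factory=dict)    # simulated e-mail: address -> token
    pending: dict = field(default_factory=dict)   # token -> address awaiting confirmation
    confirmed: set = field(default_factory=set)

    def start_signup(self, email: str) -> str:
        """Register a pending sign-up, 'send' the confirmation e-mail and return
        the URL of the 'check your inbox' page shown to whoever typed the address."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        self.outbox[email] = token            # only the mailbox owner should learn this
        if self.vulnerable:
            # The defect described above, modelled: the notification page URL carries
            # the very identifier the e-mailed confirmation link uses, so anyone who
            # typed the address can finish the confirmation without reading the mail.
            return f"https://example.invalid/signup/{token}"
        # Fixed: the page gets an unrelated opaque id; the secret lives only in the e-mail.
        return f"https://example.invalid/signup/{secrets.token_urlsafe(16)}"

    def confirm(self, token: str) -> bool:
        """Consume a confirmation token. Single use; unknown tokens are rejected."""
        # compare_digest keeps the comparison from leaking matching prefixes via timing
        match = next((t for t in self.pending if hmac.compare_digest(t, token)), None)
        if match is None:
            return False
        self.confirmed.add(self.pending.pop(match))
        return True


def id_from_url(url: str) -> str:
    """The identifier at the end of a notification or confirmation URL."""
    return url.rsplit("/", 1)[-1]


def confirmable_from_page_alone(vulnerable: bool, email="victim@example.invalid") -> bool:
    """Can the address be confirmed using only what the notification page shows?
    This is the check the finding above boils down to."""
    svc = SignupService(vulnerable=vulnerable)
    page_url = svc.start_signup(email)
    return svc.confirm(id_from_url(page_url))


def confirm_via_mailbox(email="owner@example.invalid"):
    """The legitimate path on the fixed flow: the e-mailed token works exactly once."""
    svc = SignupService(vulnerable=False)
    svc.start_signup(email)
    first = svc.confirm(svc.outbox[email])
    second = svc.confirm(svc.outbox[email])
    return first, second, email in svc.confirmed


if __name__ == "__main__":
    print("vulnerable flow, confirmable from page alone:", confirmable_from_page_alone(True))
    print("fixed flow, confirmable from page alone:", confirmable_from_page_alone(False))
    print("fixed flow via e-mail (first, second, confirmed):", confirm_via_mailbox())
```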

Zoom removes meeting IDs from screens

Zoom has released updates to its Windows, macOS, and Linux desktop client software so that meeting IDs don’t appear on the screen during meetings. British Prime Minister Boris Johnson accidentally showed a Zoom meeting ID in a tweet and the Belgian cabinet made a similar mistake.

‘Potential vulnerability’ with Zoom file sharing

In an “ask me anything” webinar in early April, Zoom CEO Eric S. Yuan said Zoom had “discovered a potential file sharing vulnerability, so we disabled that feature.”

Until this week, participants in a Zoom meeting could share files with each other via the chat function of the meeting.

STATUS: Fixed.

Zoom cryptographic keys issued by Chinese servers

Those AES-128 encryption keys are provided to Zoom clients by Zoom servers, and that’s all well and good, except that the Citizen Lab found several Zoom servers in China issuing keys to Zoom users even when all meeting participants were in North America.

Since Zoom servers can decrypt Zoom meetings and Chinese authorities can force operators of Chinese servers to transfer data, this implies that the Chinese government can see your Zoom meetings.

That must be bad news for the British government, which has held at least one cabinet meeting on Zoom.

STATUS: Apparently solved. In an April 3 blog post, Zoom CEO Eric S. Yuan responded to the Citizen Lab report by saying that “it is possible that certain meetings could connect to systems in China, where they should not have connected. We have since corrected this.”

Zoom Meeting Waiting Room Security Flaw

Zoom advises meeting hosts to set up “waiting rooms” to avoid “Zoom bombing.” A waiting room keeps participants on hold until the host lets them in, all at once or one by one.

The Citizen Lab said it had found a serious security issue with Zoom waiting rooms and advised hosts and participants not to use them for the time being. The Citizen Lab has not yet announced the details but has informed Zoom of the flaw.

“We recommend Zoom users who want confidentiality not to use Zoom Waiting Rooms,” the Citizen Lab said in its report. “Instead, we encourage users to use Zoom’s password feature.”

STATUS: Fixed. In a follow-up to their first report, the Citizen Lab researchers revealed that uninvited meeting visitors could obtain the meeting’s encryption key from the waiting room.

“On April 7, Zoom notified us that they had implemented a server-side solution to the problem,” the researchers said.

Stealing Windows passwords

Zoom meetings have side chats where attendees can send text messages and post web links.

But according to Twitter user @_g0dmode and Anglo-American cybersecurity training company Hacker House, until the end of March Zoom did not distinguish between regular web addresses and another kind of remote network link, a Universal Naming Convention (UNC) path. That made Zoom chats vulnerable to attack.

If a malicious Zoom bomber posted a UNC path to a remote server under his control in a Zoom meeting chat, an unsuspecting participant might click on it.

The participant’s Windows computer would then attempt to contact the remote server specified in the path and automatically try to log in with the user’s Windows username and password.

The attacker could capture and crack the password “hash,” which would give him access to the Zoom user’s Windows account.

STATUS: Yuan’s blog post says Zoom has now fixed this issue.
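The fix described above amounts to a chat client telling web addresses apart from UNC paths before it makes anything clickable. The classifier below is an added example, not Zoom's code; it covers the edge cases a reviewer would ask about (upper-case schemes, UNC paths written with forward slashes, which Windows also accepts, and non-web schemes such as file:), and the sample message and the 203.0.113.5 address are constructed.

```python
import re
from urllib.parse import urlsplit

# Tokens a chat client might be tempted to turn into clickable links.
CANDIDATE_RE = re.compile(r"""(?x)
    \\\\[^\s\\]+(?:\\[^\s\\]*)*        # UNC path: \\host\share\file
  | //[^\s/]+(?:/[^\s/]*)*             # UNC written with forward slashes: //host/share
  | [A-Za-z][A-Za-z0-9+.\-]*://\S+     # anything carrying a URL scheme
""")
WEB_SCHEMES = {"http", "https"}


def classify(token: str) -> str:
    """'web' for http(s) URLs, 'unc' for network share paths, 'other' for the rest."""
    if token.startswith("\\\\") or token.startswith("//"):
        return "unc"
    scheme = urlsplit(token).scheme.lower()   # HTTP:// and http:// are the same thing
    return "web" if scheme in WEB_SCHEMES else "other"   # file:, smb:, custom handlers


def linkify(message: str) -> list:
    """Return (token, kind) for every link-like token in a chat message."""
    return [(m.group(0), classify(m.group(0))) for m in CANDIDATE_RE.finditer(message)]


def clickable_links(message: str) -> list:
    """Only tokens classified as web links may be rendered as clickable."""
    return [token for token, kind in linkify(message) if kind == "web"]


# Constructed chat message; 203.0.113.5 is a documentation address, not a real host.
SAMPLE = (r"slides: HTTPS://example.com/deck.pdf  minutes: \\203.0.113.5\share\notes.docx  "
          r"also //203.0.113.5/share/x and file://203.0.113.5/share/y")

if __name__ == "__main__":
    for token, kind in linkify(SAMPLE):
        print(f"{kind:5s} {token}")
```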

Windows malware injection

Mohamed A. Baset of security firm Seekurity said on Twitter that the same file-path flaw would also let a hacker insert a UNC path to a remotely hosted executable file into a Zoom chat.

If a Windows Zoom user clicked on it, as a video posted by Baset showed, the user’s computer would try to download and run the software. The victim is asked for permission to run the software, which stops some attacks but not all.

STATUS: If the UNC file path issue is resolved, this should be too.

iOS profile sharing

Until the end of March, Zoom sent iOS user profiles to Facebook as part of the “sign in with Facebook” feature in the iPhone and iPad Zoom apps. After Vice News revealed the practice, Zoom said it wasn’t aware of profile sharing and updated the iOS apps to fix it.

STATUS: Fixed.

Malware-like behavior on Macs

We learned last summer that Zoom used hacker-like methods to bypass normal macOS security measures. We thought that issue was solved then, along with the security flaw it caused.

But a series of tweets on March 30 from security researcher Felix Seele, who noticed Zoom installing itself on his Mac without the usual user authorizations, revealed there was still a problem.


“They (ab)use pre-installation scripts, extract the app manually using a bundled 7zip and install it in /Applications if the current user is in the admin group (no root needed),” Seele wrote.

“The application is installed without the user giving his final consent and a very misleading prompt is used to obtain root rights. The same tricks used by macOS malware.” (Seele has also written a more accessible blog post on the subject.)

Zoom founder and CEO Eric S. Yuan tweeted a friendly response.

“Joining a meeting from a Mac is not easy, which is why this method is used by Zoom and others,” Yuan wrote. “Your point is well understood and we will continue to improve.”

UPDATE: In a new April 2 tweet, Seele said Zoom had released a new version of the Zoom client for macOS that “completely removes the questionable ‘pre-installation’ technique and the fake password prompt.”

“I have to say I’m impressed. That was a quick and comprehensive response. Well done, @zoom_us!” Seele added.


STATUS: Fixed.

A backdoor for Mac malware

Other people could use Zoom’s dodgy Mac installation methods, well-known Mac hacker Patrick Wardle said in a blog post on March 30.

Wardle demonstrated how a local attacker, such as a malicious person or already installed malware, could use Zoom’s formerly magical powers of unauthorized installation to “escalate privileges” and gain full control of the machine without knowing the administrator password.

Wardle also showed that a malicious script injected into the Zoom Mac client could give any piece of malware Zoom’s webcam and microphone permissions without the user being asked for authorization, which could turn any Mac with Zoom installed into a potential spying device.

“This gives malware the ability to record all Zoom meetings, or simply spawn Zoom in the background to access the microphone and webcam at random times,” Wardle wrote.

STATUS: Yuan’s blog post states that Zoom has addressed these shortcomings.

Other problems

Zoom promises to fix flaws

In an April 1 blog post, Zoom CEO and founder Eric S. Yuan acknowledged Zoom’s growing pains and promised that regular development of the Zoom platform would be put on hold while the company worked to resolve security and privacy issues.

“We recognize that we have not met the privacy and security expectations of the community (and our own),” Yuan wrote, explaining that Zoom was developed for large companies with internal IT staff who could set up and run the software.

“We now have a much broader group of users using our product in countless unexpected ways, presenting us with challenges we didn’t expect when the platform was designed,” he said. “These new, mainly consumer use situations have helped us to uncover unforeseen problems with our platform. Dedicated journalists and security researchers have also helped identify pre-existing problems.”

To deal with these issues, Yuan wrote, Zoom would “perform a feature freeze, effective immediately, and shift all of our technical resources to focus on our biggest trust, security, and privacy issues.”

Among other things, Zoom would also “conduct a comprehensive review with external experts and representative users to understand and ensure the safety of all our new consumer use scenarios”.

Zoom now requires default passwords for most Zoom meetings, although meeting hosts can disable that feature. Passwords are the easiest way to stop Zoom bombing.

And on April 8, Alex Stamos, former Chief Security Officer of Facebook and Yahoo, said he would work with Zoom to improve security and privacy. Stamos is now an adjunct professor at Stanford and highly regarded within the information security community.

Fake end-to-end encryption

Zoom claims its meetings use “end-to-end encryption” when every participant joins from a computer or a Zoom mobile app rather than over the phone. But under pressure from The Intercept, a Zoom representative admitted that Zoom’s definitions of “end-to-end” and “endpoint” are not the same as everyone else’s.

“When we use the phrase ‘End to End’,” a Zoom spokesperson told The Intercept, “that refers to the connection encrypted from Zoom endpoint to Zoom endpoint.”

Sounds good, but the spokesman clarified that Zoom counts a Zoom server as an endpoint.

Every other company considers an endpoint to be a user device, such as a desktop, laptop, smartphone or tablet, but not a server. And every other company uses “end-to-end encryption” to mean that the servers relaying messages from one endpoint to another cannot decrypt them.

When you send an iMessage from your iPhone to another iPhone user, Apple’s servers help the message get from one place to another, but they can’t read its content.

Not so with Zoom. It can see what’s going on in its meetings, and sometimes it has to, to make sure everything works properly. Just don’t believe the implication that it can’t.

UPDATE: In an April 1 blog post, Oded Gal, Zoom’s Chief Product Officer, wrote that “we would like to begin by apologizing for the confusion we have caused by falsely suggesting that Zoom meetings were capable of using end-to-end encryption.”

“We recognize that there is a discrepancy between the generally accepted definition of end-to-end encryption and how we used it,” he wrote.

Gal assured users that all data transmitted and received by Zoom client applications (but not regular phone lines, business conference systems or, presumably, browser interfaces) is indeed encrypted and that Zoom servers or employees “do not decrypt it at any point before it reaches the receiving clients.”

However, Gal added, “Zoom currently maintains the key management system for these systems in the cloud” but has “implemented robust and validated internal controls to prevent unauthorized access to content users share during meetings.”

The implication is that Zoom does not decrypt users’ transmissions by choice. But because it holds the encryption keys, Zoom could if it had to, for example if it received a court order or a U.S. National Security Letter (essentially a secret warrant).

For those concerned about government snooping, Gal wrote that “Zoom has never built a mechanism to decrypt live meetings for legal intercept purposes, nor do we have resources to insert our employees or others into meetings without being reflected in the participant list.”

He added that companies and other organizations would soon be able to manage their own encryption keys.

“Later this year, a solution will be available that will allow organizations to use the Zoom cloud infrastructure, but host the key management system within their environment.”

STATUS: This is a matter of misleading advertising rather than a real software flaw. We hope Zoom stops using the term “end-to-end encryption” incorrectly, but keep in mind that you won’t get the real thing from Zoom until it fully deploys the technology it acquired with Keybase.

Recordings of Zoom meetings can be found online

Privacy researcher Patrick Jackson noted that recordings of Zoom meetings stored on the host’s computer get a predictable type of file name by default.

So he searched unprotected cloud servers to see if anyone had uploaded Zoom recordings and found more than 15,000 unprotected examples, according to The Washington Post. Jackson also found some recorded Zoom meetings on YouTube and Vimeo.

This isn’t really Zoom’s fault. It’s up to the host to decide whether to record a meeting, and Zoom gives paying customers the option to save recordings to Zoom’s own servers. It is also up to the host to change the file name of the recording.

If you’re organizing a Zoom meeting and decide to record it, make sure you change the default file name after you’re done.

STATUS: This isn’t really Zoom’s problem, to be honest.

Source: tomsguide

Published on Apr 27, 2021