April 27, 2021

Zoom security vulnerabilities: here’s everything that’s gone wrong (so far)

Dozens of security and privacy issues have been found in Zoom. Here is an updated list.

Do you use Zoom? Anyone who has had to work from home or do schoolwork during the ongoing coronavirus pandemic has used the video conferencing platform for meetings, classes and even social gatherings.

There are good reasons why Zoom has taken off and other platforms haven’t done so well. Zoom is easy to set up, easy to use, allows up to 100 people to join a meeting for free, and now even generates live captions. It just works.

But Zoom’s ease of use has made it easy for troublemakers to “bomb” open Zoom meetings. Information security professionals say Zoom’s security has had many holes, although most have been fixed in recent years.

After the lockdown kicked in, Zoom added two-factor authentication as a security option, giving users a powerful weapon to protect their accounts from takeover.

Zoom’s privacy policy, which in early 2020 appeared to give Zoom the right to do whatever it wanted with users’ personal data, and its encryption claims, which were quite misleading, also came under scrutiny.

That caused a backlash against Zoom early in the pandemic. In April 2020, New York City public schools moved to ban Zoom meetings, and other school systems did the same, although New York lifted the Zoom ban a month later.

With all these issues, people have been looking for alternatives to Zoom, so check out our Skype vs Zoom face-off to see how an old video app has adapted for video conferencing. We also compared Zoom vs Google Hangouts.

Zoom is still safe to use in most cases

Is Zoom unsafe to use? No. Unless you’re discussing state or company secrets or disclosing personal health information to a patient, Zoom should be fine.

For school classes, after-work gatherings, or even workplace meetings that stick to routine business, there isn’t much risk in using Zoom. Kids will probably keep coming to it as they can even use Snapchat filters on Zoom.

Zoom security tips

Join Zoom meetings through your web browser instead of through the Zoom desktop software. The web browser version gets security improvements faster.

“The web version is sandboxed in the browser and doesn’t have the permissions that an installed app has, limiting the amount of damage it could potentially cause,” notes information security firm Kaspersky.

When you click on a link to join a meeting, your browser opens a new tab and prompts you to use or install the Zoom desktop software. But in the fine print there is a link to join from your browser. Click on that.

If you’re hosting a Zoom meeting, ask the meeting participants to log in with a password. That makes Zoom bombings much less likely.

Set up two-factor authentication for your Zoom account.

Zoom presents a huge “attack surface,” and attackers will probe it in every possible way. They have already registered many fake Zoom-related domains and are developing Zoom-themed malware.

The upside is that if many flaws in Zoom are found and fixed right away, Zoom will be better and safer for it.

“Zoom will soon become the most secure meeting tool out there,” tech journalist Kim Zetter wrote on Twitter in April 2020. “But too bad they didn’t spare themselves some heartache and do some security assessments themselves to avoid this trial by fire.”

Everything that’s gone wrong with Zoom lately

To keep ourselves (and you) sane, we’ve placed the most recent Zoom issues at the top and separated older issues into issues that haven’t been resolved, issues that have been resolved, and issues that don’t fit into either category.

Thursday, April 8: Zoom flaw lets hackers hijack PCs and Macs

Two researchers showed at the Pwn2Own competition that they could remotely take over Windows PCs and Macs by exploiting at least one previously unknown vulnerability in the Zoom desktop app.

Fortunately, the only people who fully understand how this exploit works are the two researchers and Zoom itself, which is working on a fix. The chances of this attack being used “in the wild” are slim, but if you’re concerned, you can use the Zoom browser interface during meetings until this is fixed.

Friday March 19: Flaw shows other Zoom users way too much

Zoom allows meeting participants to share all of their computer screens, some of their screens, or just specific application windows with other people in the same meeting.

Two German researchers found that the entire screen can be briefly visible even when the Zoom user intends to share only part of it, such as a single application window. Any participant recording the meeting can freeze those frames during playback and view potentially sensitive information.

Zoom said it was working to fix the issue, but at the time of writing, the bug was still present in the latest version of the Zoom desktop client software for at least Windows and Linux.

Tuesday, February 23: Zoom’s Keybase encrypted chat fixes a serious flaw

Keybase, an encrypted social media authentication system and chat app purchased by Zoom in May 2020, had a serious flaw that kept images in online folders even after the user deleted them.

The bug was reported to Zoom in early January 2021, and a Keybase software update was released later that month to fix the bug.

Monday, February 8: Research Says Trying To Stop Zoom Bombing Often Won’t Work

A new study conducted by researchers at Boston University and Binghamton University found that attempts to stop “Zoom bombing,” such as asking for passwords or having visitors stew in “waiting rooms,” often fail.

That’s because many attacks are carried out by “insiders” who are already authorized to attend the meetings.

“Our findings indicate that the vast majority of calls for Zoom bombing are not made by attackers stumbling upon meeting invites or brute-forcing their meeting ID, but rather by insiders who have legitimate access to these meetings, particularly high school and college students,” says the paper, titled “A First Look at Zoombombing.”

The “only effective defense” against such attacks from within, the paper states, is to create “unique connecting links for each participant”.

Friday, January 29: City working to ban Zoom bombing

Plagued by an epidemic of Zoom bombing during city assemblies, the city of Juneau, Alaska is exploring ways to outlaw the practice.

“We’ve had a few at the assembly level, we’ve had a few at the school board level, we’ve had a few at some committee meetings,” city attorney Rob Palmer said, according to radio station KTOO’s website.

Police in Alaska’s capital have had a hard time tracking down the Zoom bombers. By making the practice illegal, the city hopes to force Zoom to hand over information that identifies the digital miscreants.

Open / unresolved issues

More than 500,000 Zoom accounts are up for grabs

Usernames and passwords for more than 500,000 Zoom accounts are sold or given away in criminal markets.

These accounts were not compromised as a result of a Zoom data breach, but through credential stuffing. That’s when criminals try to unlock accounts by reusing credentials from accounts compromised in previous data breaches. It only works if an account holder uses the same password for more than one account.

STATUS: Unknown, but this is not Zoom’s fault.

2300 sets of Zoom credentials found online

IntSights investigators discovered that a set of 2,300 Zoom credentials was being shared on a criminal online forum.

“Aside from personal accounts, there were many business accounts from banks, consultancies, educational institutions, healthcare providers and software vendors, among others,” IntSights’ Etay Maor wrote in a blog post on April 10.

“While some of the accounts contain ‘just’ an email address and password, others contain meeting IDs, names and host keys,” Maor wrote.

Maor told Threatpost that it didn’t seem like the credentials came from a Zoom data breach, given their relatively small number. He theorized that they came from “small lists and databases maintained by other companies/agencies”.

It is also possible that some credentials were the result of “credential stuffing”. That’s the (largely) automated process by which criminals try to log into websites with likely email addresses and likely passwords in bulk, then harvest whatever yields a positive result.

Status unknown. This is probably not a Zoom issue.

Zoom zero-day exploits

According to Vice, information security researchers are aware of several Zoom zero-day exploits. Zero-days are exploits for software vulnerabilities that the software maker is not aware of and has not fixed, and therefore has “zero days” to prepare before the exploits appear.

However, one Vice source suggested that other video conferencing solutions also had security vulnerabilities. Another source said that Zoom zero-days were not selling for a lot of money due to a lack of demand.

STATUS: Unresolved until some of these flaws come to light.

Zoom Compromised Accounts Traded Online

Criminals are trading compromised Zoom accounts on the “dark web,” reported Yahoo News.

This information apparently came from Israeli cybersecurity firm Sixgill, which specializes in monitoring underground online criminal activity. We could not find any mention of the findings on the Sixgill website.

Sixgill told Yahoo it had seen 352 compromised Zoom accounts, including meeting IDs, email addresses, passwords and host keys. Some of the accounts were from schools, and one each from a small business and a major health care provider, but most were personal.

STATUS: Not really a bug, but definitely worth worrying about. If you have a Zoom account, make sure the password isn’t the same as the password for any other account you have.

Zoom installer bundled with malware

Trend Micro researchers discovered a version of the Zoom installer bundled with cryptocurrency mining malware, namely a coin miner.

The installer puts Zoom version 4.4.0.0 on your Windows PC, but it comes with a coin miner that Trend Micro has named Trojan.Win32.MOOZ.THCCABO. (By the way, the latest Zoom client software for Windows is up to version 4.6.9, and you should only download it directly from Zoom.)

The coin miner will ramp up your PC’s central processing unit and graphics card, if it has one, to solve math problems and generate new cryptocurrency units. You will notice this if your fans suddenly speed up or if Windows Task Manager (press Ctrl + Shift + Esc) shows unexpected heavy CPU/GPU usage.

To avoid getting hit by this malware, make sure you use one of the best antivirus programs and don’t click on links in emails, social media posts, or pop-up messages that promise to install Zoom on your computer.

STATUS: Open, but this isn’t Zoom’s problem to solve. It cannot stop other people from copying and redistributing the installation software.

Zoom encryption not what it claims to be

Not only does Zoom mislead users about its “end-to-end encryption” (see below), but it also seems to be, er, not telling the truth about the strength of its encryption algorithm.

Zoom says it uses AES-256 encryption to encrypt video and audio data traveling between Zoom servers and Zoom clients (ie you and me). But researchers at the University of Toronto’s Citizen Lab found in an April 3 report that Zoom actually uses the somewhat weaker AES-128 algorithm.

Even worse, Zoom uses an in-house implementation of the encryption algorithm in a mode that preserves patterns from the original data. It’s as if someone drew a red circle on a gray wall and a censor then painted over it with a circle of a different color: you can’t see the original message, but its shape is still there.
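The pattern-preserving behavior described above is what a block cipher does in ECB mode: every 16-byte block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and the layout of the input survives. The following script is an added example, not code from the original article or from Zoom; it uses a small Feistel construction as a stand-in block cipher (so it runs with only the Python standard library; the point is the mode, not the cipher) and compares ECB with CBC on a constructed “image” of a red shape on a gray wall.

```python
import hmac
import hashlib
import os

BLOCK = 16  # 16-byte blocks, the AES block size


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # HMAC-SHA256 as the Feistel round function, truncated to one half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel permutation of one 16-byte block. This is a stand-in
    for AES (hypothetical toy cipher), used only so the mode comparison below
    runs without third-party libraries."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted on its own, so equal plaintext blocks give
    equal ciphertext blocks and the structure of the input leaks."""
    return b"".join(toy_block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so repeated plaintext blocks no longer repeat in the output."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def distinct_blocks(data: bytes) -> int:
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


# Constructed sample "image": a red shape on a gray wall, as eight 16-byte
# blocks (a whole number of blocks, so no padding is needed here).
GRAY = b"\x80" * BLOCK
RED = b"\xff\x00\x00" * 5 + b"\xff"
WALL = b"".join([GRAY, GRAY, GRAY, RED, RED, GRAY, GRAY, GRAY])


def compare_modes(key: bytes, iv: bytes):
    """Return (distinct ECB blocks, distinct CBC blocks) for the sample wall.
    ECB yields exactly 2 (gray and red); CBC yields 8."""
    return (distinct_blocks(ecb_encrypt(key, WALL)),
            distinct_blocks(cbc_encrypt(key, iv, WALL)))


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)
    ecb, cbc = compare_modes(key, iv)
    print(f"ECB: {ecb} distinct ciphertext blocks out of 8 (the red region is still visible)")
    print(f"CBC: {cbc} distinct ciphertext blocks out of 8")
```

The two “distinct block” counts are the whole lesson: with ECB an observer who cannot read a single byte of plaintext can still see which blocks are equal, which is exactly the outline-on-the-wall problem. Modern AEAD modes such as AES-GCM avoid this in the same way CBC does here, while also authenticating the ciphertext.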

“We currently discourage the use of Zoom for use cases that require strong privacy and confidentiality,” the Citizen Lab report says, such as “governments concerned about espionage, companies concerned about cybercrime and industrial espionage, healthcare providers handling sensitive patient information” and “activists, lawyers and journalists working on sensitive topics”.

STATUS: unresolved. In an April 3 blog post, Zoom CEO Eric S. Yuan acknowledged the encryption issue, but said only that “we recognize that we can do better with our encryption design” and “we expect to share more on this front in the coming days.”

In Zoom’s announcement of its upcoming April 26 update to its desktop software, Zoom said it would upgrade its encryption implementation to a better format for all users by May 30.

Zoom software can be easily tampered with

Good software has built-in anti-tampering mechanisms to ensure that applications do not run code that has been modified by a third party.

Zoom has such anti-tampering mechanisms in place, which is good. But those anti-tampering mechanisms themselves are not protected from manipulation, a British computer student calling himself “Lloyd” said in an April 3 blog post.

Needless to say that’s bad. Lloyd showed how Zoom’s anti-tamper mechanism can be easily disabled or even replaced with a malicious version that hijacks the application.

If you’re reading this with a working knowledge of how Windows software works, this is a pretty damning passage: “This DLL can be trivially removed, invalidating the anti-tamper mechanism. The DLL is not pinned, which means an attacker from a third-party process can just inject a remote thread.”

In other words, malware already present on a computer could use Zoom’s own anti-tamper mechanism to tamper with Zoom. Criminals can also create fully working versions of Zoom that are modified to perform malicious acts.

STATUS: unresolved.

Zoom bombing

Anyone can “bomb” a public Zoom meeting if they know the meeting number, then use the screen-sharing feature to post shocking images or make annoying noises in the audio. The FBI even warned about it a few days ago.

The Zoom meeting host can mute or even remove troublemakers, but they can come right back with new user IDs. The best way to prevent Zoom bombing is to share Zoom meeting numbers only with the intended participants. You can also require participants to use a password to join the meeting.

On April 3, the US Attorney’s Office for the Eastern District of Michigan said that “anyone who hacks into a teleconference can be charged with state or federal crimes.” It’s not clear if that only applies to eastern Michigan.

STATUS: There are easy ways to avoid Zoom bombing, which we discuss here.

Leaks of email addresses and profile pictures

Zoom automatically places everyone who shares the same email domain in a “company directory” where they can see each other’s information.

Exceptions are made for people who use large webmail providers, such as Gmail, Yahoo, Hotmail or Outlook.com, but apparently not for smaller webmail providers that Zoom may not know about.

Several Dutch Zoom users using ISP-provided email addresses suddenly found themselves in the same “company” with dozens of strangers – and could see their email addresses, usernames, and user photos.

STATUS: Unresolved, but an April 19 Zoom software update for users of the Zoom web interface will no longer let users on the same email domain automatically search for each other by name. The Zoom desktop client software will receive similar fixes on April 26.

Sharing personal data with advertisers

Several privacy experts, some of whom worked for Consumer Reports, studied Zoom’s privacy policy and found that it apparently gave Zoom the right to use and share Zoom users’ personal data with third-party marketers.

After a Consumer Reports blog post, Zoom quickly rewrote its privacy policy, deleting the most disturbing passages and claiming that “we don’t sell your personal information.”

Status unknown. We don’t know the details of Zoom’s business dealings with third-party advertisers.

Open Zoom meetings can be found by “war dialing”

Open Zoom meetings can be found by rapidly cycling through possible Zoom meeting IDs, a security researcher told independent security blogger Brian Krebs.

The researcher got past Zoom’s meeting-scan blocker by running searches through Tor, which randomized the source IP address. It’s a variation on “war dialing”, the dial-up-era practice of dialing phone numbers at random to find open modems.

The researcher told Krebs that he could find about 100 open Zoom meetings every hour with the tool, and that “having a password enabled on the [Zoom] meeting is the only thing that bypasses it.”

Status unknown.

Zoom meeting chats don’t stay private

Two Twitter users pointed out that if you’re in a Zoom meeting and use the meeting chat to message another participant privately, that conversation will be visible in the transcript that the host receives at the end of the meeting.

Status unknown.

Resolved / fixed issues

Zoom flaw made account hijacking possible

A Kurdish security researcher said Zoom paid him a bug bounty — a reward for finding a serious flaw — for finding out how to hijack a Zoom account if the account holder’s email address was known or guessed.

The researcher, who calls himself “s3c” but whose real name may be Yusuf Abdulla, said that if he tried to log into Zoom with a Facebook account, Zoom would ask for the email address associated with that Facebook account. Next, Zoom would open a new web page to let him know that a confirmation email had been sent to that email address.

The URL of the notification web page would have a unique identifier tag in the address bar. As an example much shorter than the real thing, let’s say it’s “zoom.com/signup/123456XYZ”.

When s3c received the confirmation message from Zoom and opened it, he clicked the confirmation button in the body of the message. This took him to yet another web page that confirmed that his email address was now associated with a new account. So far so good.

But then s3c noticed that the unique identifier in the URL of the Zoom confirmation web page was identical to the first ID tag. Let’s use the example “zoom.com/confirmation/123456XYZ”.

The matching ID tags, one used before confirmation and the other after confirmation, meant that s3c could have avoided receiving the confirmation email and not clicking the confirmation button at all.

In fact, he could have entered ANY email address – yours, mine or billgates@gmail.com – in the original signup form. Then he could have copied the ID tag from the resulting Zoom notification page and pasted the ID tag into a pre-existing Zoom account confirmation page.

Boom, he would have access to any Zoom account created with the intended email address.

“Even if you’ve already linked your account to a Facebook account, Zoom will automatically unlink it and link it to the attacker’s Facebook account,” s3c wrote in his imperfect English.

And because Zoom shows everyone who uses a business email address all other users who are signed in with the same email domain, e.g. “company.com”, s3c could have used this method to steal ALL of a particular company’s Zoom accounts.

“So if an attacker creates an account with the email address attacker@companyname.com and verifies it with this bug,” writes s3c, “the attacker can view all emails created with *@companyname.com in the Zoom app in Company Contacts, so that means the attacker can hack into all of the company’s accounts.”

Zoom is lucky that s3c is one of the good ones and didn’t make this flaw public before Zoom was able to fix it. But it’s such a simple mistake that it’s hard to imagine no one else noticed it before.

STATUS: Solved, thank goodness.
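The root cause in the flow above is that the identifier shown in the browser before confirmation was the same secret that proved confirmation afterwards, so the emailed step could be skipped. The following is an added example of how a sign-up service avoids that, written for this article and not taken from Zoom or s3c’s write-up; the service class, method names and the one-hour lifetime are hypothetical. The page-level identifier and the emailed token are generated independently, only a hash of the emailed token is stored, and the token is single-use and time-limited.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # hypothetical one-hour lifetime for a confirmation link


def _token_hash(token: str) -> str:
    # Store only a hash of the emailed token, so a database leak does not
    # hand out usable confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()


class SignupService:
    """Hypothetical sign-up flow whose confirmation token is distinct from the
    identifier shown in the browser, single-use, and time-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # token hash -> (email, expiry timestamp)
        self.accounts = {}   # email -> confirmed account record

    def begin_signup(self, email: str):
        """Return (page_id, emailed_token). page_id may appear in the URL of
        the 'check your inbox' page; emailed_token goes only into the email.
        Knowing page_id tells you nothing about emailed_token."""
        page_id = secrets.token_urlsafe(16)
        emailed_token = secrets.token_urlsafe(32)
        self._pending[_token_hash(emailed_token)] = (
            email, self._clock() + TOKEN_TTL_SECONDS)
        return page_id, emailed_token

    def confirm(self, token: str):
        """Confirm the address for a valid, unexpired token. Returns the
        email on success, None otherwise. The token is consumed on first use
        either way, so it cannot be replayed."""
        entry = self._pending.pop(_token_hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        self.accounts[email] = {"email": email, "confirmed_at": self._clock()}
        return email


if __name__ == "__main__":
    svc = SignupService()
    page_id, token = svc.begin_signup("user@example.com")  # constructed sample address
    print("page id in the browser URL:", page_id)
    print("confirm with the page id   :", svc.confirm(page_id))   # None
    print("confirm with emailed token :", svc.confirm(token))     # user@example.com
    print("replay the emailed token   :", svc.confirm(token))     # None
```

The test of a correct design is the one s3c performed by accident: take whatever identifier the browser shows before confirmation and try to use it as the confirmation credential. Here that fails, and the real token only works once and only within its lifetime.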

Zoom removes meeting IDs from screens

Zoom has released updates to its Windows, macOS, and Linux desktop client software so that meeting IDs don’t appear on the screen during meetings. British Prime Minister Boris Johnson accidentally showed a Zoom meeting ID in a tweet and the Belgian cabinet made a similar mistake.

‘Potential Vulnerability’ with Zoom File Sharing

In an “ask me anything” webinar in early April, Zoom CEO Eric S. Yuan said that Zoom “discovered a potential file sharing vulnerability, so we disabled that feature.”

Until this week, participants in a Zoom meeting could share files with each other via the chat function of the meeting.

STATUS: resolved.

Zoom cryptographic keys issued by Chinese servers

Those AES-128 encryption keys are provided by Zoom servers to Zoom clients, and that’s all well and good, except that the Citizen Lab found several Zoom servers in China issuing keys to Zoom users even when all participants in a meeting were in North America.

Since Zoom servers can decrypt Zoom meetings and Chinese authorities can force Chinese server operators to transfer data, this implies that the Chinese government can see your Zoom meetings.

That must be bad news for the British government, which has held at least one cabinet meeting on Zoom.

STATUS: Apparently resolved. In an April 3 blog post, Zoom CEO Eric S. Yuan responded to the Citizen Lab report by saying that “it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this.”

Security flaw with waiting rooms for Zoom meetings

Zoom advises meeting hosts to set up “waiting rooms” to avoid “Zoom bombing”. A waiting room basically keeps participants on hold until a host lets them in all at once or one at a time.

The Citizen Lab said it found a serious security issue with Zoom waiting rooms and advised hosts and participants not to use them for the time being. The Citizen Lab is not releasing the details yet, but has informed Zoom of the error.

“We recommend that Zoom users who wish confidentiality not to use Zoom Waiting Rooms,” the Citizen Lab said in its report. “Instead, we encourage users to use Zoom’s password feature.”

STATUS: resolved. In a follow-up to their first report, the Citizen Lab researchers revealed that uninvited meeting attendees could still get the meeting encryption key from the waiting room.

“On April 7, Zoom notified us that they had implemented a server-side fix for the issue,” the researchers said.

Stealing Windows passwords

Zoom meetings have side chats where participants can send text messages and post web links.

But according to Twitter user @_g0dmode and Anglo-American cybersecurity training company Hacker House, Zoom didn’t differentiate between regular web addresses and another kind of external network link called a Universal Naming Convention (UNC) path until late March. That made Zoom chats vulnerable to attacks.

If a malicious Zoom bomber slipped a UNC path to a remote server he controlled into a Zoom meeting chat, an unwitting participant could click on it.

The participant’s Windows computer would then attempt to contact the hacker’s remote server specified in the path and automatically attempt to log in with the user’s Windows username and password.

The attacker could then capture the password “hash” and attempt to crack it, gaining access to the Zoom user’s Windows account.
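The defensive fix for the chat problem described above is in the rendering layer: a chat client should only ever turn http(s) URLs into clickable links, so a UNC path (or a file: URI) pasted into the chat stays inert text and can never start an SMB connection by being clicked. The snippet below is an added example written for this article, not Zoom’s code; the function names are hypothetical and the sample chat lines are constructed.

```python
import html
import re
from urllib.parse import urlparse

# Backslash UNC form, \\host\share\... (the form that was rendered as a link).
UNC_RE = re.compile(r"^\\\\[^\\/\s]+[\\/]")
# Only these schemes are ever turned into clickable links (allowlist).
CLICKABLE_SCHEMES = {"http", "https"}


def classify_chat_link(token: str) -> str:
    """Classify one whitespace-delimited chat token as 'clickable', 'unc' or
    'text'. Anything that is not an http(s) URL with a host stays inert text,
    so file:, smb: and bare UNC paths never become links."""
    if UNC_RE.match(token):
        return "unc"
    parsed = urlparse(token)
    if parsed.scheme.lower() in CLICKABLE_SCHEMES and parsed.netloc:
        return "clickable"
    return "text"


def render_chat_message(message: str) -> str:
    """Render one chat line to HTML: http(s) URLs become anchors, everything
    else is HTML-escaped text. UNC paths are wrapped in a marker span so the
    client can log or visually flag them for the host."""
    parts = []
    for token in message.split(" "):
        kind = classify_chat_link(token)
        escaped = html.escape(token, quote=True)
        if kind == "clickable":
            parts.append(f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>')
        elif kind == "unc":
            parts.append(f'<span class="blocked-unc">{escaped}</span>')
        else:
            parts.append(escaped)
    return " ".join(parts)


# Constructed sample chat lines, not real traffic.
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    r"try \\fileserver.example\share\notes.txt for the notes",
    "file:///C:/Users/Public/readme.txt",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(render_chat_message(msg))
```

The allowlist is the important design choice: a denylist of “\\\\” prefixes would miss the forward-slash UNC spelling and any other local-resource scheme, whereas refusing to linkify anything but http(s) needs no knowledge of what the operating system might do with the rest.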

STATUS: Yuan’s blog post states that Zoom has now fixed this issue.

Windows Malware Injection

Mohamed A. Baset of security firm Seekurity said on Twitter that the same file path error would also allow a hacker to insert a UNC path to a remote executable file in a Zoom chat room.

Baset posted a video showing that if a Zoom user on Windows clicked such a link, the user’s computer would attempt to load and run the software. The victim is asked for permission to run the software, which stops some attacks, but not all.

STATUS: If the UNC path issue has been fixed, this should be fixed too.

iOS profile sharing

Until the end of March, Zoom sent iOS user profiles to Facebook as part of the “Facebook login” feature in the iPhone and iPad Zoom apps. After Vice News revealed the practice, Zoom said it was unaware of profile sharing and updated its iOS apps to fix it.

STATUS: resolved.

Malware-like behavior on Macs

We learned last summer that Zoom was using hacker-like methods to circumvent normal macOS security measures. We thought that problem was then solved, along with the security flaw it caused.

But a series of tweets on March 30 from security researcher Felix Seele, who noticed that Zoom was installing itself on his Mac without the usual user authorizations, revealed that there was still a problem.

“They (ab) use pre-install scripts, manually extract the app using a bundled 7zip and install it in /Applications if the current user is in the admin group (no root needed),” Seele wrote.

“The application is installed without the user’s final consent and a very misleading prompt is used to gain root privileges. Same tricks used by macOS malware.” (Seele has written a more user-friendly blog post here.)

Zoom founder and CEO Eric S. Yuan tweeted a friendly response.

“Joining a meeting from a Mac isn’t easy, which is why Zoom and others use this method,” Yuan wrote. “Your point is well understood and we will continue to improve.”

UPDATE: In a new tweet dated April 2, Seele said Zoom had released a new version of the Zoom client for macOS that “completely removes the questionable ‘pre-install’ technique and fake password prompt.”

“I have to say I’m impressed. That was a quick and comprehensive response. Well done, @zoom_us!” Seele added.

STATUS: resolved.

A backdoor for Mac malware

Other people could abuse Zoom’s dodgy Mac installation methods, Mac security researcher Patrick Wardle noted in a blog post on March 30.

Wardle demonstrated how a local attacker – such as a malicious person or malware already installed – could use Zoom’s formerly near-magical ability to install itself without authorization to “escalate privileges” and take full control of the machine without knowing the administrator password.

Wardle also showed that a malicious script installed into the Zoom Mac client could give any piece of malware Zoom’s webcam and microphone permissions without asking the user for authorization, potentially turning any Mac with Zoom installed into a spying device.

“This gives malware the ability to record all Zoom meetings, or simply spawn Zoom in the background to access the microphone and webcam at random times,” Wardle wrote.

STATUS: Yuan’s blog post states that Zoom has fixed these shortcomings.

Other problems

Zoom promises to fix flaws

In a blog post on April 1, Zoom CEO and founder Eric S. Yuan acknowledged Zoom’s growing pains and promised that regular development of the Zoom platform would be delayed while the company worked to fix security and privacy issues.

“We recognize that we have failed to meet the privacy and security expectations of the community (and our own),” Yuan wrote, explaining that Zoom was developed for large companies with in-house IT staff who could set up and run the software.

“We now have a much broader base of users using our product in countless unexpected ways, which presents us with challenges that we did not expect when the platform was designed,” he said. “These new, mostly consumer use cases have helped us identify unforeseen issues with our platform. Dedicated journalists and security researchers have also helped identify pre-existing issues.”

To deal with these issues, Yuan wrote, Zoom would “perform a feature freeze, effective immediately, and shift all our technical resources to focus on our biggest trust, security, and privacy concerns.”

Among other things, Zoom would also “conduct a comprehensive assessment with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.”

Zoom now requires passwords by default for most Zoom meetings, although meeting hosts can disable that feature. Passwords are the easiest way to stop Zoom bombing.

And on April 8, Alex Stamos, former chief security officer of Facebook and Yahoo, said he would work with Zoom to improve security and privacy. Stamos is now an adjunct professor at Stanford and is highly regarded within the information security community.

Misleading end-to-end encryption claims

Zoom claims its meetings use “end-to-end encryption” if each attendee dials in from a computer or a Zoom mobile app rather than over the phone. But under pressure from The Intercept, a Zoom representative admitted that Zoom’s definitions of “end-to-end” and “endpoint” aren’t the same as everyone else’s.

“When we use the phrase ‘End to End’,” a Zoom spokesperson told The Intercept, “it refers to the connection being encrypted from Zoom endpoint to Zoom endpoint.”

Sounds good, but the spokesperson clarified that he counted a Zoom server as an endpoint.

Every other company thinks of an endpoint as a user device – a desktop, laptop, smartphone or tablet – but not as a server. And every other company uses “end-to-end encryption” to mean that servers that send messages from one endpoint to another cannot decrypt the messages.

When you send an iMessage from your iPhone to another iPhone user, Apple’s servers help the message get from one place to another, but they can’t read its content.

Not so with Zoom. It can see what’s going on in its meetings, and sometimes it needs to, to make sure everything is working as it should. Just don’t believe the implication that it can’t.

UPDATE: In an April 1 blog post, Zoom’s Chief Product Officer Oded Gal wrote that “We would like to begin by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”

“We recognize that there is a discrepancy between the generally accepted definition of end-to-end encryption and how we used it,” he wrote.

Gal assured users that all data sent and received by Zoom client applications (but not ordinary phone lines, business conferencing systems or, presumably, browser interfaces) is indeed encrypted and that Zoom servers or employees “do not decrypt it at any point before it reaches the receiving clients.”

However, Gal added, “Zoom currently maintains the key management system for these systems in the cloud” but has “implemented robust and validated internal controls to prevent unauthorized access to content users share during meetings.”

The implication is that Zoom does not decrypt users’ transmissions by choice. But because it holds the encryption keys, Zoom could if it had to, say, if it were served a warrant or a US National Security Letter (essentially a secret warrant).

For those concerned about government snooping, Gal wrote that “Zoom has never built a mechanism to decrypt live meetings for lawful interception purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”

He added that companies and other enterprises could soon handle their own encryption process.

“Later this year, a solution will be available that will allow organizations to use the Zoom cloud infrastructure but host the key management system within their environment.”

STATUS: This is a matter of misleading advertising rather than a genuine software bug. We hope Zoom stops misusing the term “end-to-end encryption”, but keep in mind that you won’t get the real thing from Zoom until it fully implements the technology it acquired with Keybase.

Recordings of Zoom meetings can be found online

Privacy researcher Patrick Jackson noted that Zoom meeting recordings stored on the host’s computer are generally given a certain type of filename.

So he searched unprotected cloud servers to see if anyone had uploaded Zoom recordings and found more than 15,000 unprotected recordings, according to The Washington Post. Jackson also found some recorded Zoom meetings on YouTube and Vimeo.

This isn’t really Zoom’s fault. It’s up to the host to decide whether to record a meeting, and Zoom gives paying customers the option to store recordings on Zoom’s own servers. It is also up to the host to decide whether to change the file name of the recording.

If you’re hosting a Zoom meeting and decide to record it, make sure to change the default file name after you’re done.

STATUS: This isn’t really Zoom’s problem, to be honest.

Source: tomsguide
