In a blog post, Zoom CEO Eric S. Yuan said the company will dedicate all of its engineering resources to fixing its “biggest trust, safety, and privacy issues.” The work will include a “comprehensive review” with third-party experts to “understand and ensure the security of all of our new consumer use cases.”
In other big moves, Yuan says the investigation will be backed up by a transparency report that lists requests for data, an enhanced bug bounty program, and a series of white box penetration tests — an approach that gives the tester full knowledge of the company’s infrastructure and application source code. In addition, Zoom has vowed to launch a CISO (chief information security officer) council with representatives from across the industry to “facilitate an ongoing dialogue regarding security and privacy best practices.”
To win back user trust, Yuan said today that Zoom will be initiating a “feature freeze” and will not ship any new feature until the current feature set is fixed and all of its security issues are addressed.
“We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies,” the blog post reads. “These are the questions that will make Zoom better, both as a company and for all its users. We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can.”
This understatement comes on the back of almost unimaginable growth. Yuan says the number of free and paid users on Zoom daily rose from 10 million in December to 200 million in March, by far the biggest uptake among options that include Skype, Teams, and Google Hangouts. It has supported everything from working from home to online yoga and has been a business lifeline for industries including music and fitness.
As The Intercept reports, Zoom calls can’t be secured with end-to-end (E2E) encryption — even though the company’s website clearly states they can.
In a blog post, Patrick Wardle, principal security officer at Jamf and a former NSA hacker, revealed two Mac vulnerabilities yesterday that relied on the attacker having physical access to the user’s machine. In today’s blog post, Yuan said Zoom fixed both issues within 24 hours.
Zoombombing has also affected houses of worship as reported in Religion News Service. These disturbing disruptions reportedly affected both internal meetings and streamed worship services.
As reported in The Verge, according to Felix Seele, technical lead at malware tracker VMRay, Zoom’s Mac installer uses pre-installation scripts and then, undetected by the user, displays a faked system message to confirm what has already happened behind the scenes. “This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste,” he tweeted on March 30th. “The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges.”
As reported in Vice, the company also had to update its iOS app last week to remove code that reportedly sent data to Facebook, including the user’s time zone and city, basic details about their device, and when they opened the app.
As Vice reports, Zoom is having problems with its Company Directory, too, and with the way it groups contacts, co-mingling professional and personal contacts.
Finally, you’ve heard of “Zoombombing.” It’s one of the many inevitable pranks of quarantine but reveals a much more serious problem. Bombers guess a Zoom conference ID number (not hard to do if you’ve used Zoom at all) and then, through screen sharing, mob the meeting. Zoom has addressed this problem for educational users by restricting screen sharing to the host by default, too late to prevent it from happening to schools on remote learning programs. For the average consumer, however, the option still has to be enabled manually.
This is only the latest rash of scary problems for Zoom’s security underpinnings.
If you recall, last year, Apple removed a hidden Zoom web server that made it easier for Safari users on Mac to join a meeting. Security researcher Jonathan Leitschuh had written on Medium that he found a vulnerability earlier in the week that meant any site could theoretically start a Zoom conference call that automatically turned your webcam on. Zoom eventually removed the web server, but Apple was so worried that it issued a silent update to all Mac users, just to be on the safe side.