I keep reading news stories about how terrible Zoom is from a security and privacy standpoint. I host a weekly video call, and I’d like to use Zoom since everyone loves it, but should I be concerned about the issues recently uncovered, at least for my own use of Zoom? In this post I’m going to cover the various recent issues (using CNET’s recent article for a list of issues), and give my thoughts on each, focusing on how it matters in my own usage of Zoom.
TLDR: Zoom has made some security and privacy missteps, but these issues won’t be of serious concern to the average user. Be sure to use a password on your meetings and only share the meeting link with people you trust. That said, given the number of recently discovered issues, there may be other problems lurking in Zoom’s code, so take note of new issues as they are reported.
Recent Zoom Issues
- Zoombombing and Zoomraids - Troublemakers like to jump into Zoom calls and do bad stuff. This is less a Zoom issue and more a basic internet security issue. If you share a link to the world then bad people might click that link! This isn’t an issue if you password protect your Zoom calls and only share meeting URLs with people you trust. Plus, the person hosting the meeting has additional controls in terms of who to allow in the meeting, who can share content, etc. - use those features!
- Automated tool can find Zoom meetings - Someone wrote a tool that can generate valid Zoom meeting IDs, making it easier for people to Zoombomb. Zoom should probably make their meeting IDs harder to guess, but again, password protect your meetings, and this won’t be an issue.
- Zoom shares user contact info - Sometimes Zoom treats email domains as company directories, and shares user info among users with the same domain. I think this is a poor design! I’m surprised this was ever released. That said, for me personally, it is a non-issue since my email address is on a well-known email domain and is excluded from the “feature.” Still, I’d like to see Zoom remove this capability.
- Facebook data sharing on iOS - In their iOS app, Zoom previously relied on the Facebook SDK to allow users to sign in with their Facebook account. This had a side effect of the app sharing certain device details to Facebook. I understand that people do not trust Facebook at all, but for my own usage of Zoom I’m not terribly concerned. Plus, Zoom has issued a fix for this.
- Lack of true E2E encryption - This is a bad marketing move, with Zoom apparently saying they support end-to-end encryption when they really don’t. I never expected E2E encryption in Zoom, and the encryption which Zoom uses is good enough for me. See Zoom’s clarification on their encryption.
- Calls routed through China - This was apparently a temporary misconfiguration on Zoom’s end where non-Chinese users had calls that connected to Zoom servers in China. Not great, but also not terribly alarming for me.
- Zoom accounts found on the dark web - It is unclear where the leaked account info originated. I suspect that the accounts were compromised by the usual methods (password re-use, phishing, etc.). If it came to light that Zoom is leaking account credentials that’s a much bigger concern.
- Recorded Zoom videos on the web - Some people record their Zoom meetings and upload them to a non-secure location on the web. Yeah, don’t share your private recordings on the public web! I almost didn’t mention this one, as it is clearly user error, but I included it since news sites are reporting on it.
- LinkedIn data-mining feature - Zoom matched users to LinkedIn profiles under certain circumstances. I can see how this one is concerning, although given the audience of my Zoom meetings, it wasn’t an issue. Zoom has issued a fix for this.
- Windows password theft - Zoom was converting UNC paths to clickable hyperlinks in chat. If a malicious user was in your chat, and that user posted a UNC path to an internet location, and you clicked that link, then they could steal your Windows username and password hash. Common sense: don’t click hyperlinks to untrusted servers (especially UNC links) from random users! Don’t ever do this, not just in Zoom! Also, don’t let untrusted users into your Zoom chats. Zoom has issued a fix for this.
- Mac privilege escalation to root - A local unprivileged attacker may be able to escalate their privileges to root (details). That’s bad, but at least this is a local security issue - the attacker has to already have a foothold on the system. My personal take: I don’t use a Mac, but maybe some of the people in my calls do. Zoom has issued a fix for this.
- Mac webcam vulnerability - On a Mac, a local attacker can inject code into the Zoom process and leverage Zoom’s mic and camera access. That’s bad, but at least this is also a local security issue - the attacker has to already have a foothold on the system. Zoom has issued a fix for this.
Keep using Zoom?
When I look at these issues individually, none of them are a deal breaker for me. If you’re running the current version of the Zoom app, the fixes mentioned above should be automatically installed. Zoom is easy to use and people have quickly picked it up. I plan to keep using Zoom.
However, looking at these issues in aggregate does worry me. It would seem that Zoom has not historically focused on privacy and security, and so I’m concerned about what else may be lurking their code. I’m going to keep using Zoom for now, while keeping an eye on new issues as they arise.
To Zoom’s credit, they are taking 90 days to fix issues and pause feature work. I wish their engineering team success.
I’m primarily looking at these issues from a consumer perspective. If you are using Zoom in a business scenario, particularly one where confidential information is shared, your evaluation criteria will differ. If your company already has an approved solution for video conferencing - use it!