Security News

Zoom has nixed a feature that came under fire for "Undisclosed data mining" of users' names and email addresses, used to match them with their LinkedIn profiles. Zoom founder Eric Yuan said in a Wednesday post responding to the concerns that Zoom will freeze the development of its features and instead focusing on security and privacy issues.

According to data gathered by a new automated Zoom meeting discovery tool dubbed "zWarDial," a crazy number of meetings at major corporations are not being protected by a password. Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day.

Security researchers discovered recently that the Zoom video conferencing app is affected by vulnerabilities that can be exploited to spy on users, escalate privileges on the system, and capture Windows credentials. "At Zoom, ensuring the privacy and security of our users and their data is paramount. We are aware of the UNC issue and are working to address it," a Zoom spokesperson told SecurityWeek via email.

Malicious, re-packaged versions of the Zoom video conferencing application are targeting work-from-home Android users with adware and Trojans, Bitdefender reports. One type of attack, Bitdefender reveals, involves the use of re-packaged Zoom clones that are being distributed via third-party markets.

UPDATE. Two zero-day flaws have been uncovered in Zoom's macOS client version, according to researchers. The two flaws, uncovered by Patrick Wardle, principle security researcher with Jamf, emerge as Zoom comes under increased scrutiny over its security measures, particularly with more employees working from home over the past few weeks due to the coronavirus pandemic.

That's a good thing because miscreants hijacking unprotected Zoom calls is a thing. When we say end-to-end.... Despite Zoom offering a meeting host the option to "Enable an end-to-end encrypted meeting," and providing a green padlock that claims "Zoom is using an end to end encrypted connection," it appears that the company is able to access data in transit along that connection, and can also be compelled to provide it to governments.

Collaboration platform Zoom has seen usage skyrocket since the COVID-19 pandemic forced hundreds of thousands of workers to begin telecommuting. Zoom has been the subject of privacy concerns before; the video conferencing software experienced a webcam hacking scandal in 2019 and a bug that allowed uninvited users to potentially join meetings they hadn't been invited to, according to CNET. Here are a few things to keep in mind when using Zoom, especially for work-related functions.

"While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices," according to the letter obtained by the New York Times. The potential security issues that Zoom's facing are myriad. Already, numerous reports have emerged of threat actors hijacking Zoom meetings and upending them with hate speech, threats of sexual harassment, and pornographic images.

Earlier this month, articles on Mashable, EFF, Forbes, and Consumer Reports, among others, heavily criticized Zoom for not ensuring that users' privacy is well protected, which encouraged web veteran Doc Searls to have a look into the matter as well. EFF too pointed out that Zoom hosts could monitor attendees' activity while screen-sharing, could see whether a participant has the Zoom window in focus or not, and that administrators can view "How, when, and where users are using Zoom," and can access the contents of recorded calls, including "Video, audio, transcript, and chat files."

Zoom has removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage. In a Friday post, Zoom that it has now removed the "Login with Facebook" software development kit for iOS, which was the feature tied to the data sharing: "Our customers' privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client, and have reconfigured the feature so that users will still be able to log in with Facebook via their browser," according to Eric Yuan, founder of Zoom.