Can Zoom slip on its own success? Too many privacy concerns

Zoom skyrockets during stay-home period counting up to 200 million users worldwide

The Zoom video conference app reached enormous popularity, which exposed the weakest side of the company - privacy protection

Zoom by Nasdaq[1], a software-based conference room solution, has exploded onto the market this year, increasing its popularity by over 90% and gaining worldwide user recognition. Skyrocketing popularity across the U.S. and enormous numbers of app downloads for iOS, Android, Windows, and Mac devices allowed Zoom to top the chart of the most popular apps of 2020.

Zoom was developed in 2011 and has since made its way to the market at a slow pace. It is presented as a conference room solution allowing video and audio collaboration, chats, webinars, conferences, training rooms, and whatnot.

In comparison to other video conference apps, Zoom exhibits a user-friendly interface, zero bugs, and a spam-free environment. The clearest contrast to Zoom would be Skype[2], which was the number one app for videos and chats not so long ago. Zoom is easy to integrate as it features:

  • Microsoft O365 Add-in
  • Outlook PC/Mac Plugin
  • Firefox Add-on
  • Chrome Extension
  • Gmail Add-on
  • Safari extension

In other words, the user doesn't have to be IT savvy to join or host a meeting. Signing up with an email and password is required, though login via SSO (company domain), Google, and Facebook is also available. Limited functionality is available for free and is usually used by regular PC users. However, business users require a paid Zoom version to get extra features and advantages.

  • One-on-one meetings: one-on-one meetings are unlimited with the free plan. You can share the screen with the other participant for free as well. The free plan allows users to host a conference of up to 40 minutes and invite up to 100 participants.
  • Group video conferences: Zoom meetings can handle up to 500 participants, though such huge conferences require a paid version of the app in the form of an add-on.

The app has received multiple awards since 2015, including Reader’s Choice Awards Winner in 2019 and One of Inc. Magazine’s Best Workplaces for 2020.

Having listed most of the Zoom pros, it's more or less clear why the app went rampant as soon as people were obliged to stay home during the COVID-19 pandemic. With the first outbreaks of the Coronavirus (COVID-19) pandemic in early 2020, people across the world gradually shifted to remote work from home. The largest shift was registered at the end of March 2020, when countries across the globe officially declared quarantine and closed open space offices, schools, universities, businesses, and so on. Bernstein Research and Apptopia research[3] revealed that the app downloads increased 30x, spiking to 200 million users in March from 10 million in December.

Is the company able to handle the influx?

With millions of Americans and Europeans joining the trend toward social distancing and stay-at-home mode due to the coronavirus pandemic, the demand for social conferencing services such as Zoom reached unseen heights. As we have pointed out above, the users of this app increased from 10 million to 200 million within the span of four months, resulting in partial outages, connectivity issues, degraded audio and video quality, and similar problems. As the Basecamp founder David Heinemeier Hansson[4] commented on the situation:

“Any piece of software can have security issues […] Usage of Zoom has ballooned overnight, far surpassing what we expected.”

In fact, no one doubts that Zoom's team is going to handle performance issues quite easily. However, the massive influx and popularity are double-edged, i.e. the app has become a target of cybersecurity experts who are actively attacking the company with accusations of privacy breaches and inconsistencies. The following issues are most widely escalated:

  • A Zoom vulnerability that could force Mac users with the Zoom app installed to participate in a meeting with an automatically activated camera;
  • Check Point[5] revealed a flaw allowing hackers to generate active ID numbers (typically composed of 9, 10 or 11 digits), which can subsequently be used to join meetings that hadn't enabled the “Require meeting password” option. According to researchers' predictions, approximately 4% of IDs might have been randomly generated, pointing to the scandalous “Zoombombing” phenomenon, when pranksters get into a meeting and display porn or whatever they want.
  • An iOS scandal that forced Zoom to rewrite major parts of the app's Privacy Policy. It has been revealed that the Zoom iOS app was programmed to send data (device’s model, app version, and cellphone service carrier) to Facebook via a software development kit, or SDK.
  • Later on, The Intercept[6] reported on false claims that Zoom makes about its meetings. According to the company, meetings are “end-to-end encrypted,” meaning that only the communicating users can read the message or view the conversation. However, it turned out that meetings can be monitored by Zoom, except for text chats in those meetings.
  • The automatic association of registered users with their LinkedIn accounts has been disapproved of. Zoom enabled this feature believing it to be valuable, since during the Coronavirus pandemic the app has been used mainly in the business sector. Thus, allowing quick access to LinkedIn profiles may be of high importance, especially for employers and employees.

Although this list of Zoom's privacy issues is not exhaustive, the above-mentioned problems are the major and most sensational ones. Some of them have already been mitigated by the company and the others are currently being resolved. However, the company is already facing lawsuits for violating California’s Consumer Privacy Act and disclosing personally identifiable information to third parties. While the investigation is pending, it's not clear if Zoom will become the victim of its own success or not.

Despite the various security and privacy updates that Zoom now keeps releasing to mitigate all flaws, the FBI[7] issued several public statements urging home and business users to ban Zoom to prevent Zoombombing and leaks of sensitive information that can happen due to a Zoom hack.

Following the FBI's statements, the Zoom video conference software has already been banned by SpaceX, New York City's Department of Education, UK's Ministry of Defence (MoD), The US Senate & Germany's Foreign Office, Taiwan, and others.

Is it safe to use Zoom after all?

Zoom CEO Eric Yuan is positive about the whole situation, though he admits that there were multiple flaws in the Privacy Policy of the app and claims that those “missteps” will be reviewed and fixed ASAP. Besides, he highlights the point that:

“Our service was built to serve business and enterprise customers. However, due to this COVID-19 crisis, we moved too fast.”

Nevertheless, privacy and security issues are of the utmost importance in this 21st century digital world, so no excuses are accepted in this case. Instead, users expect quick fixes before they decide to ban Zoom as well.

However, Check Point[8], one of the first teams of researchers to find Zoom's security flaws, says that Zoom is safe to use. Still, some precautionary measures have to be taken to protect ourselves from Zoombombing or data leaks.

  • First of all, users should keep the Zoom app up to date. The company is actively releasing updates that mitigate flaws and implement security-related changes.
  • Use a strong login password. According to experts, Zoombombing was carried out on meetings that were not protected by a password. Note that Zoom has already implemented modifications so that all scheduled meetings are automatically protected by a password. Besides, be very careful with Zoom URL addresses and make sure they are sent to the right recipient.
  • Manage the participants during the meeting. If you see a participant who is about to share the screen and display offensive content, you can always select the “Manage Participants” option and disable the camera and microphone of the offender.
  • Zoom allows recording a meeting and sharing the recorded video file. This fact is worrisome because, in case of a hack, the whole conversation can be transmitted to third parties and used for whatever reasons. To prevent this from happening, the meeting's host should always decide which participants will be allowed to record and set the “Allow record” option for those people only.

Since the COVID-19 virus hasn't been defeated yet and the stay-home period keeps going, Zoom maintains its position for a reason. Despite the privacy and security weaknesses, many consider the app too handy to be banned. Taking the precautionary measures listed above will help to maintain your privacy and security, allowing people to gather for classes, lessons, virtual nights, birthday parties, or business conferences.

About the author
Lucia Danes - Security researcher

Lucia Danes is the news editor at UGetFix. She is always on the move because her eagerness for knowledge makes her travel around the globe and attend InfoSec events and conferences.


References