As countless people are confined to their homes amid efforts to contain the COVID-19 pandemic, the popularity of videoconferencing software for work, education and leisure is exploding. Of all such communication tools du jour that were suddenly thrust into the limelight, probably none stands out as much as Zoom.

The skyrocketing demand among people and businesses alike has helped reveal a rash of privacy and security challenges facing the platform, which is now used even for daily meetings of the UK Government (though, interestingly, the UK Ministry of Defence forbids its employees from using the app).

The app’s maker is weathering a storm of criticism from various quarters, including privacy advocates, security experts, several U.S. state attorneys general, a U.S. lawmaker, and the FBI. Bad news has kept piling up in recent days, prompting the company to respond.

The firm’s founder and CEO Eric S. Yuan apologized for the issues and outlined measures to beef up Zoom’s security and privacy. He also announced a 90-day feature freeze, adding that the company was shifting all its engineering resources to “focus on our biggest trust, safety, and privacy issues”.

Here’s a rundown of five of the key issues Zoom has had to address since last week:

•    Zoom’s privacy policy failed to mention that the iOS version of the its app was sending analytics data to Facebook even when the users don’t have a Facebook account, according to a Vice report last week. The company acknowledged the issue and removed the Facebook Software Development Kit (SDK) for iOS. Zoom is still facing a class-action lawsuit in California over the practice.

•    Despite claims to the contrary, the app’s video and audio meetings don’t support end-to-end encryption, according to research by The Intercept. Zoom later apologized and clarified that it uses transport encryption known as TLS. The key difference is that the latter doesn’t put users’ communications out of the company’s reach.

•    The app was also found to contain several security vulnerabilities, though they were all fixed in short order. Its Windows client was found susceptible to a UNC path injection flaw that could expose people’s Windows login credentials and even lead to the execution of arbitrary commands on their devices. Two more bugs, this time affecting Zoom’s MacOS client, could have enabled a local attacker to take control of a vulnerable computer.

•    The company has also dropped Zoom’s ‘attendee tracking’, a feature that made it possible for a meeting’s host to check whether the participants were actually paying attention when the host was in screen-sharing mode.

•    The FBI has released a warning against a phenomenon dubbed "Zoom-bombing" following multiple reports that trolls and pranksters invaded private meetings and school classes to display disturbing images.

The issues could have affected a vast number of people, as the platform saw a surge from 10 million to 200 million daily users over the past three months. By Yuan’s own admission, Zoom has been overwhelmed by its own unforeseen success.

“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he said.

How to stay safe

Even in this remote-work era (and not only when it comes to videoconferencing), we shouldn’t overlook the privacy and security side of things. No matter how slick and feature-rich any software is, it may bring new threats, and with them come added responsibilities. The most effective measures you can take to protect your security and privacy when using Zoom include:

•    Password-protecting your meetings and/or vetting meeting participants with the help of Zoom’s ‘Waiting Room‘ feature.
•    Limiting screen sharing to the host.
•    Running Zoom’s latest version.
•    Refraining from sharing links or meeting IDs on social media.
•    Indeed, consider using meeting IDs rather than links when inviting other participants, as there’s been a surge in malicious Zoom-themed domains that seek to capitalize on the app’s unexpected success.


About the author

Tomas Foltyn is a security writer at Eset, a global provider of IT security products.