Due to widespread self-isolation and quarantine, the Zoom video conferencing application has gained unprecedented popularity. However, along with popularity came many problems for Zoom's developers; for example, today Google forbade its employees to use Zoom. Last week, NASA and SpaceX banned their employees from using the Zoom video conferencing application, as it has significant security and privacy issues.
The fact is that the application has recently been severely criticized by the media and information security experts.
For example, it was noticed that the application sent information to Facebook, was misleading about end-to-end encryption, and did not explain why it collects information about users at all.
In addition, users reported that hundreds of strangers appeared in their contact lists due to a bug, and experts found that the Zoom Windows client converts UNC paths into links, while Zoom for macOS allows a local attacker or malware to get root privileges.
In addition, with the increasing popularity of Zoom during the pandemic, more cases were registered in which cybercriminals distributed malware through fake Zoom domains.
However, as it turned out, NASA and SpaceX were just the first of many. BuzzFeed reports that Google has now taken similar measures regarding Zoom: the company will block Zoom from working on computers and smartphones provided to employees.
“We have not allowed our employees to use unapproved applications for work outside the corporate network for a long time. Recently, our security team informed employees using Zoom Desktop Client that it would no longer work on corporate devices, as it did not meet our application security standards. Employees who used Zoom to keep in touch with family and friends can continue to do this through a browser or mobile phone,” Google told The Verge reporters.
Other corporate users are also distancing themselves from Zoom: for example, in Taiwan, government officials were forbidden to use Zoom, since application traffic passes through servers in China. And in schools in New York, teachers were encouraged to “gradually abandon Zoom” in favor of other services for video conferencing.
In response, Zoom developers are hastily taking the following measures:
- They reported that they had already fixed a number of problems discovered by experts: in particular, the developers apologized for the confusion around E2E encryption, removed from Zoom the creepy function that allowed tracking users’ attention, and also got rid of the code that merged LinkedIn and Facebook data.
- Also, the company said that they would stop the development of the application for 90 days, and would fully focus on improving its security, as well as conduct an audit involving third-party specialists.
- Yesterday, on April 8, 2020, the company announced that it had already formed a CISO council, and also created an advisory council for cooperation and exchange of ideas on how to solve Zoom’s current security and privacy problems. It includes CISOs from VMware, Netflix, Uber, Electronic Arts and other large companies.
- Zoom also recruited Alex Stamos, the former head of Facebook security, as an advisor; he will help with a comprehensive analysis of the platform’s security.
Additionally, work continues on fixing various bugs and vulnerabilities. For example, to improve privacy, the Meeting ID, which used to be displayed directly in the application header, was finally removed from the Zoom interface.
The problem was that many companies and users disclosed these IDs and even passwords by accident, posting screenshots of their meetings on social networks. For example, British Prime Minister Boris Johnson shared the ID of the meeting of the British cabinet, while members of the Belgian parliament accidentally revealed the identifier and password by posting a screenshot of the meeting of the Defense Committee.