Video conferencing apps are witnessing an unprecedented traffic surge as more people resolve to work from home due to the Coronavirus pandemic.
Surprisingly, Zoom appears to be doing way better than other video chatting apps such as Skype or Google Hangouts. However, the same spotlight is also revealing security and privacy lapses in the Zoom app.
Zoom misleads users about end-to-end encrypted meetings
Zoom meetings are not end-to-end (E2E) encrypted, as its official website and security white paper claim. Instead, the app uses regular TLS encryption, the same encryption web browsers use to secure HTTPS websites.
End-to-end encryption means no one can read the content shared between users, not even the company. WhatsApp and Telegram are two popular messaging apps that use E2E encryption.
Zoom’s spokesperson told The Intercept, “It is not possible to enable E2E encryption for Zoom video meetings.” Zoom also denied misleading users, claiming that E2E, for them, is “in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.”
Zoom leaks users’ data to strangers
Zoom has leaked email addresses and photos of over one thousand people, which could lead to strangers video calling the victims.
The issue stems from Zoom’s “Company Directory” setting, Motherboard reports. The option adds people to a user’s list of contacts if they sign up “with an email address that shares the same domain.”
The feature is intended to help colleagues find people within the same company. However, users who signed up with private emails reported that Zoom has shared their contacts with strangers.
Last week, Zoom was found sending private data to Facebook without users’ consent. While the company fixed the issue after the uproar on the Internet, the app still stores the user’s data “to improve its service.” This includes IP addresses, OS details, and device details, the company told The Intercept.
Zoom macOS installer is “Shady.”
Now that millions are using Zoom, it is also being analyzed for possible security loopholes. Felix, a malware tracker at VMRay, discovered that the Zoom macOS installer evades Apple security mechanisms to get root privileges.
This is not strictly malicious but very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.
— Felix (@c1truz_) March 30, 2020
He tweeted that the Zoom installer uses preinstallation scripts and displays a misleading prompt to get root privileges. While this is not malicious in nature, it certainly puts the app in a bad light.
Zoom makes Windows users vulnerable to credentials leak
A security researcher discovered that a flaw in the Zoom Windows client could allow hackers to steal users’ Windows credentials, reports Bleeping Computer.
@_g0dmode found the problem in Zoom’s chat feature, where the app converts Windows networking UNC paths into a clickable link when sent as a chat message.
When a user tries to open the link, Windows automatically uses the SMB file-sharing protocol and sends the user’s login name and NTLM password hash, which can be easily cracked.
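One way a chat client could avoid this behaviour, shown as an added example that is not Zoom's code or its fix: render messages with a scheme allowlist so that only http(s) URLs become links, and flag UNC paths and `file://host/...` URLs for review. The function names, host names and sample messages are constructed for illustration.

```python
import html
import re

# \\host\share... (either separator); the lookbehind skips the "//" inside scheme://
UNC_RE = re.compile(r'(?<![\w:/\\])[\\/]{2}(?P<host>[^\s\\/?]+)[\\/][^\s\\/]+\S*')
# file://host/... names a remote host (Windows maps it to \\host\...);
# file:///C:/... has an empty host and is not matched
FILE_RE = re.compile(r'file://(?P<host>[^\s\\/]+)[\\/]\S*', re.IGNORECASE)
# Allowlist: only these schemes are ever turned into clickable links
HTTP_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def find_remote_paths(message):
    """Return (kind, host) for each reference that would make Windows contact a host over SMB."""
    hits = [(m.start(), "unc", m.group("host")) for m in UNC_RE.finditer(message)]
    hits += [(m.start(), "file-url", m.group("host")) for m in FILE_RE.finditer(message)]
    return [(kind, host) for _, kind, host in sorted(hits)]


def render_chat_message(message):
    """HTML-escape a chat message, linking only http(s) URLs."""
    out = []
    for token in re.split(r'(\s+)', message):
        safe = html.escape(token, quote=True)
        if HTTP_RE.fullmatch(token):
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            out.append(safe)  # UNC paths and file:// URLs stay inert text
    return "".join(out)


# Constructed sample messages; host names are placeholders.
SAMPLES = [
    r"notes are at \\fileserver.example\share\notes.txt",
    "open file://fileserver.example/share/notes.txt please",
    "agenda: https://example.com/agenda?id=1&v=2",
    "local file:///C:/Users/me/notes.txt",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(find_remote_paths(s), "->", render_chat_message(s))
```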
All of these loopholes make it evident that the Zoom app isn’t the best video conferencing app, at the very least. That being said, there is no denying that its intuitive interface and the convenience it offers are the reasons the app is getting popular in the first place.
But we can’t ignore the security and major privacy issues either. For now, we think it’s best to uninstall Zoom and try out a few alternatives.