Video conferencing app Zoom has been in news off lately owing to its exponentially growing popularity amid the Covid-19 lockdown. This prompted a spotlight on its privacy and security issues.
Now, the company has apologized for the safety issues that users were facing on its platform. The company also announced a series of measures that it was taking in the coming days to mitigate them.
Zoom founder and CEO Eric S Yuan in a blog post explained that the company had designed the app primarily for enterprises with full IT support.
Our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.
However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.
Zoom was becoming a popular choice for people working from home and self-isolating when the app was found to be sending iOS users’ data to Facebook without their knowledge. Zoom, however, patched the issue soon after the discovery and refused any such activity.
Just weeks after, a few security researchers found a bunch of other vulnerabilities in the app.
The first flaw was discovered related to the apps UNC paths. Per the researchers, the Zoom on Windows is converting networking UNC paths into a clickable link in the chat message. Essentially, this means, that the Windows version of the app is allowing hackers to capture Windows passwords.
Besides that, Zoom app on Mac, there are two distinct loopholes, which can allow an attacker to can gain access to the computer once exploited and install malware or spyware, without letting users know about the backdoor entry. Apparently, this loophole comes via the installer for the app, which can easily be injected with malicious codes.
Another bug was discovered in the Mac client, that could allow an attacker to inject malicious code to access the webcam and microphone of the system.
Yuan apologised for “falling short” on security issues and promised to address concerns.
“For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus…we recognize that we have fallen short of the community’s – and our own – privacy and security expectations.
For that, I am deeply sorry, and I want to share what we are doing about it,”
Apart from apologizing, Yuan also shared the steps that Zoom was taking to mitigate the issues with its platform. For starters, he announced a feature-freeze for coming 90 days during which time the company would shift all its “engineering resources to focus on our biggest trust, safety, and privacy issues.”
In addition to that, Zoom will also conduct a comprehensive review with third-party experts, prepare a transparency report and enhance its bug bounty program among other things. Starting next week, the Zoom CEO will also be hosting a weekly webinar to “provide privacy and security updates to our community.”
Over the next 90 days, Zoom say that they will be dedicating the resources needed to better identify, address, and fix issues proactively. Yuan reiterated that the company are committed to being transparent throughout the process.
Steps that Zoom are to take
- Enacting a feature freeze, effectively immediately, and shifting all engineering resources to focus on their biggest trust, safety, and privacy issues.
- Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of new consumer use cases.
- Preparing a transparency report that details information related to requests for data, records, or content.
- Enhancing the current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
Yuan also added that starting next week he will host a weekly webinar on Wednesday to provide privacy and security updates to the community.
