Widely used video-conferencing app Zoom apologises for security flaws, and promises to improve both safety and privacy going forward
Popular video conferencing app Zoom has apologised for security flaws and promised it will concentrate on safety and privacy issues going forward.
In a blog, chief executive Eric Yuan said that Zoom recognized “that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”
The British government, for example, held its first-ever video-conferenced Cabinet meeting on Tuesday of last week, and last Thursday Prime Minister Boris Johnson tweeted a photo of himself using the application, in which a meeting ID was visible.
Earlier this week the British government pushed back amid criticism from some quarters over its use of Zoom. It said Zoom was used as many ministers were self-isolating at home, with no access to official government video conferencing systems.
But Zoom has been plagued with concerns about its use for governmental business.
In July of last year researchers disclosed a zero-day flaw in the Mac Zoom client that could have allowed attackers to switch on a user’s webcam if they had Zoom installed.
The flaw was first reported to Zoom in March and the company took several months to resolve the issue – a response that experts damned as “lax”.
Security researchers also discovered that earlier versions of the app used to send analytics data to Facebook without making this clear to users.
Also, the app does not use end-to-end encryption, despite claims that it did; and the software reportedly sometimes exposes people’s email addresses and photos to strangers.
But now the boss of Zoom has confirmed that the company will take steps.
“During this time of isolation, we at Zoom feel incredibly privileged to be in a position to help you stay connected,” blogged Eric Yuan. “We also feel an immense responsibility. Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February.”
He said that daily usage quickly expanded from 10 million users a day to over 200 million.
“For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus,” said Yuan. “However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”
He explained that the app was designed for enterprises, but with self-isolation during the Coronavirus pandemic Zoom “now [has] a much broader set of users who are utilising our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
“We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies,” he said. “We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can.”
Yuan explained that the firm had already implemented measures to help users address incidents of harassment (or so-called “Zoombombing”) on its platform.
It has also removed the “Facebook SDK in our iOS client and [has] reconfigured it to prevent it from collecting unnecessary device information from our users.”
It has also sought to clarify confusion surrounding the level of encryption it offered.
Yuan then explained how Zoom will take action to address concerns.
He said that over the next 90 days, it will dedicate the resources needed to better identify, address, and fix issues proactively.
To that end, it is enacting a feature freeze, effective immediately, and shifting all its engineering resources to focus on its biggest trust, safety, and privacy issues.
It has also pledged to undertake a “comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.”
It will then prepare a transparency report, and will also enhance its current bug bounty program.
At least one security expert has warned about the risks associated with a workforce having to access corporate systems remotely.
“Millions of employees working remotely around the globe are turning to video conferencing to satisfy business and social commitments,” explained Chris Hodson, CISO at Tanium.
“But such an influx of users will always attract attention from security researchers and malicious actors who are discovering vulnerabilities on high-traffic platforms, albeit for starkly different purposes,” said Hodson.
“The raft of personal devices that employees are now using to do their jobs from home is one of the biggest vulnerabilities in a company’s network,” he said. “While corporations quickly shifted to accommodate remote work, few have incorporated employees’ laptops, tablets and mobiles into their patch management programs, which could leave corporate data exposed. Even the least sophisticated attack can take advantage of these unsecured endpoints and the apps that they run.”
“For businesses to operate safely, they need clear oversight of all devices plugged into their networks,” said Hodson. “However, many businesses still struggle with full visibility of their computing devices. Our latest research shows that more than 70 percent of IT leaders are finding unknown computing devices every week. And it’s impossible to protect what you can’t see.”
“The truth is that without a comprehensive view of everything that is happening in their IT estate, businesses will continue to have visibility gaps and keep finding out about these vulnerabilities the hard way,” he concluded.