Zoom - banal negligence or targeted espionage?



In the midst of a period of self-isolation, the well-known American conferencing application Zoom, whose popularity has grown twentyfold over the past month thanks to the mass shift to remote work and study, has become the focus of attention, and Zoom has taken a confident first place in the United States by number of downloads. However, it attracted attention not so much with the growth in its user count as with the scandals surrounding the mass leakage of corporate and personal data of Zoom users to the social network Facebook, as well as thousands of recordings of private video conferences that ended up openly accessible on YouTube and Vimeo.

What is Zoom and how does it work?


The main purpose of Zoom is video conferencing: the application supports HD-quality video streams and the simultaneous connection of up to one hundred participants to a call. Users also love the program for screen sharing and chats, where you can not only attach various files but also work with popular cloud services such as Google Drive and Dropbox. In addition, the application lets you share the screen of a mobile device. Among the extra features there is also a "raise your hand" button for asking a question during a call.

But despite the rich functionality, Zoom has big problems with ensuring user privacy. The application does not support end-to-end encryption and has other serious security holes, some of which arose precisely because certain features were added.



Attendee Attention Tracking: I'm watching you


For example, the Attendee Attention Tracking feature lets the host identify participants who are distracted from the call by other matters. Obviously this seems useful to company executives and trainers, but the drawbacks of this feature are much more serious, since it relies on tracking scripts that remotely monitor all participants, which allow the program to "bypass security settings in the browser and conduct unauthorized monitoring of the user and his actions through the webcam", which has repeatedly raised questions from personal-data protection experts.

Having heeded the criticism of Attendee Attention Tracking from cybersecurity experts, the developers at Zoom Video Communications decided to get rid of the feature, as reported on the app's website: "On April 2, 2020, we removed the user attention tracking feature to ensure the safety and privacy of our customers".

Facebook SDK: Zuckerberg knock knock


Another problem the application's developers had to solve in order to regain user trust was that Zoom automatically transmitted a number of data items to Facebook, which analyzes and uses the information it receives for advertising purposes: according to DuckDuckGo (a search engine that opposes the tracking of user data), Facebook advertising trackers are present on 36% of all sites on the Internet, and by this measure it is second only to Google with its 85%.

What user data did Zoom transmit? First of all, the time the application was opened, the user's location and the type of device. The information sent also included the advertising ID, by which sites affiliated with Facebook show the user targeted ads.

But the trouble for Zoom's developers was that their iOS application sent data to Facebook not only about users who had accounts on that social network, but also about those who were not registered on Facebook at all, and the latter was not mentioned in the user agreement in any form; that is, the fact of unauthorized transmission of information is evident: read, espionage.

Zoom responded to user complaints and the developers removed the Facebook SDK code from their program, but Americans began filing lawsuits against the company en masse, accusing it of violating local data-transfer laws. Zoom's owners had overlooked one simple thing: surveillance by Facebook is disabled only after the application is updated, so the company had to oblige all its customers to use the new version of Zoom.

Privacy? Never heard of it


Removing Attendee Attention Tracking and the Facebook SDK from the application is a commendable, if belated, initiative by Zoom Video Communications, but it did not solve the security problem: the fact is that Zoom has a whole cartload of them.

Zoom's privacy policy explicitly states that the service's advertising partners (for example, Google Ads and Google Analytics) automatically collect "some information" about users when they use the company's products. Exactly what information is not specified. Here is what Doc Searls, a computer security researcher, writes about this:

“Zoom is engaged in advertising, and in its worst form: the company lives off the personal data collected from users. But even more terrifying is the fact that Zoom can collect a large amount of private, intimate data (for example, a doctor's conversation with a patient), and not one of the participants in the conversation is aware of this.” And further: “If your browser cares about privacy (for example, Brave, Firefox or Safari), it will most likely block ad trackers as well, but you won't be able to determine in Zoom whether your personal data is collected and how it happens.”

The specialist goes on to point out that until recently it was impossible on Zoom to refuse the collection of personal data about you and its sale to third parties (a violation not only of privacy but also of security):

“Zoom's current privacy policy looks even worse than 'you don't have any privacy here',” the expert summarizes, and gives a terse definition of Zoom's policy towards users: “We open your virtual necks to information vampires who can do anything they want with them.” (literally: We expose your virtual necks to data vampires who can do what they will with it.)

Privacy Policy Update


A flurry of criticism nevertheless forced Zoom Video Communications to revise its privacy policy, and on March 29 an updated version of the text appeared (https://zoom.us/privacy), which at the very beginning explicitly states: “We do not sell your personal data. Whether you are a company, an educational institution or an individual user, we do not sell your data.”

The next important point: “Your meetings are only yours. We do not track or even store them after the meeting, unless the conference organizer records and saves them.”

Another interesting point: “Zoom collects only the user data that is necessary to provide Zoom services to you... For example, we collect information such as the user's IP address, as well as information about the operating system and device...”

And finally: “We do not use the data that we receive from your use of our programs for any advertising. We use the data we receive from you when you visit our commercial sites, such as zoom.us and zoom.com. You can control your own cookie settings when you visit our commercial sites.”

It would be possible to wrap up here: say that the guys are great and recommend the updated Zoom to everyone who cares about their safety on the Internet, but there is a nuance here and, contrary to the well-known joke, not even just one.

Other vulnerabilities


Big trouble awaits Windows users, who make up the vast majority worldwide. It turned out that Zoom converts UNC paths, that is, paths to files on Windows network shares, into clickable links (https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/). Using such links, which appear to point to images, audio recordings and other media files, it is not difficult for a hacker to crack the resulting hashes and gain access to the Zoom user's credentials. The company is aware of this vulnerability, but so far there have been no fixes to the application code.
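As an added illustration (this is not Zoom's code and not taken from the linked article), the following Python snippet shows a minimal chat-message renderer in the two forms that matter here: the behaviour described above, where a UNC path pasted into a message is turned into a clickable link, and a hardened renderer that links only http(s) URLs and leaves UNC paths as inert text. It also includes the check a defender would want, a scan of messages for any rendering that would expose a clickable UNC link. The sample messages, share names and hostnames are constructed for the example.

```python
import re
from html import escape

# Constructed sample chat messages; the hosts and shares are placeholders,
# not real systems.
SAMPLE_MESSAGES = [
    "Slides are here: https://example.org/deck.pdf",
    r"Look at this picture \\fileserver.example\share\cat.jpg",
    r"Drafts: \\192.0.2.10\docs\report.docx",
    "Plain text, nothing to link",
]

# A whole whitespace-delimited token of the form \\host\share\... is a UNC path.
UNC_PATH_RE = re.compile(r"^\\\\[^\\\s]+\\\S*$")
# Only these are safe to make clickable in a chat window.
HTTP_URL_RE = re.compile(r"^https?://\S+$")


def find_unc_paths(message):
    """Return every token in the message that is a UNC path (detection helper)."""
    return [tok for tok in message.split() if UNC_PATH_RE.match(tok)]


def _anchor(tok):
    """Render one token as an HTML link, escaping it for attribute and text use."""
    return f'<a href="{escape(tok, quote=True)}">{escape(tok)}</a>'


def _render(message, link_unc):
    # Split on whitespace but keep the separators so the message layout survives.
    out = []
    for tok in re.split(r"(\s+)", message):
        if HTTP_URL_RE.match(tok):
            out.append(_anchor(tok))
        elif link_unc and UNC_PATH_RE.match(tok):
            # 'Before' behaviour: a UNC path becomes a clickable link. Clicking it
            # makes Windows contact the named host, which is what exposes credentials.
            out.append(_anchor(tok))
        else:
            out.append(escape(tok))
    return "".join(out)


def naive_linkify(message):
    """The behaviour the article describes: URLs *and* UNC paths become links."""
    return _render(message, link_unc=True)


def safe_linkify(message):
    """Hardened renderer: only http(s) URLs are linked; UNC paths stay plain text."""
    return _render(message, link_unc=False)


def audit(messages, renderer):
    """Defender-side check: indices of messages whose rendered HTML would carry
    a clickable UNC link under the given renderer."""
    return [i for i, m in enumerate(messages) if 'href="\\\\' in renderer(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print("naive:", naive_linkify(m))
        print("safe: ", safe_linkify(m))
    print("exposed by naive renderer:", audit(SAMPLE_MESSAGES, naive_linkify))
    print("exposed by safe renderer: ", audit(SAMPLE_MESSAGES, safe_linkify))
```

The hardened renderer treats link creation as an allow-list decision (only the schemes you intend to be clickable) rather than a deny-list over path-like strings, so a new path syntax cannot slip through; `find_unc_paths` is the piece you would wire into logging or a content filter if you wanted to flag such messages on the server side.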

Earlier, Zoom took another blow below the belt from the investigative news site The Intercept, where on March 31 an article appeared saying that video in Zoom does not have proper encryption and that the company itself can view any of its users' communication sessions. The lack of end-to-end encryption also makes it possible for outsiders to interfere in conversations: in 2020 the so-called "Zoombombing" gained great popularity, where strangers "broke into" various classes and corporate video conferences with the humorous aim of playing a prank and turning broadcasts into chaos (including broadcasting pornographic content to the entire audience). It's easy to guess that such pranks are the most harmless thing that can happen to Zoom users.

Zoom's “strawberry” and Elon Musk


The other day the American newspaper the Washington Post reported thousands of Zoom conversations that were in the public domain, published on YouTube and Vimeo. The publication's journalists, having watched these materials, reported that a number of the conversations that "leaked" onto the network contain confidential information: names, phone numbers, job lists, financial statements of private companies, as well as the personal data of children who were shown in the online classes now held en masse all over the world because of quarantine. Many of the videos contain deeply personal, intimate conversations and even nudity (such as, for example, a teacher giving a hair-removal lesson in one of the chats).

The situation is further aggravated by the fact that even hidden recordings can be viewed on Zoom's own servers: savvy users can open random videos using the standard numbering scheme with which Zoom labels all of its materials. At the same time, many of the victims who appeared in the videos and whom the Washington Post reporters managed to contact stated that they had no idea how their private conversations could have been made public.

Even before the scandals over video recordings "leaking" onto the network, Elon Musk forbade his employees from using Zoom. The head of SpaceX and Tesla noted that the service has serious problems with privacy and security, and recommended using email and phone for corporate communication. SpaceX executives blocked Zoom access for their employees on March 28, 2020.

NASA and Google are also against Zoom


NASA spokeswoman Stephanie Schierholz said the same day that the U.S. space agency also forbids its employees to use Zoom, and on March 30 the FBI's Boston office issued a warning about using Zoom: employees were forbidden to make meetings on the site public or to share any links.

Among the latest news, not joyful for Zoom: Google has abandoned the Zoom desktop application. Reuters reports that Google has banned use of the application on its employees' laptops since April 8, citing Zoom security concerns. José Castaneda, a representative of the company that runs the world's largest search engine, said: “Recently, our security service informed employees using the Zoom Desktop Client that this program will no longer be supported on corporate computers because it does not meet our security standards for applications used by company employees. However, Google still permits the use of Zoom through mobile apps and browsers.”

They promised to fix it...


Zoom Video Communications claims that the problems with data leakage arose because the application's servers were not ready for such an influx of users over the past month. The company's CEO, Eric Yuan, even discussed this in detail on his blog and added that they have a lot of work to do to restore people's trust (link).

Well, we wish the guys good luck!
