Zoom would very much like you to know that it’s fixing its biggest privacy and security problems.
In a blog post last week, Zoom CEO Eric Yuan vowed to deal with a wide range of issues dug up by journalists and external security researchers as the service has helped remote workers survive the COVID-19 crisis. Among the changes Zoom has already made to its videoconferencing software: Adding stronger default protections against malicious guests, removing code that surreptitiously sent data to Facebook, pulling a LinkedIn marketing tool that let some users harvest personal data from other chat participants, and discontinuing a tool that let employers see if workers were paying attention during video calls.
But while Zoom is scrambling to make further security and privacy improvements—and has frozen new feature development for 90 days while it does so—users still need to exercise some caution. No service’s security measures are ever foolproof, and Zoom itself is so complex that it’s easy to get lost among its many bells and whistles.
Here are some security and privacy issues you still have to keep in mind before setting up your next Zoom meeting:
The term “Zoombombing” refers to a malicious user gaining access to a videoconference and harassing its participants. Several schools, for instance, have reported incidents of racist messaging, death threats, and pornography in their virtual classrooms, and New York City schools have even banned Zoom to head off the threat.
These incidents can occur when meeting details are publicly listed without any password protection, though some attackers have also used software to guess unlisted Zoom room numbers. Publicly sharing a full meeting URL can also facilitate Zoombombing, even when the meeting is password-protected.
Last week, Zoom changed its default settings to make Zoombombing less common. All meetings now require passwords by default, including ones scheduled before April 5, when Zoom made this change. And all meeting participants must enter a “Waiting Room” until the host allows them to join. For education plans, Zoom has also limited screen sharing to teachers by default.
While these changes should help reduce incidents of Zoombombing, they don’t completely eliminate the risk. Here are some other steps you can take if you’re worried about people invading your videoconferences:
- Avoid publicly sharing full Zoom meeting links, which have an encrypted version of the password built in. These links allow anyone to join with one click even if they don’t know the meeting password, so keeping them secret is important.
- If you’re concerned about invitees inadvertently sharing full meeting links with strangers, head to Zoom’s profile settings page and disable “Embed password in meeting link for one-click join.” Keep in mind that this only applies to the links in Zoom’s meeting invitations. If you copy the invite URL from within a conference that’s already in progress, it’ll still embed the password for one-click access.
- Teachers who haven’t set up an Education Plan should consider setting the Screen Sharing option to “Host Only” under “Who can share?” in profile settings. That way, students won’t be able to pull any pranks.
- TechCrunch’s Josh Constine suggests disabling File Transfer in profile settings just in case someone tries to pass around malicious files.
- If you insist on sharing one-click URLs or don’t want to enable the waiting room, Glenn Fleishman suggests promising a link to come in your initial invitation, then sending the link just before the conference starts. That way, it’ll have less time to reach any potential trolls.
- For extra protection, consider locking the meeting once all the invitees have joined. Select Manage Participants, select “More” in the participants menu, then select “Lock Meeting.”
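For anyone who posts meeting announcements from a script or a shared template, the first tip above can be automated. The following is an added example, not code from Zoom or from the original article. It assumes that join links are hosted on zoom.us or a subdomain and carry the embedded password in a `pwd` query parameter; the sample announcement and its token are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: join links look like https://<name>.zoom.us/j/<id>?pwd=<token>
URL_RE = re.compile(r"https?://[^\s<>()]+")
TRAILING = ".,;:!?'\""

def is_zoom_host(host):
    """True only for zoom.us itself or a real subdomain of it."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")

def strip_embedded_password(url):
    """Return (clean_url, had_password) for a single URL."""
    parts = urlsplit(url)
    if not is_zoom_host(parts.hostname):
        return url, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() != "pwd"]
    if len(kept) == len(pairs):
        return url, False
    return urlunsplit(parts._replace(query=urlencode(kept))), True

def sanitize_announcement(text):
    """Remove embedded passwords from Zoom links in text.

    Returns (clean_text, flagged_links) so the caller can warn the author.
    """
    flagged = []

    def repl(match):
        raw = match.group(0)
        core = raw.rstrip(TRAILING)      # keep sentence punctuation out of the URL
        tail = raw[len(core):]
        clean, had_password = strip_embedded_password(core)
        if had_password:
            flagged.append(core)
        return clean + tail

    return URL_RE.sub(repl, text), flagged

# Constructed sample announcement; the token is not a real password.
SAMPLE = ("Class starts at 9. Join: "
          "https://example.zoom.us/j/1234567890?pwd=CONSTRUCTEDTOKEN. "
          "Syllabus: https://example.org/doc?pwd=unrelated")

if __name__ == "__main__":
    cleaned, flagged = sanitize_announcement(SAMPLE)
    print(cleaned)
    print("Links that carried a password:", flagged)
```

Invitees then have to type the meeting password themselves, so it needs to reach them through a separate, private channel.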
Exposed contact info
As Motherboard’s Joseph Cox reported last week, Zoom has allowed thousands of users to see the email addresses (and corresponding profile photos) of other users that have the same email provider.
At issue here is Zoom’s Company Directory feature, which is supposed to let people within an organization look up their colleagues. Although Zoom blocks this feature from working with popular email domains such as Gmail and Yahoo, it has failed to blacklist some smaller email providers, such as dds.nl and quicknet.nl in the Netherlands.
At this point, the only recourse is to file a complaint with Zoom. If you rely on a boutique email provider and spot any unfamiliar people in the “Contacts” section of the Zoom app, you’ll have to submit a request to have the domain blacklisted from the Company Directory feature.
Recordings inadvertently made public
Because of the naming scheme that Zoom uses for its recordings, videos that some users likely thought were private have become searchable on the open web. As The Washington Post’s Drew Harwell reported, some of these links have surfaced on YouTube and Vimeo, while others have turned up in Amazon storage space, where users may have made them public without realizing it.
One might argue that users should pay better attention to how and where they upload meeting recordings, but as Harwell writes, “Zoom’s engineers bypassed some common security features of other video-chat programs, such as requiring people to use a unique file name before saving their own clips.” Zoom has not yet changed its naming scheme to make these files harder to discover.
Potentially revealing text chats
You might think that private text chats within Zoom will always stay private, but that’s not the case under one specific condition.
Forbes contributor Kate O’Flaherty has reported that if a host records a Zoom meeting locally using the “Record on this Computer” option, any private chats between that host and other participants will be included in a .TXT file alongside the meeting video. If the host were to then share the entire meeting folder with colleagues, they’d be able to see the contents of those private chats.
This claim became somewhat overblown thanks to some broadly worded Twitter posts that went viral, so a bit of extra clarification is in order. Zoom doesn’t save any private chats if no one records the meeting or if the meeting is saved through Zoom’s own cloud storage option. And if the host records the meeting locally, only that host’s private chats will show up in the logs.
Of course, a sufficiently mindful host could always remove or modify the .TXT file before sharing the meeting record with others, but the safer path is to avoid typing anything on Zoom that could get you in trouble to begin with. If you must badmouth your colleagues, find a more private venue.
End-to-end encryption evasion
Although Zoom has claimed in marketing materials and white papers that its video calls can be end-to-end encrypted, the company admitted last week that it is not using the term as security researchers understand it. It is true that when all participants are using Zoom’s apps (with computer or mobile device audio), aren’t recording the meeting, and aren’t using any of Zoom’s “Connector” features, Zoom does not decrypt meeting contents at any point en route to each user. But as both The Intercept and The Citizen Lab have reported, Zoom is using a form of encryption that technically could be accessed by Zoom itself.
As such, The Citizen Lab has suggested that government agencies or businesses worried about espionage should steer clear of the service, as should healthcare providers handling patient data. Activists, lawyers, and journalists may also want to avoid Zoom if they’re handling especially sensitive information. Motherboard’s Lorenzo Franceschi-Bicchierai has suggested several alternatives with end-to-end encryption, including Apple’s FaceTime and subscription-based conferencing from Wire.
A potential Waiting Room weakness
Speaking of The Citizen Lab, its report also mentioned a vulnerability with Zoom’s Waiting Room feature, which requires conference hosts to approve each participant before they’re let into a meeting. The Citizen Lab did not provide any further details on this security flaw, saying it will only do so once Zoom has addressed the issue. But in the meantime the group suggests turning Waiting Room off.
At the same time, Zoom has enabled Waiting Room by default for all of its users to protect against Zoombombing. While you can still turn off the feature through Zoom’s profile settings, doing so could do more harm than good. As with so many other aspects of Zoom, the question of how best to protect yourself is one with no easy answers.