Zoom is popular and easy, but just how dangerous is it?

As more and more people head online due to the Coronavirus pandemic companies have turned to telecommunication tools like Microsoft Teams, Zoom, and Slack to continue their operations. Much like other services, Zoom has seen a surge in use. Reports have even said that it has seen up to 190 million daily users.

There have, however, been many security worries behind the service, causing the company itself to come out and respond. Here’s a recap of everything you need to know.

The Zoom risks and worries

We already covered the encryption, data collection, and privacy issues of Zoom in the ending of our separate post, but recently, security researchers have found things that go beyond that.  Most of these have been patched, however, but are still worth mentioning in retrospect. There’s also the concerning fact that government agencies running the response to the Coronavirus epidemic here in the United States spent big money on Zoom, and are actively using it, too, according to Forbes.

Anyway, for Windows 10 users, the biggest risk of them all was a UNC party injection in Zoom’s Windows 10 app. As pointed out by Bleeping Computer, with this security flaw, Zoom’s Windows 10 apps turns Windows networking UNC paths into clickable links. This allows Windows to connect to a remote site using SMB-file sharing protocol, and then send over the user’s login and password hash. It wasn’t isn’t the easiest thing for the average user to do, or for the receiver to recover, but it was still a glaring risk that was since patches, nonetheless.

For a few thousand, there’s another issue involving leaking peoples’ email addresses and photos. Noted by Vice, with this problem, the company directory setting of Zoom will automatically add people to a user’s lists of contacts if they signed up with a personal non-standard public email address that shares the same domain. It’s designed to make it easier to find a colleague, but it also pools people together as if they worked together with the same company, allowing you to see their names, email addresses, photos, and more.

Other security issues relate to macOS, where a zero-day bug allows any website to open a Zoom call with their video camera activated. As reported on Vice, Apple patched this via a silent update to the Malware Removal Tool.  Of course, there is the (now-patched) Facebook connection with Zoom, too. Without users permissions, the Facebook SDK in the Zoom iOS client was collecting non-personal device information and sending it to Facebook.

Oh, and let us not forget “Zoombombing” where random people could join in on Zoom meetings that aren’t protected. There are some suggested workarounds to prevent this as well, including using waiting rooms, passwords, and muting controls.

The Zoom response

As a response to these worries, Zoom’s own founder Eric Yuan has admitted to these concerns and showed how the company would respond. Interestingly, Yuan admits that the platform was built primarily for enterprise customers with a large IT base. He also admits that there was no way of knowing that everyone in the world would end up using Zoom, and said that “we now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges.”

This alone shows why it’s best to keep away from Zoom for personal use, but still, Yuan admits that any security threats will be taken seriously and that “We are looking into each and every one of them and addressing them as expeditiously as we can.”

In the post, Yuan pointed to a company a blog post to help explain how to stop Zoombombing. The company also removed Facebook SDKs from its iOS app and updated its privacy policy to say it does not sell user’s data.  Zoom also will put all new features on hold to better handle privacy concerns, expand its bug bounty program, and even host a weekly webinar to explain privacy and security updates to the public.

Now, what about Microsoft?

With Teams being used by 44 million people daily, and Skype recently hitting the 40 million daily active users mark, there is a need to look at Microsoft’s security practices, too. After all, people are in need of virtual ways to communicate. People want a trusted platform where they can communicate, without worry. People don’t want their data to be sold.

Microsoft’s policies on this are clear and simple. As we’ve said multiple times, Microsoft does not use your data for anything other than providing you with the service that you have subscribed to. Microsoft also does not scan your email, documents, or teams for advertising or for purposes that are not service-related. Microsoft even doesn’t have access to your uploaded content. We suggest that while popular and easy are enticing, that you don’t forget privacy and security when making decisions on ways to make it through these difficult times.