Zoom’s Myriad Security and Privacy Flaws

Contrast this list compiled by Glenn Fleishman at TidBITS against the statement by Zoom’s CEO posted earlier this week:

Let me put it bluntly: Zoom is sloppy. Evidence of this began to accumulate last year with a screw-up discovered in mid-2019 that exposed macOS users to significant privacy exposure: your video camera could have been activated by visiting a page that loaded a malicious link. The problematic disclosures have accelerated since January 2020 with a series of errors in judgment and programming flaws. Zoom may have a top-notch technical solution and user experience, but the company deserves to take its knocks for sloppy and negligent programming.

Zoom also has made poor privacy decisions, some of which have already been remediated, by positioning itself more like a marketing firm than one that provides personal, academic, and business services over which we conduct private, confidential, or secret conversations.

Zoom founder and CEO Eric Yuan:

First, some background: our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices. Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

Did those “exhaustive security reviews” turn up any of the ingrained problems with Zoom’s infrastructure? If so, is there a reason Zoom was picked over its competitors? In light of recent disclosures, do you think any big enterprises, government agencies, and financial companies are reconsidering their choice of Zoom?

It’s right to scrutinize Zoom more heavily as it plays a pivotal role in our current state of self-isolation. But what are the alternatives? Fleishman compiled those, too, but even he acknowledged at the time that Zoom “has emerged as the clear winner for large groups”. Competing options can be pricey — particularly for underfunded organizations like charities and schools. Most of these tools are also designed for businesses; they may not work as well as Zoom in a classroom context. It is critically important that Zoom gets this right, or security professionals are going to increasingly recommend that it be avoided entirely.