When companies began asking employees to continue working from home, there was a need for a videoconferencing app and Zoom met that need.
However, in the weeks since Zoom’s rise, glaring security and privacy issues have come to the fore.
For one, it was recently discovered that Zoom doesn’t support end-to-end encryption, but rather uses in-transport encryption. The problem here is that the company said it was using end-to-end encryption. Zoom later clarified what encryption it used, but it left a sour taste in the mouth of users.
Just this week it was discovered that Zoom’s Windows client contained a bug that allowed an attacker to send a string of text which would convert to a link. When a user clicked that link, the user’s Windows usernames and Net-NTLM-v2 hashes were exposed.
While Zoom has addressed many of these issues, it’s clear the service has some work to do, and the founder of Zoom, Eric Yuan, has detailed what is happening behind the scenes.
“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust,” wrote Yuan.
Moving forward Zoom will enact a feature freeze so as to shift its engineering resources to tackling trust, safety and privacy issues.
Zoom will also be reviewing its security with special focus on the millions of new consumers that have started using the service. It’s important to remember that Zoom was primarily designed for large enterprises with a dedicated IT team. While that shouldn’t mean an IT team should deal with an application’s shortcomings, it does put things into perspective.
That also speaks to how folks are using it. We’re sure during creation, Zoom expected to be used in boardrooms protected by robust security solutions and now it’s got Jeff’s shoddy router and an outdated version of Windows Defender.
Related to the lack of end-to-end encryption, users were concerned about Zoom’s reporting to authorities. Many firms have clauses stating that if authorities require information (and the proper channels are followed) they will co-operate, but Zoom lacks a transparency report which details this. As such, the company will be preparing a transparency report that details information-related requests.
Other steps Zoom will take to improve security, trust and privacy include:
- Enhancing the current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
“Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community,” added Yuan.
We’re glad to see Zoom taking these security concerns seriously and pushing hard to fix the issues.
With all these security and privacy issues coming to the fore, however, one does have to wonder whether any of this would be addressed if Zoom hadn’t become the first choice for videoconferencing overnight.
At least the issues are being addressed.