‘Zoom-bombing’ and privacy flaws plague app that has become immensely popular during coronavirus outbreak

Published April 2, 2020 9:42pm ET

The founder of Zoom apologized for privacy feature flaws and so-called “Zoom-bombings” that have taken place as the video conferencing company’s popularity has skyrocketed during the coronavirus crisis.

With its free app downloaded more than any other in the United States and dozens of other countries in recent weeks, Zoom stock shares doubled since the start of the year as workers are stuck at home under widespread stay-at-home orders meant to stem the spread of the COVID-19 virus. As Zoom usage has risen — there have been spikes of up to 200 million people per day in March, up from 10 million in late December — so has law enforcement concern about the remote meetings being hacked and users being harassed or exploited.

“Usage of Zoom has ballooned overnight — far surpassing what we expected when we first announced our desire to help in late February,” Zoom CEO Eric Yuan wrote in a blog post Wednesday night. “However, we recognize that we have fallen short of the community’s — and our own — privacy and security expectations. For that, I am deeply sorry.”

Included in Yuan’s mea culpa was an admission that the product was not designed “with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”

The billionaire also outlined what the company is doing to fix the problems, including “enacting a feature freeze, [effective] immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.”

Yuan’s apology for the security lapses in his product came after the FBI warned on Monday about Zoom’s vulnerabilities; following the apology, shares of Zoom stock dropped a precipitous 11%.

“As large numbers of people turn to video-teleconferencing platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called “Zoom-bombing”) are emerging nationwide,” the bureau said. “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”

One glaring issue the company is facing is what has become known as “Zoom-bombing,” when uninvited guests break into virtual meetings.

Zoom-bombers have interrupted “work from home” happy hours by screensharing pornography. And the FBI’s Boston division revealed a Massachusetts high school teacher’s online classroom was interrupted by unidentified individuals who “yelled a profanity and then shouted the teacher’s home address in the middle of instruction.” Another school in the state reported a Zoom meeting interrupted by an unknown person who “displayed swastika tattoos.”

These Zoom-bombings have also hit multiple virtual Alcoholics Anonymous meetings. In the middle of one such meeting, an uninvited guest began shouting misogynistic and anti-Semitic slurs, according to Business Insider. The person mocked the group by saying, “Alcohol is soooo good.” The organizers removed the intruder, but by then, more than half of the participants had left the chat.

The FBI emphasized on Wednesday that it “anticipates cyber actors will exploit increased use of virtual environments … as a result of the COVID-19 pandemic.”

The PC Magazine website reported Zoom harassment campaigns were being organized openly online, and some participants are sharing recordings of their Zoom-bombing runs on YouTube and TikTok or livestreaming them on Twitch.

“We are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesperson told the Washington Examiner. “We take the security of Zoom meetings seriously,” the representative said, adding the company “strongly encouraged” Zoom users to make full use of the app’s privacy settings.

The FBI has warned users not to make meetings of classrooms “public” and advised against sharing links to a teleconference or classroom.

“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform,” Yuan wrote, adding that “dedicated journalists and security researchers have also helped to identify pre-existing ones.”

An analysis by Patrick Wardle, a former National Security Agency hacker, reported by TechCrunch, found two ways a cyberattacker who already has low-level access to a person’s computer could abuse Zoom’s “shady” software setup: by injecting malware to gain high-level access to the computer, or by injecting malicious code into Zoom itself to automatically inherit all of Zoom’s rights, including its webcam and microphone access.

The tech-focused Bleeping Computer site reported that Zoom’s chat feature for Windows is vulnerable to having its links manipulated to allow hackers to steal passwords from those who click on them.
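The Windows chat issue described here is the “UNC link” problem Zoom later said it fixed: the client rendered Windows network paths of the form \\host\share as clickable links, and opening such a link on Windows makes the operating system attempt network authentication to the named host, which is how the password theft the report describes works. The following is an added example, not Zoom’s code, showing the defensive pattern a chat client can apply: only http(s) URLs are turned into anchors, while UNC paths and file:// URLs are HTML-escaped and left as inert text. The regular expressions, function names and the sample message are constructed for this example.

```python
import html
import re

# Added example, not Zoom's code. A chat linkifier that refuses to turn
# Windows UNC paths (\\host\share\...) into clickable links.

# A UNC path: two backslashes, a host name, a backslash, then share/path.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]*")
# file:// URLs can also point at a remote host on Windows; treat them the same way.
FILE_URL_RE = re.compile(r"file://[^\s]+", re.IGNORECASE)
# Only http(s) URLs are considered safe to render as anchors.
HTTP_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_links(message: str) -> dict:
    """Split a chat message into links that may be rendered as anchors and
    references that must stay as plain text (UNC paths, file:// URLs)."""
    unsafe = UNC_RE.findall(message) + FILE_URL_RE.findall(message)
    safe = HTTP_URL_RE.findall(message)
    return {"linkable": safe, "plain_text_only": unsafe}


def linkify(message: str) -> str:
    """Render a chat message as HTML. Only http(s) URLs become <a> elements;
    everything else, including UNC paths, is HTML-escaped and left inert."""
    out = []
    pos = 0
    for m in HTTP_URL_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = m.group(0)
        out.append(
            f'<a href="{html.escape(url, quote=True)}" rel="noopener noreferrer">'
            f"{html.escape(url)}</a>"
        )
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample message mixing a web URL and a UNC path.
    sample = r"agenda at https://example.com/agenda and notes on \\fileserver\share\notes.txt"
    print(classify_links(sample))
    print(linkify(sample))
```

The point of the design is that the allow-list is the link renderer itself: anything that does not match the http(s) pattern never becomes a clickable element, so new path schemes do not need to be individually blocked to stay safe, and `classify_links` exists only so a client can log or warn about the references it declined to link.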

A Zoom spokesperson admitted to the Intercept that “currently, it is not possible to enable [end-to-end] encryption for Zoom video meetings.”

The New York Times reported a “data-mining feature on Zoom” that “allowed some participants to surreptitiously access LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.”

On Wednesday, Zoom said it was “acknowledging and apologizing for the confusion” around its encryption, removed the “attendee attention tracker feature” from the app, released “fixes” for issues raised by Wardle, unveiled a “fix” for the UNC link issue, and removed the LinkedIn app “after identifying unnecessary data disclosure.”

Last week, Motherboard reported “the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don’t have a Facebook account.” Zoom announced that “we will be removing the Facebook” tracking software, adding, “We sincerely apologize for this oversight.”

Earlier this week, the New York Times reported that New York Attorney General Letitia James sent a letter to Zoom, noting vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams” and asking for answers about “whether Zoom has undertaken a broader review of its security practices.”

A spokesperson for the office told the Washington Examiner the attorney general was working to “ensure the company is taking appropriate steps to ensure users’ privacy and security.”