The rise and fall of the Zoom video calling software in a matter of months has reaffirmed that one can be the Internet’s poster boy one minute and fall from grace the next if one is seen handling data carelessly. Worse still is paying lip service to security while failing to deliver on the promises made. The COVID-19 pandemic has forced millions to stay at home, and in a previous article we explained the meteoric rise of the Zoom video calling software.
In March, we told you that Zoom Video Communications had become the ‘talk of the town’, putting rivals such as Cisco (CSCO)-owned WebEx, Alphabet’s (GOOGL) Google Hangouts, and Microsoft’s (MSFT) Teams behind it in the Apple App Store and the Google Play store.
Come April, the story took a 180-degree turn and Zoom’s reputation tanked, probably faster than it had soared. The rising number of users opened a can of worms around Zoom’s privacy features, and Zoom was banned from one workplace after another. Schools in New York started asking teachers to move away from Zoom to other video conferencing (VC) service providers. Shortly afterward, Taiwan banned government employees from using Zoom after the company admitted to lapses in its software. BuzzFeed News then reported that Google had banned Zoom, asking for the software to be removed from company-provided devices because it did not meet Google’s security standards. The German foreign ministry soon asked its employees to stop using the VC software after concluding that it had “critical” weaknesses.
Even Switzerland asked government officials to use Microsoft Teams, not Zoom, as a fallback option if its main provider, Skype for Business, became overloaded. Elon Musk’s SpaceX also banned Zoom from its employees’ devices owing to ‘significant privacy and security concerns.’
The privacy concerns mounted to the point that the New York Attorney General sought a report from the company on its weak security and data protection practices. The New York Attorney General’s office is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network,” The New York Times reported.
Adding insult to injury, Zoom was hit with a class-action lawsuit by a shareholder in a San Francisco federal court. The shareholder accused Zoom of failing to disclose its security and privacy flaws, because of which he lost money when the firm’s stock price fell. The lawsuit was filed under California’s new data protection law, the CCPA (California Consumer Privacy Act), after it was found that the app sent user data to Facebook without consent. Zoom’s share price had skyrocketed in the preceding weeks after it became the preferred VC tool in the US and Europe.
In the course of this article, we shall look at each of the security loopholes that put data worth billions across the globe at risk.
Unauthorized sharing of data with Facebook
In early 2018, it was revealed that Cambridge Analytica harvested millions of Facebook users’ data without their explicit consent and used it for political advertising purposes.
The fiasco taught us all the perils of using a Facebook login to access other sites: whatever you do there is likely to end up on Facebook’s servers. Zoom’s iOS app was found to be secretly sending user data to Facebook. The iOS version sent data such as the device model number, city, network service provider, and the unique advertiser identifier generated by the user’s handset to Facebook without the user’s consent, regardless of whether the user had a Facebook account. This glaring issue was brought to the IT community’s notice by Motherboard.
A separate, earlier issue affected macOS, where the Zoom client installed a local Web server on the user’s machine. This Web server bypassed Apple’s security update in the Safari browser, which expected users to click Allow in a pop-up each time a URL with an application-based link was loaded or the user was redirected to such a URL. Instead of showing the pop-up, the redirection was captured directly by Zoom’s Web server, which then launched the Zoom app.
Days later, Zoom pushed an update that removed the offending code. But by then the damage was done. Apple added the Web server to its malicious software list and silently distributed a removal tool to macOS, which uninstalled the Zoom Web server.
Zoom’s response to the alarming incident was, suffice it to say, inadequate and lacked soul. Zoom published a lengthy blog post saying, “Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook Software Development Kits (SDK) in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK (Software Development Kit) was collecting unnecessary device data.” Zoom’s response did nothing to close the loophole for users still running the previous version. Zoom chose not to push the app update through the App Store, leaving users of the earlier version exposed to unauthorized data sharing with Facebook unless they updated on their own initiative.
In Part 2 of this blog, we bust myths about Zoom’s security and tell you more about ‘Zoom-bombing’, which has turned into a nuisance of global proportions.