Zoom found leaking personal user data, could also facilitate stealing your Windows sign-in...

Humza

Posts: 639   +158
Staff member

Zoom's sky-rocketing popularity seems to be a mixed blessing for the company, as yet another privacy issue crept up this week, involving leakage of personal information of thousands of users by exposing their email address and photo to strangers on the platform and potentially enabling the latter to initiate unwanted video calls.

Also read: Zoom skyrockets to 200 million users, puts 90-day hold on features to address security flaws

The problem this time isn't confined to Zoom's recently fixed iOS app, but as Vice notes, is related to how the platform's "Company Directory" setting is configured. While users who've signed up with the same company email domain are grouped together to make searches and calls easier with colleagues, some people who used their private email to join Zoom have had thousands of strangers added to their contacts list, all of whom Zoom perceives are working under the same organization as they have the same domain name.

"If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them," said Barend Gehrels, a Dutch user who had 995 strangers added to his contacts list after signing up with an email domain from his local ISP.

Another user experiencing the same issue notified their ISP, who couldn't rectify it on their end and asked the complainant to contact Zoom. The company officially exempts the aforementioned public domains from a users' Company Directory but notes that they need to submit a request for manually blacklisting non-standard domains.

Zoom also blacklisted the specific domains highlighted by Vice in their report, but it remains to be seen how widespread the issue is for the millions of new users who've recently hopped on the platform for conducting remote meetings, taking online classes, and keeping in touch with their families.

Update: In addition to the aforementioned problem, it's been documented (as reported by Bleeping Computer) that because of how Zoom handles URLs in group chats, any URL you send/receive is converted into a hyperlink. However, this could be used maliciously, if instead of sending a web link, you receive a UNC path (Universal Naming Convention), this will also be converted to a link.

UNC paths are typically used for networking and file sharing (for example, \\127.0.0.1\C$\windows\system32\calc.exe). An unsuspecting user could click a malicious link, which would make Windows try to connect to a remote host using the Server Message Block (SMB) network file-sharing protocol. By default, Windows will send the user's login name and their NTLM password hash, which can be easily cracked.

Zoom has been contacted so they can issue a fix, so the chat client does not convert UNC paths into clickable links. There are also some workarounds available, but in short, don't go clicking any links you are sent via chat, let alone if it's not a trusted contact.

Permalink to story.

 

QuantumPhysics

Posts: 2,700   +2,349
I honestly don’t trust any of these video messaging services. My family tried to use Zoom the other day for a video conference and I found something else to do. Not a day goes by and then I find out this.
 
  • Like
Reactions: Capaill

Uncle Al

Posts: 6,950   +5,232
And in todays news it was exposed that ZOOM was dumping a lot of personal data to Fakebook ... once announced ZOOM claims they have changed that policy .... now about that Brooklyn bridge I have for sale .....
 

Capaill

Posts: 1,191   +726
For the FB data, it was part of the SDK that FB provided to allow you to log into Zoom with your FB account. So that is kind of understandable that the SDK would then start transferring data to FB. Not entirely Zoom's fault, but they have removed the SDK now.

On "hacking" into videoconferences, it's honestly as easy as trying random 9-digit numbers and see what you get. Zoom advise people to set a password for the session, but most people wouldn't be aware of the need for that.

Zoom does not use end-to-end encryption and have stated that they will not use it.

They boast that over 2000 companies have checked their security, yet researchers are easily finding loopholes within the last week.

Zoom provide no information on what data they store or what 3rd parties they send the data to.

Zoom has full access to all saved videos.

Boris Johnson was recently criticised for posting a picture of his Zoom session online with the session number clearly visible. But he was using a password. Hopefully something better than Downing10.


I'm not a fan of Zoom. My company requires that I use it but I prefer to use Skype. Zoom was developed by a Chinese man, who had earlier developed Webex. He became a multi-billionaire when that was sold to Cisco.
The most telling feature for me is that you can ring a number (sometimes toll-free) to join an ongoing session, without using the App. That sounds good. There are 90 countries supported with that. But none of them are in Europe. My closest is probably Morocco. Africa and Asia are well covered. That tells me that this Zoom product is not fit for purpose within Europe, and that even the US should consider blocking it, at least until the company strengthens its security and transparency. Until then I'm sticking with Microsoft (Teams, Skype).
 

Soulburn74

Posts: 80   +36
I've also read elsewhere that a research company found another security risk with the waiting room feature. See Article regarding Waiting Room Risk They have not disclosed what that risk is to try to keep it from being used until Zoom fixes it (they have notified Zoom of this risk). Its a shame they are having so much trouble with this app. Aside from all the security risks with not quite stellar encrytion techniques to possible manipulation by foreign entities, (from a non professional usage, for covid reasons me and my friends have been getting together to recreate bar nights) the app itself works great. Its the easiest to use by people who aren't tech savvy, install an app, click on a link, you are in) that I've found so far being the one to set these up with my friends many who are very technically UN-inclined. If we weren't doing anything other than doing shots and shooting the breeze, I would switch to something else.........