The COVID-19 pandemic, and the ever-increasing number of employees shifting to remote work, has seen explosive growth for Zoom’s platform. This growth has come with heavy scrutiny of Zoom’s security posture: organisations and government agencies have seen their private Zoom meetings infiltrated by unauthorised attendees, and enterprise IT teams have been tasked with hastily standing up their whole organisation for remote work. Media headlines, whilst attention (click) grabbing, in some cases barely use the facts as inspiration.

Zoom has without a doubt employed some questionable and shady tactics to remain the most frictionless web conferencing software. From its ‘malware-like’ software development practices, alarming privacy policy, non-disclosure of device tracking in iOS apps and non-industry standard use of the term ‘end-to-end encryption’, Zoom has broken the trust of its users several times over.

There are, however, some criticisms aimed at Zoom for which it should not bear the brunt, including unauthorised attendees finding and joining meetings that have no password or access control, video recordings left publicly exposed on the web in separate storage services, and the availability of hundreds of thousands of Zoom user credentials on the dark web, itself seemingly a result of credential stuffing and user password re-use. For all the security findings of Zoom’s platform, no vulnerabilities have yet been disclosed.

The main criticisms aimed at Zoom and the actual interpretation are shown in the table below.

| Issue | Criticism | Actual interpretation |
| --- | --- | --- |
| Installation of 'malware-like' Zoom web server on macOS machines | Zoom is a shady and untrustworthy company that will do anything it can, even dangerous software development practices. | While the media sensationalises somewhat, Zoom’s trickery and software development practices are not a good thing. However, this appears to be an isolated case. |
| Privacy concerns related to Facebook tracking and personal information for marketing purposes | Zoom’s privacy policy allowed them to use personal video and call content for advertising, and hid their tracking codes in their iOS app. | Zoom’s original privacy policy language was not clear and had been interpreted maliciously. They have since changed their policy to clarify no data is used for advertising, and removed the Facebook tracking from their iOS app. |
| Non industry-standard use of the term 'End to end encryption' | Zoom misled its users to believe that meetings were end-to-end encrypted, i.e. only the participants can view and decrypt meeting contents. | Zoom used the term to refer to HTTPS/TLS, using the term incorrectly. This is a fair portrayal: the term end-to-end encryption is well known and commonly accepted. Zoom’s misuse of it was in poor faith, especially given they do not publish transparency reports on data access by governments and law enforcement. |
| | Zoom’s use of a custom cryptography protocol is poorly implemented, and encryption keys have been detected originating from China. | These claims appear to be suspected based on traffic analysis, though the use of a custom cryptography protocol is confirmed. |
| | Zoom’s platform is open and insecure, allowing anonymous guests to join calls on a whim and take over the meeting. | Zoom allows meetings using a static ID and no password; however, it provides several options to secure a meeting, including random IDs, passwords, waiting rooms and authentication profiles, that have often not been utilised correctly. |
| Leaking of Zoom account email addresses through Company Directory feature | Zoom collated users with the same domain name, allowing users to view the names and email address of other private users. | This is definitive unintended leakage of personal information, though only contained to personal users on low profile email providers (i.e. not Gmail) or unknown providers outside of the U.S. |