Zooming In: “Zoom’s” Significant Privacy and Data Security Risks brought to Light Again (and Again)

By Cameron Abbott, Warwick Andersen, Rob Pulham, Allison Wallace and Max Evans

It hasn’t even been 10 days since our previous Blog on Zoom, which highlighted a number of privacy and data security issues prevalent in the use of the popular telecommunications software, and already further privacy issues have been alleged. Let’s put these allegations under the magnifying glass:

Disclosure to Facebook: Even If You don’t have an Account

Firstly, Vice reports that the iOS version of the Zoom app transfers analytics data to Facebook, even if Zoom users don’t have a Facebook account, without disclosing as such in its Privacy Policy.

According to the article, upon downloading and opening the App, Zoom connects to Facebook’s graph application programming interface, disclosing information such as the model of the users’ device, time zone and city they are connecting from, which phone carrier they are using and a unique advertiser identifier created by the device from which entities can use to target advertisements.

Nothing in Zoom’s Privacy Policy mentions anything about sending data of Zoom users who don’t have a Facebook account to Facebook, merely mentioning that Zoom may collect Facebook profile information when an individual uses Facebook to log in to Zoom or to create a Zoom account. 

Windows flaw enables Credentials to be Leaked

Additionally, Zoom’s Windows desktop client is vulnerable to injection flaws in how the app handles identifier paths, which can enable hackers to run commands and install malware on their target’s computers, according to an article from IT News.

The article states that an attacker can input a malicious or fraudulent link into the Zoom chat on Windows, and should an individual click on the relevant link, it will expose their Windows username, domain name or computer name and a hashed version of their windows password. Following this, an attacker can replay those hashed password values and access services such as Outlook and SharePoint. Furthermore, these links can be tailored to trigger Windows remote code execution to leak credentials without providing any warning to the User.

Weak encryptions and key handling

Technical analysis of Zoom’s encryption practices has also discovered serious weaknesses and questionable practices, according to a further article from IT News.

According to the article, Zoom uses a single Advanced Encryption Standard (“AES”) encryption key that is shared amongst all meeting participants and defaults to a simple Electronic Codebook which preserves patterns in the input and therefore enables capturers of the AES to decrypt video and audio from meetings.

This is compounded as Zoom intermittently discloses encryption keys through servers which appear to be located in China, where it owns three companies with at least 700 developers in the country. The article suggests that this could make Zoom susceptible to pressure from Chinese authorities. These issues combined have led cybersecurity experts to advise that governments and businesses worried about espionage and cybercrime, healthcare providers, activists, lawyers and journalists should steer away from using Zoom in professional circumstances.

We will keep you updated of any further details, but as noted previously, advise that businesses should monitor closely how their employees are communicating with each other in remote work situations and exercise the above caution in the use of services such as Zoom.