Zoom is leaking private information, including email addresses and users' photos, according to a report by VICE. The flaw in the video call app, which has enjoyed a surge in popularity following the introduction of strict social distancing rules in the UK, Europe and the United States, could allow some users to see strangers' details and initiate video calls with them, the new report claims.
Zoom, which Prime Minister Boris Johnson is now using to conduct cabinet and COBRA meetings from self-isolation after testing positive for COVID-19 (a virus that has already infected some 25,000 people in the UK and killed more than 1,800), typically groups contacts that share an email domain into a “Company Directory”. This is designed to make it quicker to find a specific person within the same organisation: you can see their photo and email address, then start a video call with them.
That makes sense for a company that uses Zoom to keep the business connected.
However, VICE reports that the app has also been grouping together people who signed up with a personal email address on a smaller shared domain, such as an internet service provider's mailbox domain. Those users can see the personal email addresses and photos of everyone else on the same domain in their Company Directory, because Zoom mistakenly treats the shared provider domain as a company one.
It is unclear how widespread the problem is, or how many personal email addresses are affected.
An affected user shared a screenshot with VICE showing 995 accounts in their Company Directory, all of them strangers who happen to use the same email domain. The flaw means the user could see the email address and photo of any of these people and launch a video call with them at the touch of a button.
According to VICE, the problem was identified with the email domains xs4all.nl, dds.nl and quicknet.nl, all popular email services run by Dutch internet service providers. Zoom said it has now blacklisted those domains after VICE brought the problem to its attention.
“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told VICE in a statement in the article.
Zoom has set up a dedicated support page where users can request that a domain be blacklisted. Zoom doesn't group “publicly used domains including gmail.com, yahoo.com, hotmail.com, etc,” according to the support documentation. However, because the list is a blacklist of known public providers rather than a list of domains an organisation has verified it owns, any shared domain that Zoom has not yet added is still grouped by default, so less common provider domains can still be mistakenly grouped together.
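To make the mechanism concrete, here is an added illustration, not Zoom's code, of why a blacklist of public providers cannot prevent this kind of grouping, alongside the safer alternative of only grouping domains an organisation has verified it owns. The sample sign-ups, the domain names and the verified-domain check are constructed assumptions for the example.

```python
"""Added example (not Zoom's code): grouping users into a 'Company Directory'
by email domain with a denylist of public providers, versus grouping only
verified organisation domains. All users and domains below are constructed."""
from collections import defaultdict

# Constructed sample sign-ups: two colleagues at one company, three strangers
# who all use the same (hypothetical) ISP mailbox domain, and one Gmail user.
SIGNUPS = [
    ("alice@example-corp.com", "Alice"),
    ("bob@example-corp.com", "Bob"),
    ("jan@isp-example.nl", "Jan"),
    ("piet@isp-example.nl", "Piet"),
    ("kees@isp-example.nl", "Kees"),
    ("carol@gmail.com", "Carol"),
]

# Denylist of well-known public mailbox providers, as the article describes.
# Any domain missing from this set is treated as a company domain.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Domains an organisation has proven it controls (assumption: e.g. by
# publishing a DNS TXT record). Only these should ever be grouped.
VERIFIED_ORG_DOMAINS = {"example-corp.com"}


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def directory_denylist(signups, public_domains=PUBLIC_DOMAINS):
    """Weak design: group everyone whose domain is NOT on the denylist.
    Fails open: an unlisted shared domain becomes a 'company'."""
    groups = defaultdict(list)
    for email, name in signups:
        d = domain_of(email)
        if d in public_domains:
            continue
        groups[d].append((email, name))
    return dict(groups)


def directory_allowlist(signups, verified=VERIFIED_ORG_DOMAINS):
    """Safer design: group only domains whose ownership has been verified.
    Fails closed: an unknown shared domain is never grouped."""
    groups = defaultdict(list)
    for email, name in signups:
        d = domain_of(email)
        if d in verified:
            groups[d].append((email, name))
    return dict(groups)


def visible_to(directory, email):
    """Email addresses one user would see when opening their directory."""
    return [e for e, _ in directory.get(domain_of(email), []) if e != email]


def unverified_groups(signups, public_domains=PUBLIC_DOMAINS,
                      verified=VERIFIED_ORG_DOMAINS):
    """Audit helper: domains the denylist design would group even though no
    organisation has verified them, i.e. where strangers are exposed."""
    grouped = directory_denylist(signups, public_domains)
    return sorted(d for d, members in grouped.items()
                  if d not in verified and len(members) > 1)


if __name__ == "__main__":
    weak = directory_denylist(SIGNUPS)
    safe = directory_allowlist(SIGNUPS)
    print("denylist, Jan sees:", visible_to(weak, "jan@isp-example.nl"))
    print("allowlist, Jan sees:", visible_to(safe, "jan@isp-example.nl"))
    print("exposed shared domains:", unverified_groups(SIGNUPS))
```

With the denylist design, Jan sees Piet and Kees, two strangers who merely share his ISP's domain, exactly the situation in the 995-account screenshot; with the allowlist design he sees nobody, while Alice and Bob still find each other. The `unverified_groups` check is the kind of audit a provider could run over its own directory data to find shared domains before users report them.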
Zoom has had a patchy track record when it comes to the security of its users, and that record has been thrown into the spotlight again by the spike in popularity as friends, colleagues and families look for ways to communicate online during the lockdowns now in place across the globe.
Last July, researchers discovered that malicious websites could launch a Zoom video call on macOS machines without asking the user's permission, letting an attacker watch through the webcam. The company quickly patched its software.
However, Check Point Research published a report in January highlighting another flaw in the service: valid meeting IDs could be guessed, letting an attacker join calls that were not password-protected and eavesdrop without anyone knowing. Crucially, Zoom video and audio calls are also not end-to-end encrypted, unlike those made on WhatsApp or FaceTime. Media is encrypted between the client and Zoom's servers, but those servers can decrypt it, so call content is accessible to Zoom's infrastructure, and to anyone who compromises it, rather than only to the participants.
Published at Wed, 01 Apr 2020 11:35:00 +0000