Zoom’s CEO Steps up, Promises to Fix Major Security and Privacy Flaws

Zoom App Meeting Credit: Mircea Moira / Shutterstock

With the majority of the world’s population now working and learning from home, the need for video conferencing apps has spiked dramatically, and the leader among these apps has become Zoom. It owes that position to its popularity with many medium- to large-sized businesses, and to the fact that it has a number of practical advantages over consumer solutions like FaceTime when it comes to hosting video chats with larger groups, since that’s essentially what it was designed to do.

However, as Zoom has become even more popular, many experts have discovered that it’s also been host to a collection of serious security and privacy issues, some of which are minor when taken by themselves, but get pretty serious when added up together.

While some of these are simply a function of Zoom being primarily intended for businesses — like a feature where it creates a “company directory” to share contact information for everybody on the same email domain — others stem from poor design decisions on the part of Zoom, which has shown a clear determination to put ease of use ahead of privacy and security.

Last year, we saw this with a serious flaw in the Zoom Mac app that could allow hackers to eavesdrop via a MacBook camera simply by joining the user to a video call without them even knowing it. To make matters worse, uninstalling Zoom left behind components that still made a user’s Mac vulnerable to the exploit. While Apple intervened and patched the flaw, and Zoom stepped back from the more invasive installation, it still left a bad taste for a lot of users.

Now, over the past few weeks, more flaws have been resurfacing. These include the fact that Zoom’s installer behaves like malware, using a rather shady and potentially dangerous technique to install the app, all for the sake of saving the user one or two clicks and the typing-in of their password; a bug that could allow Zoom to steal Windows passwords; and the phenomenon of “Zoombombing,” which could allow bad actors to jump in and interrupt random conferences, leading to some pretty disturbing situations.

Zoom’s Response

Amid such a backlash, at a time when it’s important for users to be able to depend upon and trust their video conferencing software, it looks like Zoom is stepping up and doing the right thing, and it’s not wasting any time in doing so.

Zoom CEO Eric S. Yuan published a message to Zoom users on Wednesday, noting that usage of Zoom “has ballooned overnight,” with it now being used by over 90,000 schools across 20 countries, and having grown from 10 million daily users at the end of December to over 200 million by March. Yuan also notes that Zoom feels an “immense responsibility” to its users, and acknowledges that it’s failed to live up to the necessary safety standards that many should have a right to expect from it.

We recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

Eric S. Yuan, Zoom CEO

Yuan goes on to explain that Zoom was “built primarily for enterprise customers,” many of whom were expected to have full IT support to manage and deploy the Zoom client securely and safely, and that the company didn’t have the foresight to expect that so many people would suddenly be using the app “in a myriad of unexpected ways.”

As a result, Yuan says, Zoom is working to expand its training and support resources for users, but more importantly it’s also actively working to address many of the other concerns that have been raised over the past few weeks. While Zoom changed the defaults for educators to prevent “Zoombombing,” for everyone else it’s offering more resources to educate users about how to adjust their settings to prevent this from happening. It’s also taken action to remove unwanted Facebook data harvesting from its iOS client, updated its privacy policy to be more transparent, and come clean about its misleading use of the term “end-to-end encryption.”

Yuan also said that the company is putting a 30-day freeze on the development of new features in Zoom to make sure that every possible security and privacy bug is fixed, and that it will be conducting a “comprehensive review” with outside security experts, along with improving its bug bounty program. Yuan has also committed to begin hosting a weekly webinar to keep users updated on the company’s progress.

Fixes Are Already Rolling Out

This isn’t just talk either. Yuan is putting his money where his mouth is, and Zoom has already fixed its shady macOS installer, removed a feature that could scrape information from users’ LinkedIn profiles without their consent, and patched the Windows vulnerability.

As The Verge points out, Yuan’s response is a welcome change in tone for a company that up until recently was somewhat dismissive of critics and slow to address security flaws. When last year’s Mac vulnerability was discovered, Zoom made excuses for why it had chosen to implement its client in such a dangerous way, and took so long to fix the problem that Apple had to intervene with a patch that would remove the hidden web server that Zoom was surreptitiously dropping onto every user’s Mac.

Still, there’s a lot of work to be done. Most importantly, Zoom hasn’t taken any steps to actively prevent Zoombombing outside of educational institutions, but rather merely to explain to users how they can disable the feature themselves — something that we’d strongly recommend you do before you host your next meeting — you can find Zoom’s instructions here.

It’s important to keep in mind that there was never any evidence that Zoom itself did any of this maliciously, but the company’s overriding priority seemed to have been to make using Zoom as frictionless as possible, making whatever compromises were necessary to save even one additional click for users who were invited to join Zoom meetings. To be fair, one of the reasons Zoom has risen to popularity is that it is ridiculously easy for a new user to get up and running with the native Zoom client, but the price that we’ve had to pay in order to have this seamless user experience has been far too high, and it seems that Zoom itself has finally conceded this point, and is taking steps to do better.
