Video chats and video conferencing are the hot things in today’s locked-down world. Services old and new have risen to the challenge of connecting people even when they can’t meet face to face. Not all of those products, however, can be considered foolproof and trustworthy, no matter how popular they are. In fact, the one that has become the most popular is now also the most notorious, as the direct and indirect results of Zoom’s lax security continue to pile up.
In a span of just three months, Zoom’s users grew from 10 million to 200 million because of the sudden need to hold virtual meetings and lessons. Despite many available video conferencing services, including Microsoft Teams and Skype, Zoom won market share because of its extreme ease of use. That convenience, however, has come at a price, and its users are now learning that the hard way.
A new report from The Washington Post reveals how easy it is to discover recorded Zoom videos that users presumed were at least protected from unauthorized eyes. To be clear, this vulnerability only affects Zoom videos saved to third-party cloud storage and not those saved in Zoom itself. The problem, however, is that Zoom, as usual, made it too easy for users to record and upload recordings without giving much thought to the security implications or their consequences.
Zoom hosts can, for example, easily record videos even without participants’ explicit consent, though the latter will at least receive a notification if they’re paying attention. That recording can also be uploaded to cloud storage other than Zoom with an easy-to-discover naming pattern. Add to that the fact that users themselves forget to protect their public cloud storage or files, and you’ve got a recipe for privacy disasters.
Videos exposed to the public have included anything from public events like weddings to intimate moments between participants to confidential business meetings. Something as simple as making video filenames unique could have gone a long way in hampering attempts at discovering these videos. Of course, when you’re a company with little to no security common sense, security best practices are probably non-existent in the first place.