Zoom says it will fix security holes that video hackers have exploited
Zoom Video Communications has disabled some of its user features so staffers can fix security flaws that have led to waves of hackers conducting "Zoom-bombing" attacks on the video conferencing platform.
CEO Eric Yuan said Zoom engineers will spend the next 90 days focused on fixes as part of the company's larger goal to restore trust in the millions of people who using the conferencing service worldwide as they work from home amid shelter-in-place orders from public health authorities fighting the spread of the novel coronavirus.
The plan comes just days after a California man filed a lawsuit against Zoom, alleging the company illegally sold user data to Facebook. Zoom's founder has since admitted security holes that allowed for an influx of Zoom-bombing were a mistake.
"We recognize that we have fallen short of the community's – and our own – privacy and security expectations," Yuan said in a blog post Wednesday. "For that, I am deeply sorry."
Zoom-bombing happens when a hacker joins a video conference and posts pornographic or hate images. Two Massachusetts schools were Zoom-bomb victims last month. The National Association of Real Estate Brokers held a 200-person Zoom conference on Wednesday that was Zoom-bombed. On the same day, the Laguna Beach City Council in California had its meeting Zoom-bombed with pornography. The incidents have prompted the FBI to issue warnings about potential Zoom-bombing.
Aside from the Zoom lawsuit, New York Attorney General Letitia James has asked Zoom to provide specifics about how the company will safeguard users' data going forward. Connecticut Attorney General William Tong said Friday many states are looking into Zoom's privacy practices.
"While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices," James' office said in a letter to Zoom this week.
Some of the features halted include the attendee attention-tracker feature and the LinkedIn Sales Navigator. The attention tracker gave the presenter a notification when a participant wasn't looking at the material on the Zoom screen. The LinkedIn feature gave some Zoom users in a video conference the option to see participants' LinkedIn profile. Yuan's blog post did not say if Zoom will bring these back after the 90 days or if they're gone permanently.
While engineers work on security issues, Yuan said he will host a Wednesday webinar starting next week with updates on the company's progress. Zoom will ultimately release a transparency report that "details information related to requests for data, records, or content," Yuan said.
Zoom has been thrust into the national spotlight in recent weeks as more Americans use it to take classes or discuss work with fellow employees. In December, Zoom had about 10 million daily participants and that number grew to 200 million daily in March, Yuan said. More than 20,000 schools across 20 countries use Zoom for delivering education.
Publicly traded Zoom's stock price was around $122 a share on Thursday, or double January's price, although down from a late-March high of around $160 a share
Zoom has conducted webinars so new users can learn the platform's functionality. Zoom has also created a K-12 education privacy policy and detailed how users can prevent Zoom-bombing.
Zoom officials haven't said publicly where their security weaknesses lie, but cybersecurity experts said they believe the issue is that video conferences are not end-to-end encrypted. Without end-to-end encryption, it's easier for hackers to know when a video conference is taking place and easier for them to join it and cause mayhem. A Zoom spokesperson told The Intercept that it's not possible to do end-to-end encryption on Zoom meetings.
Yuan said Zoom was initially created for video conferencing at large organizations like banks, universities, government agencies and healthcare companies, all places that would have a dedicated IT staff tasked with safeguarding against hackers.
"We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," Yuan said.