PSA: Zoom is not secure, leaking emails, and other issues

[captive]

Since lots of people are all using Zoom now more and more security focused people have focused their attention on Zoom.

Turns out:
its not end to end encrypted
its adding people to the same "tenant" i guess if you sign up with @gmail.com or @outlook.com, meaning everyone can see everyone else with those public email address services
they were sending zoom users data to facebook
uses MacOs malware techniques to install

and more

Zoom faces a privacy and security backlash as it surges in popularity

Concerns are growing over Zoom’s privacy and security policies

www.theverge.com

Zoom is Leaking Peoples' Email Addresses and Photos to Strangers

For at least a few thousand people, Zoom has treated their personal email addresses as if they all belong to the same company, letting them video call each other.

www.vice.com

Maybe we shouldn't use Zoom after all

After a year of security and privacy scandals, should we trust Zoom to keep our video calls private?

techcrunch.com

'Zoom-Bombing' Hijacks Online Class Meetings In Massachusetts, FBI Warns

Make sure uninvited guests don't crash your next video conference.

boston.cbslocal.com

sucks because i even recommended it to my wife who's a psychologist and using it to do therapy sessions with patients.

 

[Walter White Walker]

My kids started school from home on Monday. Some teachers wanted to use Zoom but the school district quickly nixed that, I'm assuming due to security concerns.

 

[NealMcCauley]

I got an email from the chancellor at the uni I work for that someone "hacked" into a high level zoom meeting and started posting racist material.

 

[CitizenVectron]

I've seen this, but I've also seen the counter argument that lots of cloud services do this (in terms of generic tracking, like Google, Facebook, etc). I've also read that if you want to be able to save a video so others (who missed it) can watch later, you aren't going to have end-to-end encryption.

Not sure which side is right, I don't know a lot about it.

 

[nsilvias]

Chicago Politicians' Zoom Call Interrupted By Porn-Streaming Hijackers

PILSEN — A virtual press conference hosted by Chicago politicians was cut short after someone hijacked the conference call and started streaming

blockclubchicago.org

 

[evrythngwastakn]

Yup. Our school district is crazy about it (except students can't use it because it doesn't meet privacy requirements yet we staff are forced to use it). But Facebook, Google, and those front door cameras everyone has have proven people give less than zero fucks about privacy as long as it's cheap/free.

 

[OrakioRob]

Thanks for sharing the info, op!

My kids started school from home on Monday. Some teachers wanted to use Zoom but the school district quickly nixed that, I'm assuming due to security concerns.

Click to shrink...

Same here, but the school is still using it 0_0

 

[Shodan14]

Should have never left discord.

 

[entremet]

Chicago Politicians' Zoom Call Interrupted By Porn-Streaming Hijackers

PILSEN — A virtual press conference hosted by Chicago politicians was cut short after someone hijacked the conference call and started streaming

blockclubchicago.org

Click to shrink...

Why are ppl so awful? Troll culture sucks so much.

 

[Komo]

Legit not surprised facebook somehow exploited into this

My kids started school from home on Monday. Some teachers wanted to use Zoom but the school district quickly nixed that, I'm assuming due to security concerns.

Click to shrink...

Discord is like millions time more secure then anything using facebook SDK.

Sadly this is basically ruined their rep now.

 

[Mariolee]

Why are ppl so awful? Troll culture sucks so much.

Click to shrink...

For the lulz.

It's a damn shame.

 

[Shodan14]

Legit not surprised facebook somehow exploited into this

Discord is like millions time more secure then anything using facebook SDK.

Sadly this is basically ruined their rep now.

Click to shrink...

I'd expect anyone with an IT department to be using Teams at the very least..

 

[Wrexis]

That tenant issue is really dumb. I mean it sounds great in theory, anyone from a business with an email of @companyname.com gets linked together makes total sense, but you don't do that for public domains...

 

[Deleted member 42472]

My kids started school from home on Monday. Some teachers wanted to use Zoom but the school district quickly nixed that, I'm assuming due to security concerns.

Click to shrink...

Almost assuredly nothing to do with security and everything to do with the district having picked a solution and paid for support (or at least "training") for a different solution.
Could also have been zoom's licensing model. For consumers most of these are free. For orgs there are a lot more constraints

 

[Komo]

I'd expect anyone with an IT department to be using Teams at the very least..

Click to shrink...

I mean as much as I like teams it's seriously useless for things like this. It's just not well built at all.

 

[diakyu]

Yeah I brought up all this to one of my professors and she decided to change the way we were gonna do online teaching lol

 

[Ghost Rider]

I'm a teacher. Had plenty of fights with colleagues about not using.

 

[GiantEnemyCrab]

b-b-but it's so convenient!

 

[Kyrios]

Yeesh, better tell my sister about this.

 

[Ambitious]

I've seen this, but I've also seen the counter argument that all cloud services do this (in terms of generic tracking, like Google, Facebook, MS, etc). If you want to be able to save a video so others (who missed it) can watch later, you aren't going to have end-to-end encryption.

Not sure which side is right.

Click to shrink...

And yet, they claim that they have it.

 

[Palette Swap]

This thread was eye opening :

 

[The Albatross]

Zoom is the only platform that our public school system approved with their privacy policy. I think it's more than likely that zoom is the only platform that the school system asked their general counsel to look into, more so out of laziness than actually hunting for alternatives.

But, w/e. I used to use it with clients because it was the easiest screenshare to get going and no login required for them.

It's kinda funny because our school system uses Google Classroom, but they're encouraging teachers to use Zoom for their meetups. I don't know if Google Classroom comes bundled with Hangouts Meet or not, or any of Google's other video platforms.

This thread was eye opening :

Click to shrink...

Zoom has shady privacy agreement and installation methods but that doesn't make it malware, that's a dumb conclusion or misuse of the word "malware"

Also a lot of the reason my clients have used Zoom in the past was specifically because of this ... "Click a link and it just works!" "No headaches like with Citrix!" :D

 

[Chopchop]

That sucks. What's a good video call service, then?

Why are ppl so awful? Troll culture sucks so much.

Click to shrink...

I never understood troll culture. It's such bottom of the barrel behavior.

"Hey, I'm too edgy to be a decent person but I'm starved for attention and I hate myself. So instead of working to make myself better, I'm going to roll with the self-hate and work hard to make as many people hate me as possible! Getting attention that way makes me cool, right? right????" It only gets you approval from people who are just as miserable and shitty.

 

[LProtagonist]

Our school decided not to use Google Meet, as it's easy for people to get into that weren't invited. Zoom apparently has protections against that, but there's all these issues too...

 

[Guzim]

I am a teacher, and I've been using Google Meet to talk to colleagues. I don't even think Zoom was going to be used, and reading those articles, I am glad we haven't used it.

 

[Deepwater]

I mean as much as I like teams it's seriously useless for things like this. It's just not well built at all.

Click to shrink...

Every Teams call I've had within my organization has been by far the best among the available solutions (the others being Zoom and Webex). Call quality has consistently been te best in my experience.

are you referring to handling large conference calls with 6+ people?

 

[captive]

I got an email from the chancellor at the uni I work for that someone "hacked" into a high level zoom meeting and started posting racist material.

Click to shrink...

yea its part of the "zoombombing" thing. Apparently Zooms default is that if you have the URL for the link you can get in. Instead setting the default to have a pin or key code to get in.

I've seen this, but I've also seen the counter argument that all cloud services do this (in terms of generic tracking, like Google, Facebook, MS, etc). If you want to be able to save a video so others (who missed it) can watch later, you aren't going to have end-to-end encryption.

Not sure which side is right.

Click to shrink...

um please don't spread FUD like this. MS is very secure. And they care about security a lot. Teams data is encrypted in transit and at rest.

That tenant issue is really dumb. I mean it sounds great in theory, anyone from a business with an email of @companyname.com gets linked together makes total sense, but you don't do that for public domains...

Click to shrink...

yea seems like a really easy thing to prevent.

 

[captive]

I mean as much as I like teams it's seriously useless for things like this. It's just not well built at all.

Click to shrink...

this simply isn't true, i attended a conference in march where we regularly had 150-250 people on with someone screen sharing and experience no issues.

At the same time MS did a all hands meeting for the entire company on teams.

 

[Mivey]

Zoom seems fine for a smaller scale corporate solution (in the sense of few millions of users), it wasn't meant to scale so quickly and it's clear in its design that they don't expected it to ever be used in teaching or other privacy critical areas.
From a technical perspective, though, it's really remarkable how well it manages despite the probably insane increase in users.

To expand on this point: there are some rudimentary features to lock things down, with passwords and such, but they are not turned on by default. I assume in a corporation using it, those things could be handled by the IT staff, but you can't expect schools and other organizations with zero experience and preparation to handle this.

The data abuse is problematic, but to be fair, I doubt Skype is much better about this. It's good to be more sensitive on these issues going forward, though.

 

[finalflame]

If you want enterprise grade security, Zoom ain't it. It's a startup, and has all the problems of a small team trying to scale too fast.

 

[entremet]

Zoom seems fine for a smaller scale corporate solution (in the sense of few millions of users), it wasn't meant to scale so quickly and it's clear in its design that they don't expected it to ever be used in teaching or other privacy critical areas.
Like, there are some rudimentary features to lock things down, with passwords and such, but they are not turned on by default. I assume in a corporation using it, those things could be handled by the IT staff, but you can't expect schools and other organizations with zero experience and preparation to handle this.

The data abuse is problematic, but to be fair, I doubt Skype is much better about this. It's good to be more sensitive on these issues going forward, though.

Click to shrink...

Yep. it's the reason it's popular with startups and smaller companies. Bigger companies go with Webex.

If you want enterprise grade security, Zoom ain't it. It's a startup.

Click to shrink...

They're publically traded, tho? Huge office and such.

 

[DickGrayson]

East of Use usually = Ease of Access

So, like, duh.

 

[Kittens McMittens]

So, I got an email from a lecturer saying it would be in Zoom. I clicked on the link and it took me to a web page which brought up a system popup saying 'open in zoom.us', which i clicked. All of a sudden the application just opened.

Like, I have no memory if installing it on my Mac. The file creation date is from back in Dec 2019, but I can't find any evidence I used it before today.

 

[Rosebud]

So that's why my professor changed to Google Meet

 

[Deepwater]

So, I got an email from a lecturer saying it would be in Zoom. I clicked on the link and it took me to a web page which brought up a system popup saying 'open in zoom.us', which i clicked. All of a sudden the application just opened.

Like, I have no memory if installing it on my Mac. The file creation date is from back in Dec 2019, but I can't find any evidence I used it before today.

Click to shrink...

Remove Zoom From Your Mac Right Now

The Zoom video conferencing app contains two big security issues for Mac users. First, uninstalling the app the regular way doesn’t actually remove it from your system; instead, by installing Zoom, you’ve actually installed a persistent web server on your system that can be used to reinstall the...

lifehacker.com

 

[captive]

Zoom seems fine for a smaller scale corporate solution (in the sense of few millions of users), it wasn't meant to scale so quickly and it's clear in its design that they don't expected it to ever be used in teaching or other privacy critical areas.
From a technical perspective, though, it's really remarkable how well it manages despite the probably insane increase in users.

To expand on this point: there are some rudimentary features to lock things down, with passwords and such, but they are not turned on by default. I assume in a corporation using it, those things could be handled by the IT staff, but you can't expect schools and other organizations with zero experience and preparation to handle this.

The data abuse is problematic, but to be fair, I doubt Skype is much better about this. It's good to be more sensitive on these issues going forward, though.

Click to shrink...

If you want enterprise grade security, Zoom ain't it. It's a startup, and has all the problems of a small team trying to scale too fast.

Click to shrink...

sorry if your product has been publicly available for 7 years you're not a startup anymore.

hell i work for a company thats been around for 3 and we don't call ourselves a startup.

 

[Kittens McMittens]

Remove Zoom From Your Mac Right Now

The Zoom video conferencing app contains two big security issues for Mac users. First, uninstalling the app the regular way doesn’t actually remove it from your system; instead, by installing Zoom, you’ve actually installed a persistent web server on your system that can be used to reinstall the...

lifehacker.com

Click to shrink...

Like, as far as I can tell I never actually legitimately downloaded or attempted to install Zoom at all, ever. I don't recall browsing to Zoom.us to install it. The date and it claimed to have been created and installed I would have been asleep, as it was before my lecture for that day.

I think by clicking on the system popup, I agreed to some kind of client install script? That's a malware social engineering trick. That's wild.

 

[Martin]

Yeah, my faculty also doesn't want to use zoom. The program wants root rights and other stuff.

 

[mbpm]

"Hey, I'm too edgy to be a decent person but I'm starved for attention and I hate myself. So instead of working to make myself better, I'm going to roll with the self-hate and work hard to make as many people hate me as possible! Getting attention that way makes me cool, right? right????" It only gets you approval from people who are just as miserable and shitty.

Click to shrink...

it's simple. They think everyone is like them, or at least everyone they might care about.

 

[RastaMentality]

 

[Palette Swap]

I'm curious to see how Teams for Home will take off after all this. I still hate the way Teams manages a lot of things, but call quality is great.

Zoom is the only platform that our public school system approved with their privacy policy. I think it's more than likely that zoom is the only platform that the school system asked their general counsel to look into, more so out of laziness than actually hunting for alternatives.

But, w/e. I used to use it with clients because it was the easiest screenshare to get going and no login required for them.

It's kinda funny because our school system uses Google Classroom, but they're encouraging teachers to use Zoom for their meetups. I don't know if Google Classroom comes bundled with Hangouts Meet or not, or any of Google's other video platforms.



Zoom has shady privacy agreement and installation methods but that doesn't make it malware, that's a dumb conclusion or misuse of the word "malware"

Also a lot of the reason my clients have used Zoom in the past was specifically because of this ... "Click a link and it just works!" "No headaches like with Citrix!" :D

Click to shrink...

As much shit as I give Cisco all year long, I got stuck without admin rights on my work laptop and managed to install WebEx Teams without any kind of particular rights ? So it's not like Zoom are the only ones doing that.
(The eye opening part was about the user tracking features)

 

[Deleted member 8741]

Anyone have a suggestion of a better video chat platform for multiparty usage?

 

[Shodan14]

Anyone have a suggestion of a better video chat platform for multiparty usage?

Click to shrink...

I think Discord does video chat as well.

 

[Deepwater]

Like, as far as I can tell I never actually legitimately downloaded or attempted to install Zoom at all, ever. I don't recall browsing to Zoom.us to install it. The date and it claimed to have been created and installed I would have been asleep, as it was before my lecture for that day.

I think by clicking on the system popup, I agreed to some kind of client install script? That's a malware social engineering trick. That's wild.

Click to shrink...

Yes from what I understand even the Browser extension effectively installs a localhost client that can be called upon whenever you access a link from the browser. Very malware-like.

even if you installed-then-uninstalled the desktop pkg separately, it will continue to do that unless you go under the hood to remove it

 

[Deleted member 8741]

I think Discord does video chat as well.

Click to shrink...

I think it would be hard to get my work teams on Discord frankly.

 

[Deleted member 11985]

Man, I would not want to be working at Zoom right now. The had a meteoric rise out of nowhere because of coronavirus, and now it looks like they're setting up for a meteoric fall.

 

[Shodan14]

I think it would be hard to get my work teams on Discord frankly.

Click to shrink...

Get MS Teams if you want a professional solution. Every one of the free ad hoc ones is going to have some problems.

 

[Deleted member 18502]

Video conferencing is a security risk that hasn't been completely solved for.

 

[Kittens McMittens]

Yes from what I understand even the Browser extension effectively installs a localhost client that can be called upon whenever you access a link from the browser. Very malware-like.

even if you installed-then-uninstalled the desktop pkg separately, it will continue to do that unless you go under the hood to remove it

Click to shrink...

Cheers for the info. It's insane they'd do this to install their product. The thing is fully code-signed anyway - there's no need for them to be doing all this shady shit!

My school is moving over to Teams now. I think Teams is free for schools anyway.

 

[Brofield]

Anyone have a suggestion of a better video chat platform for multiparty usage?

Click to shrink...

Seconding this and looking for suggestions. I'd say Skype, but doesn't that require a subscription for multiparty chat? WhatsApp is great for phone or desktop, but again that's only two cameras at a time.

Like, for informal friend gatherings I can't imagine it's bad, but just in general I want myself and my friends to have peace of mind and security.