The coronavirus outbreak has forced people to rely on conferencing apps and that has brought Zoom some overnight success. However, the company has been suffering from its own fame as researchers disclosed several Zoom related vulnerabilities.
Now, The New York Times has discovered a potential data mining bug in Zoom that is leaking data from people’s LinkedIn profiles. The vulnerability is hitting those who have subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once the service has been enabled, they could quickly access LinkedIn data of everyone on the call without them knowing about it. The data includes locations, employer names and job titles.
In tests conducted last week, The Times found that even when a reporter signed in to a Zoom meeting under pseudonyms — “Anonymous” and “I am not here” — the data-mining tool was able to instantly match him to his LinkedIn profile. In doing so, Zoom disclosed the reporter’s real name to another user, overriding his efforts to keep it private.
Reporters also found that Zoom automatically sent participants’ personal information to its data-mining tool even when no one in a meeting had activated it. This week, for instance, as high school students in Colorado signed in to a mandatory video meeting for a class, Zoom readied the full names and email addresses of at least six students — and their teacher — for possible use by its LinkedIn profile-matching tool, according to a Times analysis of the data traffic that Zoom sent to a student’s account.
– The New York Times
Thankfully, Zoom has acted on the Times findings and is in process of disabling the feature. In a statement, the company said it took users’ privacy “extremely seriously” and was “removing the LinkedIn Sales Navigator to disable the feature on our platform entirely.” In a separate statement given to The NYT, LinkedIn said, it worked “to make it easy for members to understand their choices over what information they share” and would suspend the profile-matching feature on Zoom “while we investigate this further.”
People don’t know this is happening and that’s just completely unfair and deceptive.
– Josh Golin, Executive Director, Campaign for a Commercial-Free Childhood
It’s a combination of sloppy engineering and prioritizing growth. It’s very clear that they have not prioritized privacy and security in the way they should have, which is obviously more than a little concerning.
– Jonathan Mayer, Assistant professor (Computer Science), Princeton University
On Thursday, it sent an automated message to users saying it had disabled the LinkedIn profile-matching feature “due to administrative issues.” “We will notify you when the app is re-enabled,” the message read.
Earlier today, the company paused all the feature updates to concentrate on fixing the security issues. Over the next 90 days, Zoom will be using all its resources to better identify, address, and fix security and privacy issues proactively. So, Zoom won’t be adding any new features in the next 3 months. It will also conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of its service. Learn more about this announcement here.