Ever since the coronavirus pandemic began, Zoom has seen an influx of users who rely on the platform to stay connected with their loved ones or use it as a video conferencing tool while working from home. We have reported several vulnerabilities in the past, but the new issue that recently came to light is not the result of a vulnerability.
According to The Washington Post, thousands of private Zoom recordings are available for anyone to watch online. The news outlet was tipped off about the issue by security researcher Patrick Jackson, who found 15,000 examples when he ran a scan of unsecured cloud storage. Furthermore, Mashable ran scans on YouTube, Google, and Vimeo and found several recordings available for anyone to watch. We personally tried YouTube and identified a couple of recordings that were uploaded unintentionally by users. Like Mashable and The Washington Post, we won’t be revealing the recordings in the interest of user privacy.
Mashable noted that it could be a mistake by people who uploaded the private recordings to public servers. However, they also noted that if 15,000 people made a mistake, it could be a design fault rather than the carelessness of the user.
Patrick Jackson told The Washington Post that Zoom could do a better job of cautioning users about the recordings and could save them under a unique name that is harder to guess, making the recordings harder to find online even if someone mistakenly uploads them to a public server or public cloud.
Zoom’s spokesperson sent a statement to Mashable making it clear that users should be cautious while uploading the recordings to the internet.
“Zoom notifies participants when a host chooses to record a meeting, and provides a safe and secure way for hosts to store recordings. Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud. Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.”
Recently, Zoom announced that the company will be pausing feature updates to concentrate on fixing the security issues. Over the next 90 days, the company will be using all its resources to better identify, address, and fix security and privacy issues proactively. So, Zoom won’t be adding any new features in the next 3 months. It will also conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of its service.