Zoom, a video conferencing software company that went public last year, has gained popularity during the global pandemic. Thousands of people have flocked to the platform, not only to work remotely but also to stay in touch with friends and family. Its daily active users surged from around 20 million to 200 million.
However, what they didn’t know was that the app comes with multiple privacy and security risks.
The application uses randomly generated IDs and does not require passwords to join calls. Hence, automated tools can easily gather meeting IDs and account information.
Moreover, according to the cybersecurity firm Sixgill, compromised Zoom accounts were being shared on the dark web. Around 352 accounts belonging to individuals, startups, and educational institutes were compromised, and the details were shared on a popular dark web forum. The leaked details included:
- Email address
- Meeting ID
- Host key
Dov Lerner, a security research lead at Sixgill, while talking to Mashable, said:
“In comments on this post, several actors thanked him for the post, and one revealed intention to troll the meetings. The accounts could certainly be used to troll the owner of the account or those who are joining the owner’s calls, but these credentials could also be used for corporate or personal eavesdropping, identity theft, and other nefarious actions. There’s a number of ways a malicious actor could use these stolen accounts.”
The collection of compromised accounts was found on 1st April 2020. The newfound fame of this application has brought to light several issues with the service.
The application can be used by employers to spy on their employees. Moreover, Zoom was found to be unnecessarily providing user data to Facebook, as well as mining data from LinkedIn without the company’s knowledge.
Amidst all this, Zoom’s CEO Eric Yuan has apologized for the prevailing issues and promised to get them fixed as soon as possible.