
posted by martyb on Monday April 20 2020, @02:22AM
from the 200-Million-Daily-Telescreens?-See:-"1984" dept.

Zoom: Every security issue uncovered in the video chat app:

As the coronavirus pandemic forced millions of people to stay home over the past month, Zoom suddenly became the video meeting service of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March.

With that popularity came Zoom's privacy risks extending rapidly to massive numbers of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (in which uninvited attendees break into and disrupt meetings with hate-filled or pornographic content), Zoom's security practices have been drawing more attention -- along with at least three lawsuits against the company.

Here's everything we know about the Zoom security saga, and when it happened. If you aren't familiar with Zoom's security issues, you can start from the bottom and work your way up to the most recent information. We'll continue updating this story as more issues and fixes come to light.

The story provides a day-by-day list with details of what was reported. Apologies as there are no anchors in the story to which we could provide links. The dates and headlines are excerpted below. See the original story for the details.

April 16
Two new massive Zoom exploits uncovered
Zoom to revamp bug bounty
April 15
$500,000 price tag for new exploit
April 14
Suit filed against Facebook and LinkedIn
New privacy option for paid accounts
April 13
500,000 Zoom accounts sold on hacker forums
April 10
Pentagon restricts Zoom use
April 9
Senate to avoid Zoom
Singapore teachers banned from Zoom
German government warns against Zoom use
April 8
Fourth lawsuit
Google bans Zoom
Bug bounty hunters emerge
New security advisor and council
Classroom security
Usability versus security
IDs hidden
Weekly webinars
AI Zoombomb
April 7
Taiwan bans Zoom from government use
April 6
Some school districts ban Zoom
Zoom accounts found on the dark web
Zoom seeks to grow its lobbying presence in Washington
Urging an FTC investigation
Third class action lawsuit filed
April 5
Calls mistakenly routed through Chinese whitelisted servers
April 4
Another Zoom apology
April 3
Zoom video call records left viewable on the web
Attackers planning 'Zoomraids'
Zoom apologizes, again
Second class action lawsuit filed
Congress requests information
April 2
Automated tool can find Zoom meetings
More plans for Zoombombing
Data-mining feature discovered
April 1
SpaceX bans Zoom
More security flaws discovered
Apologies from Yuan
March 30
The Intercept investigation: Zoom doesn't use end-to-end encryption as promised
More bugs discovered
First class action lawsuit filed
Letter from New York Attorney General sent
Classroom Zoombombings reported
March 27
Zoom removes Facebook data collection feature
March 26
Motherboard investigation: Zoom iOS app sending user data to Facebook


Related Stories

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform 21 comments

Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform:

Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company's massive user base.

"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once," Eric Yuan, CEO of Zoom, said in a statement.

Zoom said it would offer an end-to-end encrypted meeting mode to all paid accounts.

[...] "This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses," Yuan wrote in a blog post. "Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."

Details on Zoom's encryption roadmap are available on the Zoom blog.

(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-17) Looking for Alternative, Self-Hosted Audio (or Video) Chat Services
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China

Also at TechCrunch and The Verge.


Zoom Will Provide End-to-End Encryption to All Users 23 comments

Zoom will provide end-to-end encryption to all users:

Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.

"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.

"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."

This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.

[...] To provide all Zoom users with access to E2EE, Yuan says that they will first have to verify their accounts through various means, such as by verifying their phone numbers via text messages.

  • (Score: 2) by Snotnose on Monday April 20 2020, @02:13AM

    by Snotnose (1623) on Monday April 20 2020, @02:13AM (#984988)

    I mean, who would have thought everyone would be stuck at home and suddenly using your platform?

    Then again, you were shifty as hell. End to end encryption, where one end is your servers? Yeah, you got called out on your bullshit.

    Then again, had attention not focused on them so fast and heavily who knows how much personal info they could have vacuumed up and monetized before getting caught?

    It's not like they even had shitty security, they had "security" that was designed to collect as much info on everyone as possible. I for one hope that a year from now Zoom will be a "could have should have" company that's now in a graveyard.

    I hate it when I see an old person, then realize we went to high school together.
  • (Score: 5, Interesting) by Runaway1956 on Monday April 20 2020, @04:06AM (2 children)

    by Runaway1956 (2926) on Monday April 20 2020, @04:06AM (#984996)

    How did all the major tech companies get where they are today? Not by beating the "security" drum.

    Release a product. Bolt on some additional features. Analyze feedback, bolt on some more features. If/when called out on security, bolt on something that resembles security. Adapt the whole mess for use on "mobile devices". Write contracts to sell all the data collected. Track users through social media. Bolt on a few more features that no one wants, as disguise for yet more "telemetry" data. If/when security issues are exposed, bolt on something impressive looking, and make grandiose claims for security. If everything collapses, just change names of the company and the product, and start over.

    Through a Glass, Darkly -George Patton
    • (Score: 0) by Anonymous Coward on Monday April 20 2020, @04:51AM (1 child)

      by Anonymous Coward on Monday April 20 2020, @04:51AM (#985007)

      Calls mistakenly routed through Chinese whitelisted servers

      This is the difference. Although the Average Joe might prefer China spying on them to the NSA, CIA, and FBI spying on them.

      • (Score: 1, Funny) by Anonymous Coward on Monday April 20 2020, @08:34AM

        by Anonymous Coward on Monday April 20 2020, @08:34AM (#985031)
        And maybe that's a feature, if you're one of those activist types... Imagine if a lot of people start using keywords like tiananmen, uyghur, jihad in their Zoom meetings just to clog the Chinese Gov's systems with videos of their cats, paint drying, etc.
  • (Score: 0) by Anonymous Coward on Monday April 20 2020, @03:36PM

    by Anonymous Coward on Monday April 20 2020, @03:36PM (#985117)

    Their stock is up 17% over the past 10 days, and holding steady.

  • (Score: 3, Insightful) by mth on Monday April 20 2020, @05:51PM (2 children)

    by mth (2848) on Monday April 20 2020, @05:51PM (#985168)
    Since it has so many issues, what is it that keeps people using the tool? Is it really just the publicity or is there something it gets right? I've been using Jitsi instead, which is open source and very easy to use.
    • (Score: 1) by RandomFactor on Monday April 20 2020, @08:45PM

      by RandomFactor (3682) on Monday April 20 2020, @08:45PM (#985218)

      I've heard it described as 'low friction' - easy to set up and use. Works with everything. Higher quality video streams over poorer connections. Also, it was used before by a relatively tech-capable base (business users).

      But security is ever the natural opponent of ease-of-use, as they've likely noticed :-)

      Regarding the TFA

      1) Most of the "security issues" are organizations not using Zoom, lawsuits, article links, bug bounties, company statements.... None of those are security problems, those are pile-on.
      2) I wish issues which are already resolved were noted as such. This would be far more interesting if it differentiated outstanding privacy and security issues.

      In Pravda there is no news, and in Izvestia there is no truth
    • (Score: 0) by Anonymous Coward on Tuesday April 21 2020, @12:59AM

      by Anonymous Coward on Tuesday April 21 2020, @12:59AM (#985296)

      It's like Facebook. Everybody starts using it because they hear everybody is using it.