from the 200-Million-Daily-Telescreens?-See:-"1984" dept.
As the coronavirus pandemic forced millions of people to stay home over the past month, Zoom suddenly became the video meeting service of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March.
With that popularity came Zoom's privacy risks extending rapidly to massive numbers of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (in which uninvited attendees break into and disrupt meetings with hate-filled or pornographic content), Zoom's security practices have been drawing more attention -- along with at least three lawsuits against the company.
Here's everything we know about the Zoom security saga, and when it happened. If you aren't familiar with Zoom's security issues, you can start from the bottom and work your way up to the most recent information. We'll continue updating this story as more issues and fixes come to light.
The story provides a day-by-day list with details of what was reported. Apologies as there are no anchors in the story to which we could provide links. The dates and headlines are excerpted below. See the original story for the details.
- April 16
  - Two new massive Zoom exploits uncovered
  - Zoom to revamp bug bounty
- April 15
  - $500,000 price tag for new exploit
- April 14
  - Suit filed against Facebook and LinkedIn
  - New privacy option for paid accounts
- April 13
  - 500,000 Zoom accounts sold on hacker forums
- April 10
  - Pentagon restricts Zoom use
- April 9
  - Senate to avoid Zoom
  - Singapore teachers banned from Zoom
  - German government warns against Zoom use
- April 8
  - Fourth lawsuit
  - Google bans Zoom
  - Bug bounty hunters emerge
  - New security advisor and council
  - Classroom security
  - Usability versus security
  - IDs hidden
  - Weekly webinars
  - AI Zoombomb
- April 7
  - Taiwan bans Zoom from government use
- April 6
  - Some school districts ban Zoom
  - Zoom accounts found on the dark web
  - Zoom seeks to grow its lobbying presence in Washington
  - Urging an FTC investigation
  - Third class action lawsuit filed
- April 5
  - Calls mistakenly routed through Chinese whitelisted servers
- April 4
  - Another Zoom apology
- April 3
  - Zoom video call records left viewable on the web
  - Attackers planning 'Zoomraids'
  - Zoom apologizes, again
  - Second class action lawsuit filed
  - Congress requests information
- April 2
  - Automated tool can find Zoom meetings
  - More plans for Zoombombing
  - Data-mining feature discovered
- April 1
  - SpaceX bans Zoom
  - More security flaws discovered
  - Apologies from Yuan
- March 30
  - The Intercept investigation: Zoom doesn't use end-to-end encryption as promised
  - More bugs discovered
  - First class action lawsuit filed
  - Letter from New York Attorney General sent
  - Classroom Zoombombings reported
- March 27
  - Zoom removes Facebook data collection feature
- March 26
  - Motherboard investigation: Zoom iOS app sending user data to Facebook
Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company's massive user base.
"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once," Eric Yuan, CEO of Zoom, said in a statement.
Zoom said it would offer an end-to-end encrypted meeting mode to all paid accounts.
[...] "This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses," Yuan wrote in a blog post. "Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."
Details on Zoom's encryption roadmap are available on the Zoom blog.
(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-17) Looking for Alternative, Self-Hosted Audio (or Video) Chat Services
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China
Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.
"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.
"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."
This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.
[...] To provide all Zoom users with access to E2EE, Yuan says that they will first have to verify their accounts through various means such as by verifying their phone numbers via text messages.