Zoom: We're freezing all new features to sort out security and privacy

As SpaceX bans its workers from using it, Zoom says all feature development is halted to work on security.
Written by Liam Tung, Contributing Writer

Elon Musk's SpaceX has banned employees from using video-conferencing app Zoom over "significant privacy and security concerns", according to a memo seen by Reuters.

In response to these concerns, Zoom has announced it is immediately freezing feature development for 90 days to improve security and privacy and will conduct a third-party security review. 

The COVID-19 coronavirus outbreak has brought mixed blessings for Zoom, sending user numbers and its share price skyrocketing as workers and students across the globe work from home. But it's also brought more scrutiny on the company's product security and privacy standards. 

SpaceX acknowledged that many of its 6,000 workers had been using Zoom for meetings but on March 28 it instructed all employees to use email, text or phone instead. 


US space agency NASA has also banned employees from using Zoom. 

Yesterday, researchers detailed two new security bugs found in the Zoom app. The Zoom Windows client was leaking network credentials due to the app rendering UNC file paths as a clickable link in group chat windows. 
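As an added illustration (not code from the article or from Zoom), the following Python linkifier shows the two behaviours side by side over constructed chat lines: with `allow_unc=True` it reproduces the bug described above, turning `\\host\share` paths (and `file://` URLs) into clickable links, while with `allow_unc=False` only `http(s)` URLs are linked. The sample messages and host names are constructed.

```python
import re

# Constructed sample chat lines (not from the article) covering the cases a
# chat linkifier has to handle: a web link, a UNC path, a file:// URL, no link.
SAMPLE_CHAT = [
    "agenda: https://example.com/agenda",
    "notes in \\\\fileserver.example\\share\\notes.txt",
    "or try file://fileserver.example/share/notes.txt",
    "no links here",
]

# Anything that looks like a scheme://... URL or a \\host\share UNC path.
CANDIDATE_RE = re.compile(r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://\S+|\\\\\S+")
# The only schemes a chat client should turn into clickable links.
ALLOWED_SCHEMES = {"http", "https"}

def linkify(message, allow_unc=False):
    """Split a chat message into (text, href) segments; href is None for plain text.

    allow_unc=True mirrors the behaviour the article describes: a UNC path or
    file:// URL becomes a link, so a click makes Windows open an SMB connection
    to the named host and attempt NTLM authentication with the user's credentials.
    allow_unc=False is the hardened form: only allow-listed schemes become links."""
    segments, pos = [], 0
    for m in CANDIDATE_RE.finditer(message):
        token = m.group(0)
        scheme = (m.group("scheme") or "").lower()
        smb_path = token.startswith("\\\\") or scheme == "file"
        href = token if scheme in ALLOWED_SCHEMES or (allow_unc and smb_path) else None
        if m.start() > pos:
            segments.append((message[pos:m.start()], None))
        segments.append((token, href))
        pos = m.end()
    if pos < len(message):
        segments.append((message[pos:], None))
    return segments

def hrefs(message, allow_unc=False):
    """The links a client would render for this message."""
    return [href for _, href in linkify(message, allow_unc) if href]

def unc_links(message):
    """Detection helper: the UNC / file:// tokens a naive client would have made clickable."""
    return [h for h in hrefs(message, allow_unc=True)
            if h.startswith("\\\\") or h.lower().startswith("file://")]

def flag_unc_messages(messages):
    """Defender check over a chat log: messages carrying a UNC path or file:// URL."""
    return [m for m in messages if unc_links(m)]
```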

Then, Patrick Wardle, a former NSA hacker and founder of Apple-focused security company Objective-See, disclosed a new vulnerability in the macOS Zoom installer, which was using a deprecated and insecure application programming interface in macOS.

This week Zoom was also slammed by The Intercept for allegedly misleading users about the platform's end-to-end (E2E) encryption. Zoom has admitted that E2E encryption is not currently possible for Zoom video meetings and that it instead uses transport layer security (TLS) encryption.

And last week Zoom removed the Facebook SDK in its iOS app after a report that it was sending device analytic data to Facebook, even for users without a Facebook account.    

The other issue facing Zoom is how new users are sharing meeting and classroom links. The FBI Boston Division this week warned schools about two cases of strangers 'zoom-bombing' online classrooms at two separate Massachusetts-based high schools.

In one instance, a stranger yelled profanity and shouted the teacher's home address. In the other, the video hijacker was visible to students and bore swastika tattoos. 

The FBI cautioned schools against making meetings or classrooms public and urged them to require a meeting password. Additionally, it advised against sharing links to classrooms on publicly available social-media posts. 

April 1 was a busy day for Zoom. In a new blogpost, Zoom founder Eric Yuan outlined that it has released a fix for the UNC link issue in the Windows client.

It also released fixes for the macOS issues reported by Wardle, and published a blog "acknowledging and apologizing for the confusion" around its E2E encryption claims. Zoom also denied having built a mechanism to decrypt live meetings for lawful intercept purposes.

Additionally, it removed the attendee attention tracker feature and removed the LinkedIn Sales Navigator in Zoom, which it found was unnecessarily disclosing data. 

Yuan said Zoom was immediately freezing all new feature development and turning its engineers to the platform's trust, safety, and privacy issues.  

Zoom will also commence a "comprehensive review with third-party experts and representative users to understand and ensure the security of all our new consumer use cases".


Responding to its recent issues, Yuan noted that Zoom was primarily built for enterprise customers with IT support teams.  

"However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," explained Yuan. 

Zoom's free and paid users have grown from 10 million in December 2019 to 200 million daily meeting participants in March, according to Yuan.  

Additional steps that Zoom is taking include a transparency report and penetration tests: 

  • Preparing a transparency report that details information related to requests for data, records, or content.
  • Enhancing its current bug-bounty program.
  • Launching a CISO council in partnership with leading CISOs from across the industry to facilitate debate on security and privacy best practices.
  • Engaging a series of simultaneous white-box penetration tests to further identify and address issues.
  • Starting next week, Yuan will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to the Zoom community.