Zoom Is Full of Security Flaws — But You Can Protect Yourself


For months, Zoom has been in the headlines for all the wrong reasons. Now used for everything from pandemic-era yoga retreats to mass layoffs, the company’s popularity stems from the fact that the platform is simple and it works. But its newfound fame has also brought unrelenting attention to the notion that company leaders haven’t taken privacy and security seriously enough.

But are the problems severe enough to warrant ditching Zoom entirely? It depends on what you’re using the platform for, how much time you’re willing to spend protecting yourself, and who you ask.

Some security experts insist Zoom is taking all the right steps to fix the platform’s problems. Others, like Bruce Schneier, have suggested that users may want to steer clear of Zoom entirely until the company proves itself trustworthy.

“You should either lock Zoom down as best you can, or — better yet — abandon the platform altogether,” Schneier said in a recent blog post.

A parade of recent scandals gives ample ammunition to the argument that users shouldn’t be using Zoom for anything remotely sensitive.

Late last month, Zoom found itself on the receiving end of a class action lawsuit after reporters found the service was sending personal data to Facebook without users’ knowledge and consent, even if those users lacked a Facebook account. Journalists also found examples where Zoom was leaking user email addresses and photos to complete strangers.

Other bugs exposed the LinkedIn profile data of other users without permission, or allowed the hijacking of Windows users’ credentials without warning. Zoom’s marketing department was also caught dramatically overstating the quality of the encryption used to secure video traffic.

“Zero day” vulnerabilities allowing hackers access to any Zoom meeting now sell for as much as $500,000 on the dark web. Recordings of everything from small business Zoom meetings to Zoom therapy sessions have been found openly available online.

Then there’s “Zoombombing,” which is shorthand for attackers wielding racist slurs and child pornography to interrupt unsuspecting Zoom sessions. Some school districts have banned the platform, and New York Attorney General Letitia James last month said Zoom hadn’t done enough to fix bugs giving attackers “surreptitious access to consumer webcams.”

Zoom claims the company was simply a victim of its own success, ill-prepared for problems of scale it could have never foreseen.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” the company admitted in a blog post earlier this month.


Zoom’s ill-preparedness for the seriousness of the moment was also reflected in the company’s privacy policy, which, until heavy criticism prompted a recent update, played coy with questions about whether the company technically sells access to your data (Zoom insists it does not, though security experts have often contested the semantics of the claim).

In many ways, Zoom’s privacy problems are perfectly typical of a U.S. tech industry that has long viewed security and privacy as an expensive afterthought. The U.S. still lacks a meaningful privacy law for the internet era, resulting in security violations that are often met with a series of costly and performative wrist slaps, assuming there’s any repercussion at all.

For its part, Zoom insists it’s doing everything in its power to shore up its problems.

Company CEO Eric Yuan stated on April 1 that all new features would be suspended for 90 days to help the company focus on properly securing the platform. Zoom has also hired a number of high-profile security experts to help it transparently address its problems — and revamp the company’s bug bounty program.

But in a country where massive privacy scandals are frequent and frequently unpunished, promises don’t mean a whole lot. Americans are living in the wild west era of online privacy, with no shortage of poorly secured platforms and easily hacked “smart” devices, but a profound shortage of leaders willing to place public privacy over company revenues.

While some security experts are warning users to steer clear entirely, others suggest that the company’s initial efforts to address its security shortcomings are a promising start, and a company that managed to scale such a high-bandwidth platform in the face of a raging pandemic deserves the benefit of the doubt.

“To successfully scale a video-heavy platform to such a size, with no appreciable downtime and in the space of weeks, is literally unprecedented in the history of the internet,” recently blogged former Facebook chief security officer Alex Stamos after being hired as a Zoom consultant.

Users who stick with Zoom should follow steps to protect themselves from vulnerabilities and take the time to understand how Zoombombing works and how it can be avoided. But if you’re using Zoom for sensitive exchanges, your best bet may be to avoid the platform and wait to see if Zoom lives up to its promises.

“We appreciate the researchers and industry partners who have helped — and continue to help — us identify issues as we continuously seek to strengthen our platform,” a Zoom representative told OneZero in a statement.

If you have to use Zoom, there are a number of steps you can take to better secure your conversations, including using a unique meeting ID for each session (Zoom offers a video tutorial on how to generate one), enabling the “waiting room” feature so you can control who is joining your chat, disabling screen sharing for non-hosts, and locking the meeting once it has begun to avoid unwanted intrusions.

Either way, Zoom shouldn’t be seen as synonymous with videoconferencing, and should you feel the risk isn’t worth it, there’s no shortage of alternatives, including Jitsi Meet, StarLeaf, Microsoft’s Teams, BlueJeans Network, Whereby, Highfive, and more.

Whether users should continue to use Zoom depends on any number of things, from the sensitivity of the information being shared to how likely you are to believe the promises of corporations that claim to have seen the light only after the barn door has been left open and the horses have run amok.