Zoom Responds Quickly To Contain The Fallout From Their Security Issues

Yesterday, I wrote a story about Zoom’s security issues and what they needed to do to fix them. In the last few hours a lot has happened. For starters, a memo from Elon Musk of Tesla and Space-X was leaked to Reuters. The memo stated that Zoom was banned at those companies due to security and privacy issues. Related to that, Zoom published a blog post from its CEO. In it he says this:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

At least he recognizes that he has a problem. This is what he has done to fix things:

We have also worked hard to actively and quickly address specific issues and questions that have been raised.

  • On March 20th, we published a blog post to help users address incidents of harassment (or so-called “Zoombombing”) on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing. (We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as “party crashers.” Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.)  
  • On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users. 
  • On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.
  • For education users we:
  • On April 1, we:
    • Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.
    • Removed the attendee attention tracker feature.
    • Released fixes for both Mac-related issues raised by Patrick Wardle.
    • Released a fix for the UNC link issue.
    • Removed the LinkedIn Sales Navigator after identifying unnecessary data disclosure by the feature.

He then outlines these steps to fix this situation going forward:

  • Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
  • Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
  • Preparing a transparency report that details information related to requests for data, records, or content.
  • Enhancing our current bug bounty program.
  • Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
  • Engaging a series of simultaneous white box penetration tests to further identify and address issues.
  • Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.

These are very good steps and fit within the things that I suggested in the story that I wrote yesterday. But if you’re a Zoom user, you need concrete things that you can do right now to ensure your security. Here is what I would suggest:

  • Update your macOS and Windows clients now. As in RIGHT NOW. The macOS client (Version 4.6.9 (19273.0402)) can be found here, and the Windows client (Version 4.6.9 (19253.0401)) can be found here. Now I tested both versions and I can confirm that the issues that I raised yesterday are fixed.
  • Enable the waiting room functionality. This document that Zoom has on the topic can help you with that.
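As an added example (not code from the post or from Zoom), here is a small Python check that parses Zoom client version strings of the form the post quotes and tells you whether an installed client is at or above the fixed build for its platform, which is handy when you have more than a handful of machines to verify; the inventory entries at the bottom are constructed.

```python
import re
from typing import NamedTuple, Optional

# Minimum fixed client versions as stated in the post; macOS and Windows
# share the release number but differ in the build string.
FIXED_VERSIONS = {
    "macos": "4.6.9 (19273.0402)",
    "windows": "4.6.9 (19253.0401)",
}

# Matches "4.6.9 (19273.0402)": release triple plus build number and MMDD.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*\((\d+)\.(\d+)\)\s*$")


class ZoomVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int
    build_date: int  # the MMDD part of the build string, e.g. 0402 -> 402


def parse_version(text: str) -> Optional[ZoomVersion]:
    """Parse a Zoom version string; return None if it does not match."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return ZoomVersion(*(int(g) for g in m.groups()))


def is_patched(platform: str, installed: str) -> bool:
    """True if the installed client is at or above the fixed release for
    'macos' or 'windows'. Unknown platforms and unparseable version
    strings count as unpatched, so bad input never reports as safe."""
    required_text = FIXED_VERSIONS.get(platform.lower())
    required = parse_version(required_text) if required_text else None
    have = parse_version(installed)
    if have is None or required is None:
        return False
    # Tuple comparison: release numbers first, then build, then build date.
    return have >= required


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real build numbers.
    inventory = [("macos", "4.6.9 (19273.0402)"),
                 ("macos", "4.6.8 (19178.0323)"),
                 ("windows", "4.6.9 (19253.0401)"),
                 ("windows", "unknown")]
    for platform, ver in inventory:
        print(f"{platform:8s} {ver:20s} {'ok' if is_patched(platform, ver) else 'UPDATE NOW'}")
```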

I have to applaud Zoom on taking action quickly and transparently. And you can bet that lots of people will be watching to make sure that they follow through on their promises. Because it’s a safe bet that if they don’t, I, among many others, will not hesitate to call them on it.

3 Responses to “Zoom Responds Quickly To Contain The Fallout From Their Security Issues”

  1. […] Zoom sessions seeing as Zoom’s app security is dodgy at best. Though to be fair to Zoom, they are trying to address this. So here are my top tips to secure your Zoom […]

  2. […] Xiaomi really wants this to go away, they need to open themselves up to third party auditing. Just like Zoom did when they went through their security issues not too long ago. By doing so they would regain the trust of their users, and it would shut people like me up as I […]

  3. […] If Netgear wants to rescue their image, they need to give a fulsome explanation in terms of how they are going to ensure that users of their products are going to be secure going forward. And they need to bring in a third party to not only audit everything from a security standpoint in that company, but to also make sure that they aren’t just talking the talk, but they are walking the walk 100% of the time. If they want a template to work from, they should look at what Zoom is doing and copy that. […]
