Zoom vulnerability issues: should you use it?

Zoom is an American video-conferencing and online meeting software whose popularity grew rapidly during the coronavirus pandemic when companies switched to remote work. To be precise, in the first quarter of 2020, Zoom’s usage increased by 67%.

Such exponential growth has led to closer inspection of Zoom’s security. Thousands of its users reported privacy breaches and security incidents. Some have even become victims of so-called zoombombing, an attack during which an intruder appears in video calls or sends offensive imagery. In the face of all these issues, companies like Google, SpaceX, and NASA all banned their employees from using Zoom for work. Here’s a short video explaining the reasons behind it:

However, Zoom security has improved over the past few years. Zoom developers have fixed a few of its major security issues.

Zoom had many security issues in the past. The platform is still far from perfect, but Zoom has managed to fix some of its biggest flaws. So using Zoom is relatively safe if you take all the necessary precautions mentioned below and implement all the recent updates.

While Zoom has already tackled some of its most serious security and privacy issues, it has a few remaining vulnerabilities, as reported by Tom’s Guide.

Circulating compromised accounts

Around half a million Zoom usernames and passwords are up for sale in criminal online marketplaces. This resulted from credential-stuffing attacks when hackers reused previously leaked credentials to hack new accounts. Criminals are also reportedly trading compromised Zoom accounts on the dark web.

This is not Zoom’s fault, but you should by no means use passwords that you use for other accounts for Zoom. Also, make sure to change Zoom passwords if they get compromised and use strong ones. And remember that no service is fully protected against potential future data breaches or leaks.

Zoom zero-day exploits

Vice reported that Zoom allegedly contains a few zero-day exploits. However, the source also claimed that Zoom is not the only video conferencing software with those issues.

Poor encryption

Zoom uses end-to-end encryption, but its encryption algorithm is pretty weak. Researchers at the Citizen Lab claim that Zoom uses the AES-128 algorithm instead of AES-256. Zoom generates and holds all the encryption keys, meaning it can decrypt your data anytime.

Moreover, Zoom uses a modified version of the algorithm, allowing it to see patterns from original files. This means that someone can still see the original message. However, Zoom promised to upgrade its encryption algorithm.

Employee surveillance

Employers can also use Zoom to spy on employees and breach their privacy. Zoom’s attention-tracking feature notifies a host if a user clicks away from a Zoom window for more than 30 seconds. Admins can join calls without the consent of their participants and prior notification, too.

Weak protection against tampering and bombings

Researchers indicated that Zoom’s anti-tampering mechanisms are poorly protected from tampering. As a result, they can be disabled or even replaced with malicious ones to hijack the application by a third party.

Zoom bombing is also an active issue. Anyone who knows your meeting number can infiltrate your meeting with images or annoying sounds. You can also find open Zoom meetings and wardrive into them by checking Zoom meeting IDs. However, to prevent these issues, you shouldn’t share your meeting number with anyone except the call participants, and you should protect your meetings with passwords.

Data collection and sharing

Zoom is notorious for collecting users’ data, such as audio recordings, messages, and personal credentials. The app used to send users’ email addresses and usernames to LinkedIn. There are also widespread concerns that students’ and pupils’ private data could have been leaked too because educational institutions use Zoom for online classes.

While Zoom rewrote its privacy policy stating that it doesn’t sell users’ data, little information about Zoom’s actual business dealings is available.

Zoom has already fixed some of its previous flaws.

Account hijacking issues

Zoom fixed the account hijacking issue. Previously, hackers could hijack users’ Zoom accounts by knowing their email addresses. Fortunately, this flaw hadn’t been disclosed before Zoom developers could fix it.

Displayed meeting IDs

Zoom no longer displays meeting IDs on your screen so that you won’t accidentally expose them in a screenshot or other way.

Chinese cryptographic keys

Zoom has been accused of generating keys in China, a country famous for its surveillance and privacy violations. If so, this means that their servers can be monitored by the Chinese government, no matter whether you are making calls in the US or Europe. Zoom admitted that it had routed calls via Chinese servers by mistake.

Last April, Zoom CEO Eric S. Yuan reported in a blog post that Zoom had fixed this issue.

Waiting room flaw

The Citizen Lab researcher team disclosed Zoom’s waiting room flaw and advised users against using it. Zoom developers have reportedly fixed the flaw.

Windows password stealing and malware issues

By sleeping UNC path to a remote server, hackers could access Zoom users’ Windows accounts. They could also use the same method to flood Zoom chat rooms with malicious files. Zoom claims that it has already fixed this issue.

Facebook profile sharing

Zoom’s iOS application automatically sent the analytics data of users’ devices to Facebook, even if users didn’t have a Facebook account. The company didn’t inform them about it either. After discovering this issue, Zoom updated its iOS apps to fix it.

Bypassing macOS security precautions

Zoom used hacker-like methods to bypass macOS security precautions. Researchers claimed that the application was installed without the user’s final consent, and it used a highly misleading prompt to gain root privileges. Hackers could even exploit this technique to gain control over someone’s device. Zoom representatives claimed they used such tactics to simplify Zoom’s installation process. However, later they removed this technique.

PRO TIP: Cover your webcam when not in use. You can buy a small sliding cover to stick over the camera, ensuring that no one can watch you without your knowledge.

Here are a few tips to make Zoom safer:

• Do not send invites or accept invitation links from people you don’t trust.
• Use two-factor authentication for better protection.
• Make sure you download Zoom from the official site. Hackers have been creating fake Zoom websites to spread malware.
• Use a web browser to access Zoom. It’s more secure, especially when you use a VPN. Zoom rolls out updates more rapidly to those signing in via the web.
• Use audio signatures. It can help to preserve the confidentiality of the meetings. It will also make it more difficult for participants to record and distribute the meetings.
• Update it regularly to have the most recent security patches.
• Never share your meeting ID publicly, only with people you trust.
• Protect your meeting with a unique password. Check these tips on how to create strong passwords. You can also try NordPass random password generator.
• Use the waiting room function. It puts the participants on hold so you can approve or block them.
• Lock meetings, so that no one is able to join them apart from those who are already there.
• Refrain from using Zoom to exchange sensitive or confidential information.
• Make yourself the only host to take full control of the call. In case of zoombombing, you could turn off someone’s camera, microphone, or even disable them.
• Read these tips on how to work-from-home safer and look for video conferencing alternatives.
• Use a VPN. It will provide an additional layer of security when you use unsecure Wi-Fi hotspots.

Zoom is compatible with a VPN because VPN provides an additional layer of protection. NordVPN will provide much-needed high-quality encryption and protect your traffic from snoopers and interceptors.

NordVPN also offers an additional Threat Protection function. It helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.