Published on the 08/04/2020 | Written by Jonathan Cotton

Zoom adds security enhancements to cap off its no good, very bad month…

With the coronavirus sending the world into remote-work lockdown, video conferencing software company Zoom, has suddenly found itself swimming in the mainstream. But just moments after being dubbed vital technology, a score of security vulnerabilities have surfaced, giving the remote conferencing company a lot of work to do – and a PR month from hell.

The criticisms are many, including the Mac application that bypasses Apple’s regular security systems; the presence of software bugs that let attackers access user’s computers, and problems with the company’s claims of end-to-end encryption on its service.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socialising from home.”

Then it was revealed that the iOS version of the app was sending analytics information to Facebook – whether the user had a Facebook account or not – something not mentioned at all in the app’s privacy policy. (For the record, Zoom swears it’s never sold user data and has no intention to ever do so).

But it’s Zoombombing – the ability for uninvited guests to virtually ‘gatecrash’ other people’s Zoom meetings – that has captured attention. The loophole has now been exploited by scores of unpleasant types posting upsetting comments, pictures and videos to other people’s meetings, sometimes as part of organised ‘zoombombing’ groups. (And the problem is bad – targets can be acquired as easily as doing a Google search for URLs containing ‘Zoom.us’, generating links to unsecured meetings, which could be joined without invitation.)

For what it’s worth, Zoom CEO Eric Yuan (pictured) appears suitably contrite, issuing a statement last week that, while hardly an excuse for the company’s huge security failures, offers some context for the neglect: 2020 has been a time of rapid growth for the company, to put it mildly.

“As of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million,” explains Yuan in the blog post.

“In March this year, we reached more than 200 million daily meeting participants, both free and paid.”

A nice problem to have by any standard, but a challenge for the usually enterprise-focused software company nonetheless.

“We recognise that we have fallen short of the community’s – and our own – privacy and security expectations.

“For that, I am deeply sorry.”

Yuan says the company will now enact a ‘feature freeze’, effectively immediately, shifting all of the company’s engineering resources to focus on trust, safety, and privacy issues.

In the meantime, Zoom’s enacted a pair of default setting changes to the product, password protecting meetings for all basic users on free accounts and accounts with a single licensed user, and turning on Zoom’s ‘Waiting Rooms’ functionality.

From now on, says Zoom, all meetings (even those previously scheduled) will have passwords enabled. Attendees joining via a meeting link, will observe no change to their joining experience, but attendees who join by manually entering a Meeting ID will need to enter a password to access the meeting.

Similarly, the Waiting Room feature – a virtual staging area that prevents people from joining a meeting until the host is ready – will be automatically turned on by default.

Hopefully by the end of the company’s self-imposed 90-day security do-over there will be more to report.

In Zoom’s defence, it can’t be easy trying to satisfy such a sudden and unexpected demand for its service. As Yuan says, usage of Zoom – a platform built primarily for enterprise customers with IT support – has exploded, almost overnight.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socialising from home.”

Zoom has been too slow in addressing its security issues, but it also seems to have been too slow to educate users on the limitations of its product too.

Given the lockdown situation many of us are currently in – and the necessity of secure communication tech across the world – let’s hope lessons can be quickly learned on both sides.