Is Zoom malware or an app full of security vulnerabilities?


Zoom Jon

Some people believe Zoom is malware.

According to the IT consultant of the Manila Bulletin, Zoom is not malware, though it is full of vulnerabilities that made it an easy target for hackers.

Zoom is a video conferencing app. It allows up to 100 people to join a single conference for 40 minutes for free. The app has gained tremendous popularity since the COVID-19 pandemic as more people stayed indoors and sought ways to connect with friends, family, and colleagues. Zoom became the go-to app for people working from home as quarantine settled in across the globe. Zoom was also used to host virtual parties and a wedding. For a bit of fun, users can add background images to bring some humor to their side of the conference.

To clarify once more, Zoom isn’t malware. It’s an app with a surging number of security issues. Let’s breeze through them.

First and foremost, Zoom has no end-to-end encryption (despite claiming to have it), potentially allowing third-party companies to view supposedly confidential calls.

There is also the case of Zoombombing. This is where an uninvited individual gets access to a video conference and begins trolling the members, for example by playing pornographic content. Zoom has addressed this with an update that turns on meeting passwords by default.

Zoombombing has become such a major issue that in the US it has become a federal crime and can lead to jail time.

Also, Zoom has been rerouting traffic to China. According to Zoom, the reroutes happen when datacenters within a region fail to establish communication and secondary datacenters are sought out. Zoom says this is accidental.

There was also an issue, as reported by Motherboard, that the iOS version of Zoom sends data to Facebook, even if the user doesn’t have a Facebook account. Zoom CEO Eric S. Yuan said that this data did not include personal data, just information about user devices. Nonetheless, Yuan admitted that this data transfer was “unnecessary for us to provide our services.”

The New York Times found that Zoom leaks users' LinkedIn profiles, even if they have signed in anonymously. This allows people in a conference to view the LinkedIn profiles of everyone else without permission. What happens here is that Zoom sends user names and emails to a company that matches them to their LinkedIn profiles.

On March 31, software engineer Felix Seele tweeted that Zoom’s macOS installer went around Apple’s restrictions the same way macOS malware does. This allows Zoom to install the application without users hitting “Install.”

Last year, in July, software engineer and security researcher Jonathan Leitschuh posted on Medium about a Zoom security flaw that allowed certain websites to access users’ webcams.

In January, Check Point Research posted a report about a Zoom vulnerability that allowed hackers to listen in on calls.

Most of Zoom’s issues have been patched or are in the process of being fixed.

Eric S. Yuan, CEO of Zoom, said in an interview with CNN that Zoom “moved too fast… and we had missteps.” He claimed they have learned their lessons and are taking a step back to address privacy and security concerns.

In a blog post published on April 1, Yuan said: “Our platform was built primarily for enterprise customers. We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

In the same blog post, Yuan said they won’t be adding any new features for the next 90 days to address all security and privacy concerns. He maintains that Zoom takes privacy seriously.