Zoom Accused of Misleading Users With 'End-to-End Encryption' Claims Amid Other Security Issues [Updated]

[MacRumors]

Zoom is facing fresh scrutiny today following a report that the videoconferencing app's encryption claims are misleading.

Zoom states on its website and in its security white paper that the app supports end-to-end encryption, a term that refers to a way of protecting user content so that the company has no access to it whatsoever.

However, an investigation by The Intercept reveals that Zoom secures video calls using TLS encryption, the same technology that web servers use to secure HTTPS websites:

This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won't stay private from the company.

As the report makes clear, for a Zoom meeting to be end-to-end encrypted, the call would need to be encrypted in such a way that ensures only the participants in the meeting have the ability to decrypt it through the use of local encryption keys. But that level of security is not what the service offers.

When asked by The Intercept to comment on the finding, a spokesperson for Zoom denied that the company was misleading users:

"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point... The content is not decrypted as it transfers across the Zoom cloud."

Technically, Zoom's in-meeting text chat appears to be the only feature of Zoom that is actually end-to-end encrypted. But in theory, the service could spy on private video meetings and be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.

Zoom told The Intercept that it only collects user data that it needs to improve its service - this includes IP addresses, OS details, and device details - but it doesn't allow employees to access the content of meetings.

Last week, Zoom's data sharing practices were criticized after it emerged that the service was sending data to Facebook without disclosing the fact to customers. The company subsequently updated the app to remove its Facebook log-in feature and prevent the data access.

Update: As noted by TechCrunch, security researcher Patrick Wardle has revealed two previously undisclosed zero-day vulnerabilities impacting Zoom.

Article Link: Zoom Accused of Misleading Users With 'End-to-End Encryption' Claims Amid Other Security Issues [Updated]

 

[Michael Scrip]

• Installing a secret web server on your computer that remained even after you uninstalled the program
• Sharing data with Facebook without disclosing it to customers
• Misleading Users With 'End-to-End Encryption' Claims

Any guesses on the next Zoom scandal?

 

[himanshumodi]

I wonder if this is technical incompetence, or a deliberate obfuscation.

 

[batitombo]

Everyone:

End to end.

Zoom:

Well, for us end to end means...

 

[cfdlab]

There are even more shady things they are doing

https://twitter.com/x/status/1244737672930824193

 

[iapplelove]

End to end encryption/.

 

[crsh1976]

Interesting, the company I work for jumped on this solution because our in-house video conf service is unable to cope with everybody working remotely all of a sudden (it wasn't planned for this many people throughout the day and cannot scale up quickly, due to short-sighted decisions).

Zoom is all the rage these days - some of our IT/security folks tried to warn management we shouldn't use it until a full security audit can happen, and they were gently pushed aside due to needing a solution right away, I guess this will only reinforce the need to look into it further.

 

[Morgenland]

We'll see: If there are enough people who want to cooperate with this criminal enterprise, this company will continue to work with its criminals, perhaps soon under a different name.

 

[nicho]

Interesting, the company I work for jumped on this solution because our in-house video conf service is unable to cope with everybody working remotely all of a sudden (it wasn't planned for this many people throughout the day and cannot scale up quickly, due to short-sighted decisions).

Zoom is all the rage these days - some of our IT/security folks tried to warn management we shouldn't use it until a full security audit can happen, and they were gently pushed aside due to needing a solution right away, I guess this will only reinforce the need to look into it further.

They operate legally in China. I don't think more needs to be said than that.

 

[Christian 5G]

I am just grateful for people that are able to find these loopholes.

 

[Unggoy Murderer]

• Installing a secret web server on your computer that remained even after you uninstalled the program
• Sharing data with Facebook without disclosing it to customers
• Misleading Users With 'End-to-End Encryption' Claims

Any guesses on the next Zoom scandal?

Add this: the macOS installer actually installs the application at the "Checking requirements" stage then quits the installer, the user doesn't actually get to press "Install". Very shady.

Quicker people move away from that rancid software the better.

 

[MrJeffreyGee]

If you talk to anyone that has used Zoom for video sex calls “regularly”... They’ll tell you their account gets deleted shortly after. Why would they be deleting this specific group of user accounts if they weren’t monitor their video calls? Not to mention, some Zoom employee needs to be seeing these video calls to render the decision.

 

[spazzcat]

WebEx is giving unlimited free meetings right now.

 

[Mitthrawnuruodo]

And another issue, according to The Verge:

Zoom is apparently leaking some email addresses, user photos, and allowing some users to initiate a video call with strangers because of an issue with how the app handles contacts that it perceives work for the same organization

Zoom is leaking some user information because of an issue with how the app groups contacts

Some personal email addresses are being shared to users’ Company Directory

www.theverge.com

 

[0924487]

You should not trust a mission-critical communication software that is not open-sourced AND has never undergone a technical audit AND is not source available upon request.

 

[Porco]

If they corrected this situation we could potentially see the wonderful headline ‘Zoom’s End to End-to-End Encryption to End’. So that’s something.

 

[GalileoSeven]

MS Teams > Zoom

 

[motm95]

My health care providers seem to be gravitating towards doxy.me - I wonder how their security is compared to Zoom?

 

[daveak]

The UK government have started using Zoom for cabinet meetings, and have also been tweeting the meeting id and usernames of those taking part. I'm sure they've carried out a full security audit and decided the Ministry of Defence were wrong to ban it's usage.

 

[TiggrToo]

You should not trust a mission-critical communication software that is not open-sourced AND has never undergone a technical audit AND is not source available upon request.

And one release later a developer makes a fatal mistake and an attack vector is created.

People should never assume open source is somehow magically better than anything else. All applications, no matter how well written, or where the source is, are one change away from exposing a massive vulnerability.

 

[winglet69]

WebEx is giving unlimited free meetings right now.

Thanks for this, it does indeed have unlimited free meetings. I had a quick look a their security specs though, and they also use TLS encryption to their cloud, unencrypt, then re-encrypt for further transmission as standard. This is apparently to enable web recordings of meetings, as well as other functionality such as remote desktop sharing, saving of session data etc. Which makes sense, as the data passing through encrypted wouldn't be readable. There's always going to be a tradeoff between security and functionality.

The thing is, I can't see anywhere on the free account anyway, where this option for true End-to-End is available so perhaps it is only on the paid accounts?

All of this to say, it appears that WebEx for the vast majority of (free) users during the outbreak has the exact same implementation of "End-to-End" encryption (ie, not really) as Zoom. The one advantage would be that it (WebEx) doesn't have the 40 minute limitation of Zoom, so for that alone I may give it a try to see how it compares performance-wise and UI operability. It does also seem to force password use to join a meeting, which most may not like but I think is an important, if nuisance, feature.

Webex: What Does End-to-End Encryption Do?

Webex: Use End-to-End Encryption with Cisco Webex Meetings

 

[audiomatt]

This just seems so incredibly minor compared to the fact that the government basically can't seem feel comfortable with any online privacy whatsoever.

 

[TheShadowKnows!]

Apparently, the inescapable conclusion from the posts is that Zoom is one letter away from Doom.
Sorry, dudes, but a tin hat does not fit well while wearing my anti-viral mask.

 

[thisisnotmyname]

After what they did in bypassing MacOS security to allow one click meeting starts why has anyone trusted this company? This shouldn't be surprising at all. When someone sends me a Zoom invite I decline and tell them I won't install a product that knowingly created a zero-day vulnerability for my OS.

 

[Duna M.]

Still the Zoom conference is the best of the best in therms of large meetings, speed and video quality.