Zoom (MOBHouse Productions)

Even if you haven’t used Zoom before, chances are you might have read about it on social media. In the midst of the ongoing COVID-19 pandemic, Zoom rose to popularity as the go-to video conference platform to connect with families and friends during lockdown or quarantine. Of course, its surge in popularity also came with increased public scrutiny. Especially now that countless users have found themselves victims to a massive recording and user data leak.

With the MCO being extended once again and the fact that social distancing will be a part of our lives until the vaccine is ready, we will need to rely on platforms like this for many social interactions. But, having your user data stolen and sold for cheap is frightening. Who knows what the buyer or buyers will do with those information? Let’s discuss the problems that Zoom had and explore a little on the main question we are all asking: Is Zoom still safe for us to use?

Contrary to popular belief, the answer is yes. But, how and why?

As with any platform on the internet, the users play a big role in ensuring internet safety as well. Because if our password is literally ‘password’, we make ourselves easy targets for hackers. However, what measures did Zoom take to ensure user data protection and security?

Zoom (MOBHouse Productions)
Always keep yourself safe on the internet (Image: Threatpost)

Major Security Concerns Addressed?

Here’s what Zoom has fixed since they first made headlines for the leaked meeting recordings:

1) Issues on MacOS

Previously, Zoom implemented an unconventional installation method to bypass the requirement of user consent, which is a similar method used by other malware on MacOS. This questionable installation method is precisely what caused the risk for malware abuse. However, Zoom has since fixed this issue.

2) Stealing Windows Passwords

You can send links in the Zoom chatroom. However, the problem is that there was no distinction between regular web links and Universal Naming Convention (UNC) path links. This allowed attackers to potentially send UNC path links to unsuspecting users who would then click on them. That’s how hackers steal these users’ Windows login password as well as inject malware into their systems. Luckily, Zoom has also fixed this issue.

3) ‘Zoombombing’

Right now, Zoombombing is the most talked-about issue thus far. The naming system of Zoom meeting rooms allowed attackers to scan and retrieve meeting room IDs. It was as easy as taking candy from a baby. The attackers then join these non-password-protected rooms to display inappropriate images and texts. The easiest way to circumvent this issue is to set up a password for all of your Zoom meetings. Zoom has since enforced mandatory password protection as well as enabling a ‘waiting room’ feature by default, where participants will be placed in upon joining a Zoom meeting. These participants can only join the call if the host clicks accept.

4) Cryptographic Keys Issued By Chinese Servers

Zoom servers issue AES128 encryption keys to clients, which is all well and good. However, Citizen Lab discovered that several Chinese servers were issuing keys to meetings in which none of its participants are from China. This can potentially put Zoom under the jurisdiction of the China Internet Security Law, where Chinese authorities have the legal right to obtain Zoom’s users data and meeting recordings. Because of this, many global companies like Google, NASA, and even SpaceX have banned its employees to conduct virtual meetings via Zoom. Of couse, this issue has been fixed to prevent this from happening again.

5) Other Issues

There have also been several minor security issues since the increased usage of Zoom but they were quite promptly resolved.

Zoom also brought former Facebook and Yahoo Chief Security Officer, Alex Stamos, on board to be their security advisor. He will be working closely with Zoom’s engineering team.

Alex Stamos (MOBHouse Productions)
Alex Stamos, Former Facebook and Yahoo Chief Security Officer (Image: IT Pro)

Zoom Accounts For Sale On The Dark Web

Another recent headline you might have heard of is regarding the 500,000 Zoom accounts that were put on sale on the dark web for peanuts. This is unlikely due to a security breach on Zoom’s end. Instead, it is merely due to users reusing old passwords that have been breached in the past.

So, make sure to check if you have been compromised either from the current breach or past breaches via Have I Been Pwned.

Other good practices to prevent your accounts from being compromised include using a different password for every service and a password manager (such as LastPass, 1Password, BitWarden, etc) if you have trouble keeping track of the passwords. We can’t stress enough on how important this is. But please do not reuse the same password across all of your accounts. Another prevention practice is enabling two-factor authentication whenever possible.

Regardless of whether you use Zoom, these are the practices you should be doing anyway.

So, Can We Still Trust Zoom?

For highly sensitive work such as governments and big companies, using Zoom for internal communication is not a great idea as many of these companies and entities have banned their workforce to use Zoom.

But if you’re just an average joe like me who just want chat with friends or use it for education purposes, it should not be an issue. While there have been security concerns, they have been swift at addressing these issues. Now with a former Facebook and Yahoo Chief Security Officer on board, things will only get better.

Personally, I think Zoom still deserves a chance and it might become one of the safest video conferencing platforms out there due to their experience with security breaches. This definitely put them in some serious hot water because if these security breaches persist, who will want to use Zoom ever again?