Zoom Cybersecurity and Privacy Strategies

January 19, 2023
Cayley Wetzig, Head of Marketing Communications

The spread of COVID-19 drove many organizations to adopt work-from–home policies; as of 2022, one-quarter of Americans were working from home. As a result, more people than ever began using online conferencing tools, like Zoom, to communicate and collaborate with their colleagues, which led to cybersecurity concerns.

Zoom, a platform known for its simplicity and reliability, was the platform that gained the most popularity thanks to its parent company’s rapid adaptation to change and improving features for users. Similar apps like Skype and Teams received less attention from Microsoft, which allowed Zoom to quickly become a favorite for organizations and teams across the world for its simplicity.

Growth Comes With Risk

By the beginning of April 2020, the company’s shares had risen more than 200% compared to the start of the year, even after the S&P 500 dropped around 20% in the same time period. While share price has leveled out again, Zoom’s engineering operations team has continued adding servers and other equipment at each of the company’s 17 data center locations to accommodate its fast-growing user base.

However, rapid transformational change can come with risks. While Zoom is convenient and easy to use, any video conference application can still pose risks for users, including the possibility of eavesdropping, data theft, privacy loss, harassment, and more. And owing to its rapidly growing list of features, Zoom has suffered some privacy faux pas over the past few years.

Zoom Security Flaws: Resolved Issues

In this article, we’ll cover everything you need to know about cybersecurity and privacy in Zoom, including the security vulnerabilities that have arisen over the past few years. At the time of writing, there are no known, unpatched vulnerabilities, but several have surfaced in recent months.

Below, you’ll find notable security vulnerabilities that arose during Zoom’s period of considerable growth during the COVID-19 pandemic.

1. Mac Zoom Client Vulnerability (Zoom Fixed This)

In July 2019, a vulnerability was discovered in Zoom’s Mac desktop client: Malicious websites had the ability to turn on a Mac’s webcam without the user’s knowledge.

This vulnerability stemmed from how Zoom allows users to start or join a meeting simply by clicking a web link, which creates a local web server that runs on the user’s machine. While this is convenient for users, at the time that it was launched, it also enabled meetings with video and audio to be launched without additional user authorization. Thus, it allowed attackers to start a meeting and turn on a computer’s camera without first gaining the computer’s user authorization.

Users were able to protect themselves from this vulnerability by disabling Zoom’s ability to turn on their webcam when joining a meeting. However, this security vulnerability was patched relatively quickly.

2. Zoom Meeting ID Vulnerability (Zoom Fixed This)

In January of 2020, researchers found that it was possible to exploit the way Zoom generates URLs for virtual conference rooms to eavesdrop on meetings. By using automated tools to generate random meeting room IDs, researchers found during tests that they could generate links to actual Zoom meetings without password protection in around 4% of instances.

Zoom meeting IDs were composed of 9, 10, or 11 digits, and at the time, if you didn’t enable the “Require Meeting Password” option or enable Zoom’s Waiting Room – which allows manual participant admission – these 9, 10, or 11 digits were the only thing stopping unauthorized persons from connecting to your meeting. They were also easily cracked by hackers.

Users could protect themselves from this vulnerability by ensuring they had the latest version of Zoom, as the software was updated to mitigate this problem.

Three new Zoom vulnerabilities were discovered in late March and early April 2020. These were not considered as serious as earlier vulnerabilities, as they required more work to execute.

Some attack vectors required hackers to access a victim’s computer, while another employed social engineering to trick users into interacting with bad actors. However, Zoom users impacted by these vulnerabilities could still suffer from data theft and abuse. Zoom addressed and patched these vulnerabilities relatively quickly.

3. Zoom Mac Security Vulnerability (Zoom Fixed This)

A security researcher named Patrick Wardle found a critical security vulnerability in August 2022, which could permit a hacker to control a user’s Mac, amending files as they saw they saw fit. Zoom patched the issue quickly, so ensuring your software is up to date will help you to avoid this issue.

4. Indian Cybersecurity Agency Identifies 2 Vulnerabilities (Zoom Fixed This)

In September 2022, the Indian Computer Emergency Response Team (CERT-In) highlighted a number of security vulnerabilities in Zoom’s software. One could supposedly allow a hacker to access a Zoom meeting without authorization, while the other may allow a malicious actor to access audio and video files without authorization. Zoom took around a month to roll out a fix for this flaw.

Unfortunately, these security holes were directly attributed to the security patch released in August, in order to fix the Mac issue. This highlights the ongoing need for vigilance and comprehensive cybersecurity education, as patches can often introduce new security risks that weren’t present in software before.

Zoom Privacy Concerns

Aside from security vulnerabilities, you also need to be mindful of potential privacy flaws that could expose your information without your knowledge. Security flaws such as these can be bugs that are occasionally discovered, oversights in the way that a product or service has been designed, or simply poorly worded privacy policies that share your data in an excessive manner.

As a result, we’ve highlighted some examples of these types of concerns. Bear in mind that certain features are no longer available.

1. Zoom Knows If You Are Paying Attention To The Call (Zoom Removed This)

Whenever you host a call, you used to have the option to activate Zoom’s attendee attention tracking feature. This feature would alert the call’s host anytime someone on the call “does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds.”

In other words, if you were on a Zoom call and you clicked away from Zoom, the host of the call would have been notified after 30 seconds, regardless of whether you minimized Zoom to take notes, check your email, or respond to a question on another app. This feature only worked if someone on the call was sharing their screen, but Zoom removed the feature in 2020 as part of their “commitment to the security and privacy of users.”

2. Zoom Collects and Shares Data

According to the company’s privacy policy, Zoom collects data on you, including your name, physical address, email address, phone number, job title, and employer. Even if you don’t set up an account with Zoom, it will collect and keep data on the type of device you are using and your IP address. An IP address can be used to infer a geographical location, and as such, using Zoom in conjunction with a VPN is recommended if you’re interested in greater privacy.

While Zoom asserts they don’t sell personal data to third parties, “it does share personal data with third parties for those companies’ “business purposes.” And that may include passing your personal information to Google. You should also bear in mind that if you’re using Zoom software that was purchased on license from a software vendor other than Zoom itself, that provider may be able to access your personal data and content.

According to the privacy policy, this includes “meetings, webinars, and messages.” There doesn’t appear to be any clarity on whether those third parties can access simple information, such as the time and date of a meeting or a full video and audio recording.

3. Zoom Gives Hosts Significant Power

These capabilities include the ability to record meetings and order transcriptions, as well as the responsibility for keeping any meeting data safe, whether it’s stored on a laptop or under a host’s password in Zoom’s cloud.

How To Protect Your Data

There are three easy ways to protect your privacy during Zoom calls:

1. Use two devices during Zoom calls.

If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees. This way, you will not trigger an attention-tracking alert.

2. Do not use Facebook to sign in.

While this saves time, it’s a poor security practice and dramatically increases the amount of personal data Zoom can access.

3. Look for an icon that tells you when a meeting is being recorded by the host.

If you feel comfortable doing so, ask your host to turn on the feature that requires participants to provide consent before a recording can begin. If you’re hosting a video conference, we suggest you use the feature, which is turned off by default.

Zoom Virtual Events

With many now confined to home, people are increasingly using Zoom to host virtual events. Zoom has published its own tips and recommendations for maintaining security and privacy while managing such events, in order to avoid unwanted gatecrashers:

When you share your meeting link on social media or other public forums, that makes your event extremely public. ANYONE with the link can join your meeting.
Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous meeting, and you don’t want unexpected people crashing your personal virtual space after the party’s over.
Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. For example, the Waiting Room is an extremely helpful feature that allows hosts to control who comes and goes.

1. Manage Screen Sharing

The first rule of the Zoom Club: Don’t give up control of your screen.

You do not want random people in your public event to take control of your screen and sharing unwanted content. You can restrict the ability to screen share from the host control bar both before and during the meeting.

2. Manage Your Participants

Zoom offers a number of options for managing meeting participants:

Allow only signed-in users to join: If someone tries to join your event but isn’t logged on to Zoom with an email to which the invitation was sent, they will receive the message “This meeting is for authorized attendees only.” This option is useful if you want to control your guest list and invite only those you want to your events, such as colleagues or other students at your school.
Lock the meeting: It’s always smart to lock your front door, even when you’re inside the house. When you lock a Zoom meeting that’s already started, no new participants can join, even if they have the meeting ID and password (if you have required one).
Set up your own two-factor authentication: This option lets you generate a random Meeting ID when scheduling your event and require a password to join. You can then share that Meeting ID on Twitter but send the password only to invited participants via DM.
Remove unwanted or disruptive participants: You also have the option to remove participants from your meeting.
Put participants on hold: You can also put everyone else on hold, and the attendees’ video and audio connections will be momentarily disabled.

Other options include disabling a participant’s video, muting participants, blocking file transfer through the in-meeting chat, disabling the private chat function, and more. For more detailed instructions, check the above links as well as reviewing top advice for securing your meeting.

3. Try the Waiting Room

One of the best ways to use Zoom for public events is to enable the Waiting Room feature. Just as its name suggests, the Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them. It’s a bit like the velvet rope outside a nightclub, with you as the bouncer carefully monitoring who gets to enter.

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message attendees see upon entering the Waiting Room so they know they’re in the right place. The Waiting Room is an optimal location for posting any rules/guidelines for your event, such as its goals and who it’s intended for.

This video on how to set up Waiting Rooms provides additional details.

Summary

Zoom is focused on making something that was formerly complicated, such as video conferencing, extremely simple for users. However, technology almost always involves a trade-off between convenience and security, and it’s common for the very technology that we use to be more productive to put us and our personal information at risk.

Now you know how to protect yourself while using Zoom, and how to avoid eavesdropping, data theft, privacy loss, and online harassment while using the tool. If you’re using Zoom across an organization, you should ensure that your workforce is fully educated on the risks that may be posed to cybersecurity by the software and tools they use.

In summary, the most important items to remember about cybersecurity and privacy in Zoom are the following:

Keep your Zoom software up to date
Disable Zoom’s ability to turn on your webcam when joining a meeting
Do not use Facebook to sign in
When hosting an event, manage your meeting settings and participants
When participating in meetings, be wary of whether the meeting is being recorded
Read the privacy policy and terms of service before using any software. If you aren’t satisfied, use an alternative
Ensure you choose the best cybersecurity training for staff who need to remain up-to-date on best practices

Remember, even if you choose not to use Zoom, many of these guidelines also apply to other video conference applications and other digital tools. Stay safe!

Protect Your Organization from Phishing

Article

How Project-Based Learning Is Transforming Cybersecurity Education

Project-based learning can prove incredibly useful to bridge the gap between theory and practice

Article

The Crucial Role of Entry-Level Cybersecurity Positions

With cyber threats increasing daily, entry-level cybersecurity roles can be critical to maintaining enterprise

Article

Cybersecurity Education is Getting an Upgrade: How Immersive Bootcamps are Leading the Way

Elevate cybersecurity education: explore Cybersecurity Apprenticeship Program for hands-on learning and job opportunities.

Article

3 Surprising Ways to Change the Narrative for Diversity and Inclusion in Cyber

A diverse and inclusive team is important for identifying risks and vulnerabilities and developing

Your Trusted Source for Cyber Education

Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.