As it faces a major lawsuit, Zoom is taking a significant step to bolster security and privacy efforts by recruiting an industry heavy-hitter – former Facebook CISO Alex Stamos – to provide special counsel. It has also named third-party expert security advisory teams.
The popular videoconferencing service is making the changes as it faces a class-action lawsuit, filed by one of its shareholders on Tuesday in the U.S. District Court for the Northern District of California. It alleges that the company made “materially false and misleading statements” that overstated its privacy and security measures, and it claims that Zoom didn’t disclose its lack of end-to-end encryption.
Zoom has experienced a raft of security-related growing pains during a boom in usage amid the COVID-19 lockdown, as people take work environments, school lessons and dates with friends online. Zoom now says that it aims to clean up its issues from both the product side and by taking a high-level executive approach, Zoom founder Eric Yaun said in a blog post published Wednesday.
“Zoom has seen tremendous growth and new use cases emerge over the past few weeks, and we are committed to ensuring that the safety, privacy and security of our platform is worthy of the trust of all of our users,” he wrote.
A New CISO and Advisory Councils
The high-level approach that Stamos refers to includes recruiting Stamos, formerly of Facebook and of Yahoo before that, as an outside advisor to assist with a comprehensive security review of Zoom.
Stamos is no stranger to dealing with the data security of an immense user base. He is well known for leading the team in charge of understanding and mitigating information security risk for Facebook’s 2.5 billion users, before leaving the company in 2018 over its handling of data-security practices surrounding the Cambridge Analytica fiasco and Russian interference in the 2016 U.S. presidential election.
Stamos began keeping his eye on Russian activity on Facebook in July 2016 and wanted the company to reveal his findings to the public, but top executives like Mark Zuckerberg had a different opinion on the matter, according to published reports at the time.
Stamos — currently an adjunct professor at Stanford’s Freeman-Spogli Institute and a visiting scholar at the Hoover Institution — said he felt compelled to assist Zoom even though he is consumed by other commitments for a number of reasons.
In a blog post on Medium published Wednesday, Stamos said not only is he impressed with Zoom’s sudden rise from “a mid-sized enterprise IT company to a critical part of the lives of hundreds of millions in the space of a couple of months,” but also the technical challenges the company faces are “too interesting to pass up.”
Stamos also said that he wants to improve Zoom’s security posture because it has become an essential service in his own, personal and professional post-COVID-19 world, with he and his family using it on a daily basis to manage their lives during the pandemic.
“The adaptation of a successful enterprise collaboration tool into virtual classrooms, virtual doctor’s offices and a myriad of other applications … has created privacy, trust and safety challenges that no company has ever faced,” he wrote. “Zoom has some important work to do in core application security, cryptographic design and infrastructure security, and I’m looking forward to working with Zoom’s engineering teams on those projects.”
Meanwhile, Yuan hopes the formation of the company’s “CISO Council,” which includes executives from HSBC, NTT Data, Procore and Ellie Mae, as well as an advisory board of security leaders from companies such as VMWare, Netflix and Uber, will help remedy these and other issues that arise with Zoom’s continued proliferation.
“The purpose of the CISO Council will be to engage with us in an ongoing dialogue about privacy, security and technology issues, and best practices — to share ideas and collaborate,” he said.
Meanwhile, Zoom faces a class-action lawsuit. Plaintiff Michael Drieu, a shareholder who filed on behalf of all other shareholders – alleges that Zoom engaged in deception when it claimed that its product supported end-to-end encryption. The suit alleges that Zoom only used encryption for the transport link, allowing the service to still access data.
Additionally, the suit alleges that Zoom has put users “at an increased risk of having their personal information accessed by unauthorized parties, including Facebook.”
Zoom recently had to kill a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a Motherboard report disclosed that the transferred information included data on when a user opened the app, a user’s time zone, device OS, device model and carrier, screen size, processor cores and disk space.
Product Changes and Bans
In addition to bringing in experts to help sort out its myriad issues, the company also recently made a key tweak to its Zoom client to mitigate the most popular attacks by threat actors that have surfaced during the surge in use: “Bombing” Zoom meetings with porn, hate speech and other disruptive tactics.
It did so by removing meeting ID numbers from the title bar of its client interface to mitigate the attacks from threat actors. Before the tweak, anyone could join a Zoom meeting if they knew the meeting link, which many users would send via social-media channels. Removing the link from the client now makes it impossible for threat actors to share screen shots of meetings on the internet to encourage nefarious activity from uninvited participants, the company said.
However, Zoom-bombing and sharing data with Facebook are just two of the problems that has plagued the service since activity had a major uptick. Other security issues that have surfaced include the discovery and subsequent patching of two zero-day flaws in its MacOS client that could give local, unprivileged attackers root privilege allowing access to victims’ microphone and camera.
And, last week the company eliminated a feature called LinkedIn Sales Navigator that came under fire for “undisclosed data mining” of users’ names and email addresses, which the service used to match them with their LinkedIn profiles.
All of this has led to some who had been depending on the service to ban it because of security and privacy issues.
These include schools in New York City: Problems in the city led to a subsequent inquiry by the New York Attorney General about Zoom’s data security.
Google, too has banned the service, according to reports. It reportedly told employees whose work laptops have the Zoom app installed that the software would stop working starting this week, because of security concerns.
Elon Musk’s rocket company SpaceX recently banned its employees from using Zoom, due to “significant privacy and security concerns.” And, Taiwan has issued a parliamentary order telling government agencies, and some private entities, that “underlying video software to be used should not have associated security or privacy concerns, such as the Zoom video communication service.”
Tara Seals contributed to this article.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.