Zoom has removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage.
In a Friday post, Zoom said that it has now removed the “Login with Facebook” software development kit (SDK) for iOS, which was the feature tied to the data sharing: “Our customers’ privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client, and have reconfigured the feature so that users will still be able to log in with Facebook via their browser,” according to Eric Yuan, founder of Zoom.
Zoom shied away from saying that they intended to share this information, instead stating: “We were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services.”
The Facebook SDK for iOS is not an uncommon feature for apps; it allows Zoom users to more easily sign into the conferencing platform using their Facebook credentials. In the past, these types of SDKs have been misused to scrape data from mobile apps.
Chris Hazelton, director of security solutions at Lookout, told Threatpost that Lookout researchers analyzed Zoom’s most recent iOS version (4.6.9) as of Monday morning, and confirmed that the app is still communicating with Facebook APIs in that version. However, that doesn’t indicate that the data-sharing feature hasn’t been killed, Hazelton said, “only that the app is still communicating with Facebook.”
“Zoom did update their app with version 4.6.9, which was updated three days ago for ‘Improvements to Facebook Login,’” Hazelton told Threatpost. “The app communicates with IPs in the US, China, India, and Germany. This is to leverage APIs from Alibaba, Box, Dropbox, Facebook, Google, Microsoft, Ringcentral, WeChat and QQ.”
In Zoom’s Friday update, Yuan stressed that information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names or notes. The full list of data that was being collected is as follows:
Yuan said that users need to update to the latest version of Zoom’s application, which has removed the Facebook data transfer. “We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy,” he said. “We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again.”
Terence Jackson, chief information security officer at Thycotic, told Threatpost that app users have to be diligent when using “log in” features.
With more employees working from home over the past few weeks due to the coronavirus pandemic, Zoom has surged in popularity. However, concerns around privacy and security of the web conferencing system have also grown.
The Electronic Frontier Foundation (EFF), for instance, recently warned of various potential privacy-invading Zoom features. For instance, hosts of Zoom calls have the ability to monitor activities of attendees while screen sharing. Zoom administrators also can see detailed views on how, when and where users are using Zoom.
Last week, officials at Zoom released tips for users of their video-conferencing platform to help avoid getting “Zoom-bombed” by trolls and even more serious threat actors during online meetings.