Zoom has nixed a feature that came under fire for “undisclosed data mining” of users’ names and email addresses, used to match them with their LinkedIn profiles.
The feature, the LinkedIn Sales Navigator, is a LinkedIn service used for sales prospecting. When users entered a web conference meeting, the tool automatically sent their user names and email addresses to an internal Zoom company system. This system would then match this data to their LinkedIn profiles, according to a New York Times investigation.
Per The New York Times, the tool also automatically allowed other meeting participants to covertly access this LinkedIn profile data, without Zoom asking for users’ permission or notifying them. That means if a user is in a Zoom meeting – even if they aren’t using their real names – other participants could collect information about their real names, locations, employer names and job titles.
The tool was removed on Thursday as part of several sweeping changes Zoom made in response to snowballing security and privacy concerns. Zoom founder Eric Yuan said in a Wednesday post responding to the concerns that Zoom will freeze the development of its features and instead focus on security and privacy issues.
“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address and fix issues proactively,” said Yuan. “We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.”
With more employees working from home over the past few weeks due to the coronavirus pandemic, Zoom has ballooned in popularity to include 200 million daily meeting participants in March. To put that into context, the maximum number of daily meeting participants on Zoom in December was 10 million.
But questions over what data Zoom collects – and how it is secured – have also increased. On the privacy front, Zoom this week removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage. According to the Motherboard report last week that originally disclosed the privacy issue, the transferred information included data on when a user opened the app, a user’s time zone, device OS, device model and carrier, screen size, processor cores and disk space.
The issue left the public — including New York Attorney General Letitia James — demanding more information about how Zoom secures user data. Some have even prohibited use of the video-conferencing app — including, according to Reuters, Elon Musk’s SpaceX rocket company, which cited “significant privacy and security concerns.”
On the security side of things, Zoom has now patched several recently-disclosed vulnerabilities – including two zero-day flaws uncovered this week in the conferencing platform’s macOS client version, and a UNC path injection vulnerability in the Zoom Windows client, which could enable attackers to steal Windows credentials of users.
Moving forward, Yuan said Zoom would be “enhancing” its current bug-bounty program, and creating white-box penetration tests to “further identify and address issues.”
“Transparency has always been a core part of our culture,” said Yuan. “I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.”