One more privacy issue has been spotted in Zoom. This time, researchers have found that the Zoom app potentially exposes users’ email addresses and photos to other users. However this behavior seems more of a ‘feature’ than a ‘bug’.
Zoom Exposes Users Email IDs And Photos
Reportedly, Motherboard has found another privacy issue in the Zoom video conferencing app. As revealed in their blog post, the Zoom app exposes users’ email addresses and photos to others.
Initially, a user on Twitter posted about this messy feature.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon #UEMFirst :wq (@JJVLebon) March 23, 2020
further investigation revealed that the problem lies within the “Company Directory” of the app. This feature fetches a list of users with email addresses having the same domains. Ideally, this feature facilitates users to find relevant contacts, such as colleagues in the workplace.
However, this feature seems particularly aimed at business users. For people who signed up with their personal email addresses, this may be chaotic to pool up strange users together. In fact, it becomes more of a privacy breach than a feature.
Though it doesn’t force users to connect, it does, however, expose users’ email IDs and photos to strangers.
Regarding this feature, Zoom states,
By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.
Fixes Released To Previously Reported Issues
At the time of writing this article, this issue of leaking users’ details remains unfixed.
However, Zoom has recently addressed other issues reported in the past few days. In a dedicated message to users, Zoom CEO Eric S. Yuan shared a detailed timeline of all the changes they made while addressing the reported bugs.
Notably, they also addressed the matters highlighted lately, such as the UNC link issue in Zoom Windows Client, Zoom macOS Client vulnerabilities reported by Patrick Wardle, and the removal of the LinkedIn Sales Navigator app responsible for unnecessary data disclosure and attendee attention tracker feature.
They also pledge to take other measures to ensure transparency and security, such as enhancing their bug bounty program.
Let us know your thoughts in the comments.