Zoom Conferencing App Exposes Users’ Email IDs And Photos To Other Users

One more privacy issue has been spotted in Zoom. This time, researchers have found that the Zoom app potentially exposes users’ email addresses and photos to other users. However, this behavior seems more of a ‘feature’ than a ‘bug’.

Zoom Exposes Users’ Email IDs And Photos

Reportedly, Motherboard has found another privacy issue in the Zoom video conferencing app. As revealed in their blog post, the Zoom app exposes users’ email addresses and photos to others.

Initially, a user on Twitter posted about this messy feature.

Further investigation revealed that the problem lies within the “Company Directory” of the app. This feature fetches a list of users whose email addresses share the same domain. Ideally, it helps users find relevant contacts, such as colleagues in the workplace.

However, this feature seems particularly aimed at business users. For people who signed up with their personal email addresses, it can pool strangers together in a chaotic way. In fact, it becomes more of a privacy breach than a feature.

Though it doesn’t force users to connect, it does expose users’ email IDs and photos to strangers.

Regarding this feature, Zoom states,

By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc.) in the Company Directory section.
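The grouping rule in that statement can be modelled in a few lines to show why it fails open. This is an added example, not Zoom's code and not part of the original article: it assumes the directory is keyed on email domain with a denylist of public providers, and compares that with grouping only domains an organization has verified. All addresses, the `isp.example` domain and the function names are constructed for illustration.

```python
from collections import defaultdict

# Denylist modelled on the three domains named in Zoom's statement (assumption).
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed sample accounts. "isp.example" stands in for a consumer mail
# provider that is missing from the denylist.
USERS = [
    "alice@corp.example", "bob@corp.example",
    "carol@isp.example", "dave@isp.example",
    "erin@gmail.com", "frank@gmail.com",
]

def domain_of(email):
    return email.rsplit("@", 1)[1].lower()

def _group(users, include_domain):
    """Group users by domain, keeping only domains accepted by include_domain."""
    groups = defaultdict(list)
    for user in users:
        domain = domain_of(user)
        if include_domain(domain):
            groups[domain].append(user)
    return dict(groups)

def directory_denylist(users, public_domains=PUBLIC_DOMAINS):
    """Fail-open: every domain not on the denylist is treated as one company."""
    return _group(users, lambda d: d not in public_domains)

def directory_allowlist(users, verified_domains):
    """Fail-closed: only domains an account owner has verified are grouped."""
    return _group(users, lambda d: d in verified_domains)

def exposed_contacts(directory, email):
    """Addresses that `email` would see listed in its company directory."""
    return [m for m in directory.get(domain_of(email), []) if m != email]

if __name__ == "__main__":
    deny = directory_denylist(USERS)
    allow = directory_allowlist(USERS, verified_domains={"corp.example"})
    for user in ("carol@isp.example", "alice@corp.example", "erin@gmail.com"):
        print(user)
        print("  denylist :", exposed_contacts(deny, user))
        print("  allowlist:", exposed_contacts(allow, user))
```

Under the denylist model the two `isp.example` users see each other even though they share nothing but a mail provider, while the verified-domain model exposes contacts only inside `corp.example`.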

Fixes Released For Previously Reported Issues

At the time of writing this article, this issue of leaking users’ details remains unfixed.

However, Zoom has recently addressed other issues reported in the past few days. In a dedicated message to users, Zoom CEO Eric S. Yuan shared a detailed timeline of all the changes they made while addressing the reported bugs.

Notably, they also addressed the matters highlighted lately, such as the UNC link issue in the Zoom Windows Client, the Zoom macOS Client vulnerabilities reported by Patrick Wardle, and the removal of both the LinkedIn Sales Navigator app, which was responsible for unnecessary data disclosure, and the attendee attention tracker feature.

They also pledge to take other measures to ensure transparency and security, such as enhancing their bug bounty program.
