ESET has published instructions to help you stay safe if you continue to use the Zoom app. We quote the post:
As millions of people stay home to stem the pandemic of COVID-19, videoconferencing applications are experiencing explosive growth in work, education and leisure. Of all the platforms, the Zoom app seems to be the one that plays the leading role.
However, the huge demand from individuals and companies has helped to reveal the privacy and security issues faced by this platform, which is now used for daily video conferencing even by the British Government (interestingly, the British Ministry of Defense prohibits its employees from using this application).
The app's creator has been criticized on many fronts, from privacy advocates and security experts to U.S. Attorneys General, Senator Richard Blumenthal, and even the FBI. The bad news has increased in recent days, forcing the company to respond to the allegations made against it.
Earlier this month, company founder and CEO Eric S. Yuan apologized for the problems and outlined the steps taken to enhance the security and privacy of Zoom. He also announced a freeze on the addition of new features for the next 90 days, adding that all the company's resources and technicians will "focus on resolving issues of trust, security and privacy".
Here are five key points Zoom technicians focused on last week:
• In its privacy statement, Zoom failed to mention that the iOS version of the app sends analytics data to Facebook even if users do not have a Facebook account, according to data published by Vice last week. The company acknowledged the problem and removed the Facebook Software Development Kit (SDK) from the iOS app. However, a lawsuit against Zoom is pending in California.
• Despite assurances to the contrary, according to an investigation conducted by the news organization The Intercept, video conferences made through the application do not support end-to-end encryption. Zoom apologized and clarified that it uses TLS encryption. The notable difference is that this method allows the company to access users' communications.
• Several security vulnerabilities in the application were also identified, although these were quickly fixed. In the Windows version, a vulnerability (a UNC path injection flaw) was detected that could reveal the login credentials of Windows users and lead to the execution of arbitrary commands on their devices. Two more bugs, which affected the Mac version of the Zoom application, allowed an attacker to take control of the computer.
• The company also removed the "attendee tracking" feature of the Zoom app, which allowed the video conferencing host to check whether participants were paying attention when the app was in screen sharing mode.
• Finally, after many complaints, the FBI issued a warning that trolls and pranksters were harassing private video calls and online school classrooms.
These issues may have affected a large number of people, as in the past three months, the number of users of the platform has jumped from 10 million to 200 million. As Yuan admitted, the Zoom app was not ready for this unpredictable development. "There is now a wider range of users who use our product in thousands of unexpected ways, putting us in front of challenges we did not anticipate when the platform was created," he said.
ESET: How to stay safe
According to ESET, even in this age of remote work we must not overlook the issue of privacy and security (and not just when it comes to videoconferencing). However impressive and feature-rich software may be, it can expose us to new threats.
According to ESET experts, these are the most effective steps you can take to protect your security and privacy when using the Zoom app:
• Use passwords to protect conferences and/or control participants with the "Waiting Room" feature offered by Zoom.
• Allow screen sharing only for the host.
• Use the latest version of Zoom.
• Do not post links or meeting IDs on social media.
• Prefer to use meeting IDs rather than links when inviting other Zoom participants, as there has been an increase in malicious domains trying to take advantage of the app's unexpected success.