Zoom can make your private chats public, and other horrors

Another day, another discovery of gaping holes in Zoom's security architecture.


Earlier this week it emerged Zoom users could have their Windows username and password compromised via the video-conferencing service. Now it turns out private messages sent in group video calls might be visible after the fact if the call is record, because the messages are saved using the feature that keeps minutes of meetings.

A new security report pokes some serious holes in Zoom's claims that its service is secure and its users' sessions are private. A detailed assessment led by the University of Toronto's Citizen Lab, and reported by The Intercept, reveals that Zoom uses "AES-256" encryption for private meetings. Which sounds reassuring. Except, as researchers Bill Marczak and John Scott-Railton have discovered, there's a problem with that.

"We find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption," their report says.

For all the claims that Zoom is trying to do better, the company has to date failed to deliver meaningful changes to how its security works. Granted, it's suddenly dealing with hundreds of millions of users instead of tens of millions, but that just makes it all the more pressing to ensure it delivers on its promises of a confidential and secure user experience.

There's a problem with some keys — As The Intercept points out, Zoom occasionally uses keys issued by servers in China. This isn't transparently communicated to users, and it's something that the company's chief product officer, Oded Gal, apologized for this week. On the subject of mixed messages around encrypted content, Gal wrote that Zoom was apologetic "for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption."

Private messages aren't really private — In late March, Twitter user @HJHaldanePhD noted, "If you're having a committee meeting via Zoom and you use the chat function to privately write to someone, your colleagues may not see it in real time, but it shows up when the chat is downloaded and put in the minutes folder." Others have highlighted this flaw, too. Later on, Zoom confirmed to Forbes that this is indeed true under specific settings.

"If a host chooses to record a Zoom meeting locally," the company's representative explained, "then chats sent publicly, as well as any private chat exchanges that the host who chose to record the meeting participated in during session, are saved."

Get it together, Zoom — These findings should be a source of concern and an issue worth investigating not only for corporate and commercial enterprises but also the growing number of schools relying on Zoom. Teachers and administrators may share deeply personal information about students in chats they think are private — including progress reports, behavioral health information, disciplinary records, and more.

Zoom CEO Eric Yuan has said that more than 90,000 schools over 20 countries have been using Zoom for remote lessons. However, some of them have stopped using the service in recent weeks because of the growing list of privacy concerns. Many corporate users might soon decide to do likewise if the situation doesn't improve drastically, and fast.