With people around the world practicing social distancing in response to the spread of Covid-19, video conferencing platforms have become an essential communication tool for organizations and individuals. Zoom has emerged as one of the most important products in this space and with that rise researchers have exposed a string of privacy and security vulnerabilities. As the Disconnect team read through these reported vulnerabilities, we took a closer look at Zoom and discovered thousands of personal Zoom videos have been left viewable on the open Web. We subsequently worked with the Washington Post who further investigated and wrote a an excellent report on these vulnerabilities.
Videos that were available publicly included extremely sensitive personal information. For example, videos discovered included one-on-one therapy sessions, health information associated with names and phone numbers, financial data, elementary schools classes that exposed personal details, intimate conversations, and nudity.
The vulnerable Zoom videos were saved in the cloud without a password and were easily discovered because Zoom names every video recording in a uniform way, so that an online search would reveal the videos for anyone to download and watch. The Washington Post did not reveal the naming convention and Zoom was alerted to the issue before publishing the story.
If you use Zoom or other video call software, check out the Washington Post's guide to protecting your Zoom calls. Most importantly, if a call (video or audio) is being recorded assume that anything you do or say could be made public and act accordingly. And if you are recording a video call, rename the file and if possible password protect access to the video.
During these trying times the entire Disconnect team is hoping you stay safe and protected online and off.