Zoom Quickly Responded to Security Ails: Passwords Are Set, and Waiting Rooms Are Enabled Automatically

Businesses all over the world are trying to keep their operations going despite the current coronavirus pandemic, and they face many different challenges. One of them is keeping in touch with employees while everyone is at home, and in light of this, it's little wonder that the number of people using an online video conferencing service Zoom grew from 10 million in December 2019 to over 200 million in late-March. It shouldn't be a surprise that the platform has attracted a lot of attention both from cybercriminals and from security researchers, either. By their own admission, the people in charge of the platform are finding this a bit overwhelming.

Indeed, they are forced to deal with quite a lot of problems. Security expert Graham Cluley described Zoom's attitude toward security and privacy as "less-than-perfect," and it's not difficult to see what he means. The service was found to share quite a lot of data with Facebook, including details that belong to people who don't have a Facebook account. Worse still, most of the users didn't have the first clue about it. A couple of weeks ago, Zoom fixed the issue and apologized.

Later, journalists discovered that the platform incorrectly uses some technical terms. Hosts of Zoom meetings have an option, which, if enabled, tells participants that the conference is end-to-end encrypted, when, in fact, it's running through a regular HTTPS connection. For most organizations, an HTTPS connection is good enough, but Zoom's developers admitted that the term "end-to-end encryption" might have misled some people, and they apologized for the second time. Last week, they said "sorry" yet again.

Zoom changes meetings' default setup in a bid to fight zoombombing

On April 1, Eric Yuan, Zoom's CEO, used the platform's blog to publish a message to users, saying that over the last few weeks he and his team have been implementing new measures to try and solve quite a few issues. Among them is the so-called zoombombing.

The term was coined recently when the increasing number of Zoom users brought about a wave of uninvited guests to the meetings hosted on the platform. The problem lay with the fact that most hosts of Zoom meetings wouldn't protect their conferences with a password. As a result, anyone with the meeting ID would be able to participate, listen to what others were saying, and even share their screen. Zoombombing an online yoga class probably isn't such a big problem, but when you consider that the service is used by top-flight politicians, you'll see that the issue is serious.

Zoom users have always had the mechanisms to keep unwanted guests out. As we mentioned already, you can protect a Zoom meeting with a password, and as a host, you can also set up a "waiting room." All your guests will be placed in it until you let them in manually.

The fact that zoombombing became such a thing, however, shows that up until recently, most users didn't bother with these options. Now, though, they'll need to do it because from now on, password protection and waiting rooms will be enabled by default.

These actions should have a positive effect on the security of Zoom meetings. But will they be enough?

Users should think about their own security

In his blog post, Eric Yuan openly admits that the service he is in charge of hasn't done enough to properly protect its users' privacy and security. He appears to be really disappointed about this fact, and he seems to be determined to set the record straight. In addition to enabling some of the meetings' security features by default, Zoom's developers have tackled other privacy issues, and Yuan promised that over the next few months, the focus will be moving away from introducing new features and onto ensuring that the millions of new Zoom users communicate securely.

On the face of it, at least, it looks like the platform wants to learn from its past mistakes. Let's hope that users have the same mindset, however, because they, too, are responsible for their own security.

Indeed, thanks to the changes Zoom implemented, a video conference should now be better protected, but even so, all the work could be undone by a simple user mistake. Although the meetings are protected with a password by default, people who receive a direct link can access them without authentication, which means that you should be careful who you share your links with. You also shouldn't forget that, as we've mentioned numerous times on these pages, a weak password is almost as good as no password at all.

Despite the new precautions, people continue to criticize Zoom for not doing enough to protect its users' privacy. What these people wouldn't tell you, however, is whether they have done their part. Unfortunately, the countless stream of cybersecurity incidents shows that often, they haven't.