Zoom, a video conferencing app that became infamous for sharing analytics data with Facebook, is once again in the news for an alleged vulnerability. Zoom automatically converts all links into clickable links, including network paths. So if a stranger, who could easily join a large chat session, posts such a link and a chat participant clicks on it, hackers can easily steal the participant's Windows username and password.
According to a report by mspoweruser, when a chat participant clicks on a malicious link, Windows automatically tries to log in, or logs in, to that network, sending the username and the NTLM password hash (NTLM is an authentication protocol by Microsoft), which can easily be cracked. Zoom has been apprised of the issue.
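One way a chat client could avoid the behaviour described above is to turn only web URLs into links and leave network paths as plain text. This is an added example, not Zoom's code; the function names and the sample message are constructed for illustration.

```javascript
// Added example: decide per token whether a chat message part may become a link.
// Function names and SAMPLE are constructed for illustration.

// UNC-style path: \\host[\share...] or //host[/share...] with no scheme in front.
const UNC_RE = /^(?:\\\\|\/\/)[^\\\/\s]+(?:[\\\/]\S*)?$/;

function classifyToken(token) {
  if (UNC_RE.test(token)) return "unc";
  let url;
  try {
    url = new URL(token);
  } catch {
    return "text"; // not a URL at all
  }
  if (url.protocol === "file:") return "file-url"; // can also name a remote share
  if (url.protocol === "http:" || url.protocol === "https:") return "web";
  return "text"; // any other scheme is shown but never linked
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the rendered HTML plus the tokens that were refused a link,
// so the client can log or flag them.
function renderMessage(message) {
  const blocked = [];
  const html = message
    .split(/(\s+)/) // keep whitespace so the text round-trips
    .map((part) => {
      const kind = classifyToken(part);
      const safe = escapeHtml(part);
      if (kind === "web") return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
      if (kind === "unc" || kind === "file-url") blocked.push(part);
      return safe;
    })
    .join("");
  return { html, blocked };
}

// Constructed sample message
const SAMPLE = "Notes: \\\\files.example.test\\team\\notes.txt agenda: https://example.com/agenda";
console.log(renderMessage(SAMPLE));
```

The allowlist of `http:` and `https:` is the actual control; the UNC and `file:` checks only label what was refused so it can be reported.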
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon (@JJVLebon) March 23, 2020
Meanwhile, another flaw in Zoom is that it seems to leak email addresses and photos, and to allow some users to initiate a video call with strangers. According to Vice, this is because of a feature called ‘Company Directory’ that allows users to add others in the same domain, which makes it easier for employees to call one another. However, the feature is reportedly treating some private domains as part of a company and adding random people in the domain.
It becomes a matter of grave concern because office-goers globally are using the app extensively due to the work-from-home mandate. In India, Zoom has become the top app under the free section of the Google Play Store. It is being used more than other popular apps, like WhatsApp, TikTok, and Instagram. As per Apptopia, the daily downloads of the video conferencing app had increased from around 1,70,000 in the middle of February to nearly 2.5 million by the end of March.