According to a new report by Motherboard (Vice), Zoom has been leaking personal information. For those of you who don’t know, Zoom is a popular video-conferencing platform.
Zoom has been leaking personal information thanks to 'Company Directory' setting
In any case, the source says that “Zoom is leaking personal information of at least thousands of users, including their email address and photo, giving strangers the ability to attempt to start a video call with them through Zoom.”
That doesn’t sound good at all, now does it? The issue seems to be with Zoom’s ‘Company Directory’ setting. That setting seems to be automatically adding other people to a user’s list of contacts if they signed up with an email address that shares the same domain.
This feature is supposed to make it easier to find a specific colleague to communicate with when the domain belongs to an individual company. This feature hasn’t really been coded properly, as there’s a loophole.
Multiple Zoom users claim they signed up with personal email addresses, but Zoom placed them together with thousands of other people, as if they all worked at the same company. That essentially exposed their personal information to one another.
"I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses," said Barend Gehrels, a Zoom user who was impacted by this issue.
He also sent a screenshot as proof. That screenshot shows his Zoom profile, with nearly 1,000 different accounts listed in the ‘Company Directory’ section. He mentioned that those are people he doesn’t know.
He also added that his partner had the same issue with another email provider. She had over 300 people listed in her contacts.
One user discovered the problem, and explained it
Mr. Gehrels said that "If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo, etc.), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them."
On its official website, Zoom says: "By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section."
Zoom doesn’t really exempt all domains that are used for personal email, however. Mr. Gehrels said he stumbled upon the issue with domains from a number of Dutch internet service providers (ISPs), including xs4all.nl, dds.nl, and quicknet.nl.
Dutch ISP XS4ALL was actually contacted regarding the issue. The company said they can’t do anything about it, that Zoom should be the one to fix that.
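An added example (not from the report and not Zoom's code) of why a denylist of public domains fails here: grouping by email domain exposes users of any ISP domain missing from the list, while grouping only domains an organisation has verified does not. The user records, the `corp.example` domain and the verified-domain allowlist are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample accounts; names and addresses are made up.
USERS = [
    ("alice", "alice@corp.example"),
    ("bob", "bob@corp.example"),
    ("carol", "carol@xs4all.nl"),
    ("dave", "dave@xs4all.nl"),
    ("erin", "erin@gmail.com"),
    ("frank", "frank@gmail.com"),
]

# Denylist model as the page describes it: any domain is a "company" unless listed.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
# Assumed alternative: only domains an organisation has proven it controls.
VERIFIED_ORG_DOMAINS = {"corp.example"}

def domain_of(email):
    return email.rsplit("@", 1)[1].strip().lower()

def denylist_policy(domain):
    return domain not in PUBLIC_DOMAINS

def allowlist_policy(domain):
    return domain in VERIFIED_ORG_DOMAINS

def directory(users, may_group):
    """Return {user: other users shown in that user's directory}."""
    by_domain = defaultdict(list)
    for name, email in users:
        by_domain[domain_of(email)].append(name)
    visible = {}
    for name, email in users:
        d = domain_of(email)
        peers = by_domain[d] if may_group(d) else []
        visible[name] = sorted(p for p in peers if p != name)
    return visible

def exposed_strangers(users, may_group):
    """Users who can see others although their domain is not a verified organisation."""
    emails = dict(users)
    return {n: v for n, v in directory(users, may_group).items()
            if v and domain_of(emails[n]) not in VERIFIED_ORG_DOMAINS}

if __name__ == "__main__":
    print("denylist :", exposed_strangers(USERS, denylist_policy))
    print("allowlist:", exposed_strangers(USERS, allowlist_policy))
```
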
Now, this is not the only issue that Zoom had lately. Last week, the company updated its iOS application after Motherboard found it was sending analytics data to Facebook.