Zoom Security Issue: Leaking user photos and email addresses

Zoom is leaking user photos and some user information because of an issue with how the app groups contacts.

According to a report by Vice, Zoom is leaking some users' email addresses and photos, and is letting some users start a video call with strangers, because of a flaw in how the app handles contacts it assumes work for the same organization.

The video conferencing app groups contacts that share an email domain into a Company Directory, so a user can search for a specific person, see their photo and email address, and start a video call with them.

This makes sense for a company whose employees are on Zoom, but the app has also been grouping together people who signed up for the service with a personal email address, Vice reports.

That means an affected user may be able to see the personal email addresses and photos of everyone who shares their email domain in their Company Directory, even if none of those people are actually colleagues.

How widespread the issue is, and how many domains are affected, remains unclear. One affected user shared a screenshot with Vice showing 995 accounts in his Company Directory. The same user said he ran into the issue with the domains xs4all.nl, dds.nl, and quicknet.nl, all of which are email domains belonging to Dutch ISPs. Zoom said it blacklisted those domains after Vice brought them to the company's attention.

Zoom has a spotty track record on security. Last July a security researcher discovered that a malicious website could open a Zoom video call on Macs without the user's permission; the video conferencing company quickly patched its software and removed the local web server that made the attack possible. Check Point Research also published a report in January about a flaw that would have let attackers eavesdrop on calls. And Zoom itself confirmed today that its video calls aren't actually end-to-end encrypted, despite what its website may say.

“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Vice in a statement. Zoom also directed Vice to a support page where users can request that domains be blacklisted. Zoom does not group “publicly used domains including gmail.com, yahoo.com, hotmail.com, etc,” according to a support doc. Zoom did not immediately respond to a request for comment.
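To make the design problem concrete, here is an added illustration (not Zoom's code, and not code from the Vice report) of the two points above: grouping contacts by email domain, and relying on a blacklist of public providers to decide which domains count as a company. The sample sign-ups are constructed; the ISP domains are the ones named in the report, example-corp.com stands in for a real company, and the "verified domains" allowlist used by the hardened variant is an assumption about how an organization could claim its domain, not something the article describes Zoom doing.

```python
from collections import defaultdict

# Constructed sample sign-ups (not real users). The ISP domains are the
# ones named in the Vice report; example-corp.com stands in for a real company.
ACCOUNTS = [
    "alice@example-corp.com",
    "bob@example-corp.com",
    "carol@gmail.com",
    "dave@gmail.com",
    "erik@xs4all.nl",
    "fenna@xs4all.nl",
    "gijs@quicknet.nl",
    "hanna@quicknet.nl",
]

# Domains the article says Zoom's support doc excludes from grouping.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Assumption for the hardened variant: domains an organization has
# explicitly claimed with the service (e.g. through admin verification).
VERIFIED_DOMAINS = {"example-corp.com"}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def directory_by_denylist(accounts, public_domains):
    """Leaky scheme described in the article: every domain that is not on the
    denylist is treated as a company, so shared ISP domains become
    'companies' too. Singleton domains are dropped, since a directory of one
    exposes nothing to anyone else."""
    groups = defaultdict(list)
    for email in accounts:
        d = domain_of(email)
        if d not in public_domains:
            groups[d].append(email)
    return {d: m for d, m in groups.items() if len(m) > 1}


def directory_by_allowlist(accounts, verified_domains):
    """Hardened variant (added suggestion, not Zoom's fix): group only
    domains an organization has claimed; everything else stays private."""
    groups = defaultdict(list)
    for email in accounts:
        d = domain_of(email)
        if d in verified_domains:
            groups[d].append(email)
    return dict(groups)


def exposed_strangers(directory, verified_domains):
    """Addresses visible in a directory although their domain was never
    claimed by an organization, i.e. the people the article calls strangers."""
    return sorted(
        e
        for d, members in directory.items()
        if d not in verified_domains
        for e in members
    )


if __name__ == "__main__":
    leaky = directory_by_denylist(ACCOUNTS, PUBLIC_DOMAINS)
    print("denylist exposes:", exposed_strangers(leaky, VERIFIED_DOMAINS))
    # The reactive fix from the article: add the reported domain to the denylist.
    patched = directory_by_denylist(ACCOUNTS, PUBLIC_DOMAINS | {"xs4all.nl"})
    print("after blacklisting xs4all.nl:", exposed_strangers(patched, VERIFIED_DOMAINS))
    safe = directory_by_allowlist(ACCOUNTS, VERIFIED_DOMAINS)
    print("allowlist exposes:", exposed_strangers(safe, VERIFIED_DOMAINS))
```

Running it shows the shape of the problem: with the denylist, the four xs4all.nl and quicknet.nl users are exposed to each other even though none of them are colleagues, and blacklisting xs4all.nl after the fact still leaves the quicknet.nl pair visible, because every ISP, university or shared mail domain that nobody has reported yet is implicitly treated as a company. The allowlist variant exposes nobody outside a claimed domain, which is why a "group only what an organization has verified" rule is the more robust design for this kind of feature.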