It appears the Zoom videos, which were recorded through the app’s software, were saved to a storage space that wasn’t protected by a password. The recorded videos can be found by anyone searching online due to the way they were named by Zoom. The security researcher who found the issue, Patrick Jackson, found 15,000 examples when he scanned the unsecured cloud storage.
Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes.
Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary-school classes, in which children’s faces, voices and personal details were exposed.
Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax.
Zoom allows users who pay for the service to record meetings and save them to its own cloud service. These aren’t affected; rather, the exposed videos are ones saved to a person’s computer and then uploaded to a non-Zoom cloud service. When these services are left open, anyone can download the meetings, which are themselves easily searchable because they all have the same file name.
Now, you might think that Zoom isn’t at fault for this: surely it can’t help what people are doing when not using its own cloud service? Not exactly: Part of the problem is caused by the fact that Zoom does not force you to create a unique file name when saving videos. This is an issue that needs to be sorted out pretty quickly.
A Zoom spokesperson emailed me a statement, which reads: “Zoom notifies participants when a host chooses to record a meeting, and provides a safe and secure way for hosts to store recordings. Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud.
“Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.”
Some have also criticized Zoom’s default settings, which allow new people on a call to abruptly blast text and images onto other viewers’ computers — a screen-sharing feature that “zoombombing” trolls have exploited. Zoom, which said in statements to The Washington Post that the feature was designed for its core user base of businesses, recently changed that default for schools, allowing only teachers to share their screens.
What can you do
- Don’t record meetings
- Keep up to date – make sure you keep any installed version of the Zoom mobile or desktop app up to date
- Use passwords to protect your meeting, and never share your meeting ID
- Share the password securely
- Enable “Sign in with two-factor authentication” for “All users in your account.”