Popular video conferencing app Zoom has come under fire for numerous security flaws in the last few days, and has now issued a public apology plus a plan of action for resolving the issues.
The announcement came in a blog post released to Zoom's website on April 1 and attempts to mitigate some of the bad press the company has received over the last two weeks.
The blog post serves a few purposes. The first is to act as a repository to previously acknowledged issues, citing that the company has been working to fix security issues as they arise. The announcement also explains what the company has been working on, including an extensive section on Zoom's role in elementary and secondary classrooms.
The second purpose of the blog is to outline the company's plan of action for addressing ongoing issues. The Zoom team is giving themselves 90 days to fix existing problems.
In those 90 days, Zoom is enacting a feature freeze — no further development will happen on Zoom products until security issues have been resolved. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.
Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." They plan on preparing a transparency report to handle requests for data, records, and content. The company plans on hosting a weekly webinar to provide security updates to Zoom users.
"We are actively investigating and working to address these issues," A Zoom representative told AppleInsider in an email. "We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption but did not possess those features.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.
In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.