New Zoom vulnerabilities: Recorded videos live on cloud even after being deleted

User found a way to access and download recorded Zoom meetings on the app's cloud through an unsecured link and 'brute force'

Newly discovered Zoom vulnerabilities allow recorded videos to live on the app's cloud hours after deletion, CBS Interactive security architect Phil Guimond discovered on Saturday.

Zoom's cloud feature allows users to save recorded videos on the platform so they can be viewed, shared and downloaded later. The tool is especially useful for businesses that want to keep track of a conversation.

Guimond found a way to not only access but download recorded Zoom meetings on the app's cloud through an unsecured link and "brute force," or the act of trying as many password combinations as possible until one works, CBS-owned tech news website CNET reported Thursday.

Additionally, Guimond discovered that these recorded videos can live on the cloud for hours after being deleted, according to CNET.

"Zoom has not considered security at all when developing their software," Guimond told the outlet. "Their offerings have some of the highest amount of low-hanging-fruit vulnerabilities in the industry for a mainstream product."

A Zoom spokesperson told FOX Business in a statement that based on its own findings, the unique URL that leads users to a cloud recording view page "immediately stops working after deletion, so it cannot be accessed."

The company added, however, that "if someone has recently watched the recording around the time it is deleted, they can continue to watch for a period of time before the viewing session expires. We continue to investigate the matter."

The company also responded to the findings by rolling out updates on Saturday and on Tuesday after being notified about the vulnerabilities, including a tool to prevent bad actors from using brute force to access recorded cloud videos and password requirements added to its default cloud settings, CNET reported.

"Upon learning of this issue, we took immediate action to prevent brute-force attempts on password-protected recording pages," the Zoom spokesperson said. "To further strengthen security, we have also implemented complex password rules for all future cloud recordings, and the password protection setting is now turned on by default," a Zoom spokesman told CNET.

As a result of the novel coronavirus pandemic, Zoom's user base expanded from 10 million active daily users to 200 million in just three months, but with that demand came questions of privacy and cybersecurity that highlighted the app's unpreparedness for such unprecedented growth.

The discoveries come as the video conference app faces a multitude of concerns from users and lawmakers alike, including reports of hacking, Zoombombing, information-sharing and ties to China that came to light in late March and early April.

This article contains material from a previous FOX Business post.
