

Zoom is now leaking data from users’ LinkedIn profiles



Okay people, time to call it: now is the time to look for an alternative to Zoom. Earlier today, we reported that Zoom would be freezing new features for 90 days while it works on its security issues. Almost every day now we are reporting on Zoom and its lax security.

Zoom has seen a wide variety of privacy and security issues that we have reported on, including Zoom leaking data to Facebook through the Facebook login button and its API. We also recently reported about Zoom’s other privacy transgressions. Just yesterday we reported on how a malicious Zoom user could steal a Windows user’s login credentials. Earlier today in a blog post, Zoom CEO Eric S. Yuan laid out what measures Zoom would be taking to mitigate the crisis they are currently having. All of this is amid Zoom reaching a whopping 200 million daily active users.

“In March this year, we reached more than 200 million daily meeting participants, both free and paid”

Eric S. Yuan, CEO of Zoom

This afternoon, The New York Times discovered a potential data-mining bug in Zoom. The vulnerability affects meetings where a participant has subscribed to a LinkedIn service for sales prospecting called LinkedIn Sales Navigator. A subscriber who enables the service could very quickly access the data of everyone on the call without anyone being aware of it. The data consists of locations, employers and job titles.

In tests conducted last week, The Times found that even when a reporter signed in to a Zoom meeting under pseudonyms — “Anonymous” and “I am not here” — the data-mining tool was able to instantly match him to his LinkedIn profile. In doing so, Zoom disclosed the reporter’s real name to another user, overriding his efforts to keep it private.

Reporters also found that Zoom automatically sent participants’ personal information to its data-mining tool even when no one in a meeting had activated it. This week, for instance, as high school students in Colorado signed in to a mandatory video meeting for a class, Zoom readied the full names and email addresses of at least six students — and their teacher — for possible use by its LinkedIn profile-matching tool, according to a Times analysis of the data traffic that Zoom sent to a student’s account.

The New York Times

The LinkedIn app has since been disabled “due to administrative issues” and users will be notified when the app is re-enabled, LinkedIn said in a message to the subscribers of the service.

It’s a combination of sloppy engineering and prioritizing growth. It’s very clear that they have not prioritized privacy and security in the way they should have, which is obviously more than a little concerning.

Jonathan Mayer, Assistant professor (Computer Science), Princeton University

Yuan explains, “Our platform was built primarily for enterprise customers,” which is remarkable considering they had a vulnerability with network path links that can steal a user’s username and password.

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively.”

What can you do to protect yourself?

With the constant barrage of security vulnerabilities being discovered almost daily, we think now is the time to try alternatives, then maybe see if Zoom has plugged its security holes after 90 days.

Stay tuned to Platform De.Central for news regarding Zoom alternatives.

By Platform De.Central | Source: The New York Times, Motherboard


