Thousands of Zoom video calls left exposed on open Web
Drew Harwell April 3, 2020
Thousands of personal Zoom videos have been
left viewable on the open Web, highlighting the privacy risks to millions of
Americans as they shift many of their personal interactions to video calls in
an age of social distancing.
Videos viewed by The Washington Post included
one-on-one therapy sessions; a training orientation for workers doing
telehealth calls that included people’s names and phone numbers; small-business
meetings that included private company financial statements; and
elementary-school classes, in which children’s faces, voices and personal
details were exposed.
Many of the videos include personally
identifiable information and deeply intimate conversations, recorded in
people’s homes. Other videos include nudity, such as one in which an
aesthetician teaches students how to give a Brazilian wax.
Many of the videos appear to have been recorded
through Zoom’s software and saved onto separate online storage space without a
password. But because Zoom names every video recording in an identical way, a
simple online search can reveal a long stream of videos that anyone can
download and watch. The Washington Post is not revealing the naming convention
that Zoom uses, and Zoom was alerted to the issue before this story was
published.
Zoom videos are not recorded by default, but
call hosts can choose to record them and save to Zoom servers or their own
computers without participants’ consent, though participants do receive a
notification when a host starts to record.
The discovery that the videos are available on
the open Web adds
to https://www.washingtonpost.com/technology/2020/04/02/everybody-seems-be-using-zoom-its-security-flaws-could-leave-people-risk/ that
have come to public attention as the service became the preferred alternative
for American work, school and social life.
The company reached more than 200 million daily
users last month, up from 10 million in December, as people turned on their
cameras for Zoom weddings, funerals and happy hours at a time when face-to-face
gatherings are discouraged or banned.
Zoom said in a statement that it “provides a
safe and secure way for hosts to store recordings” and provides guides for how
users can enhance their call security. “Should hosts later choose to upload
their meeting recordings anywhere else, we urge them to use extreme caution and
be transparent with meeting participants, giving careful consideration to
whether the meeting contains sensitive information and to participants’
reasonable expectations,” the statement said.
Five people identified in the videos The Post
viewed said they had no idea how the footage made its way online.
“That definitely shouldn’t be happening,” said
Jack Crann, the owner of the Connecticut dog-training company Peace of Mind
Canine, after a Post reporter alerted him to a video that included private
financial details. “That was a meeting for us, and shouldn’t be put out for the
public.”
Patrick Jackson, the technology chief of the
privacy-software company Disconnect and a former researcher for the National
Security Agency, who alerted The Post to the exposed data, said Zoom could do a
better job at cautioning people to protect their videos. Zoom could also help
by implementing design tweaks, such as naming videos in an unpredictable way to
make them harder to find.
Jackson found the videos by using a free online
search engine that scans through open cloud storage space online. One search
for recordings, using Zoom’s default naming convention, revealed more than
15,000 results.
“This was stuff I didn’t feel good watching,
and I doubt all of the people here know these videos are public,” he said.
Many of the videos can be found on unprotected
chunks of Amazon storage space, known as buckets, which are widely used across
the Web. Amazon buckets are locked down by default, but many users make the
storage space publicly accessible either inadvertently or to share files with
other people. (Amazon CEO Jeff Bezos owns The Post.)
Thousands of other Zoom clips, all of them
named in the same way, have been uploaded onto the video sites YouTube and
Vimeo. In one clip posted Wednesday, a class of second-grade students can be
seen learning about money while logged in from home.
The problem is not exclusive to Zoom video or
Amazon storage. But in designing their service, Zoom’s engineers bypassed some
common security features of other video-chat programs, such as requiring people
to use a unique file name before saving their own clips. That style of
operating simplicity has powered Zoom to become the most popular video-chat
application in the United States, but it has also frustrated some security
researchers who believe such shortcuts can leave users more vulnerable to hacks
or abuse.
The service has also attracted the scrutiny of
members of Congress, who have questioned its privacy and security measures at a
time when Americans are signing on en masse. A group of 19 House
Democrats https://mcnerney.house.gov/sites/mcnerney.house.gov/files/Letter%20to%20Zoom_04.03.2020.pdf seeking
details on Zoom’s data-collection and recording rules, writing, “Our new
dependency on such solutions raises important questions about the privacy
practices of the companies many of us are interacting with for the first time.”
Zoom chief executive Eric Yuan acknowledged in
a https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ Wednesday
night that his company’s service is being used far more extensively than he had
contemplated when he founded the company in 2011. “We did not design the
product with the foresight that, in a matter of weeks, every person in the
world would suddenly be working, studying, and socializing from home,” he
wrote. The system’s new user base, he said, was using Zoom in a number of
“unexpected ways, presenting us with challenges we did not anticipate when the
platform was conceived.”
Yuan also apologized for Zoom falling short of
users’ “privacy and security expectations” and said the company would be
freezing new features for 90 days and redirecting its engineers to tackling
security flaws.
As millions more people try Zoom, researchers
have pointed to software and privacy concerns they worry could leave people’s
computers at risk. Teams have highlighted security flaws that could allow
strangers to steal log-in information, view messages and take control of users’
cameras and microphones.
The service has also been abused by
“zoombombing” trolls, who have invaded unlocked Zoom meetings to share
pornography and spew racist slurs. Zoom officials said this week they were
working overtime to patch security flaws and identify abusers to “ensure this
doesn’t happen again.”
The publicly exposed videos could be a surprise
for people who expected their sensitive discussions would be kept private. But
they could also put people at real personal risk.
Ruth Schwartz, the director of Conscious
Girlfriend, a relationship-support group for lesbian and queer women, said she
was alarmed to learn that videos of her group sessions could be viewed online,
including one in which women talked about how they recovered from toxic
relationships.
Schwartz said she went back to protect the Zoom
videos and said she was worried about groups like hers, in which some women
have not publicly shared their sexual orientation.
“It’s a really important wake-up call,” she
said. “Social connection is one of the biggest predictors of mental and
physical health … It’s so important for all of us who do this kind of sensitive
work to take the precautions to protect our communities.”
Geoffrey Fowler contributed to this report.