Researchers have discovered thousands of private Zoom recordings exposed online, in another blow to the firm’s security credentials as it struggles to support a huge surge in users.
Former NSA researcher Patrick Jackson told The Washington Post that he was able to find the videos via a simple cloud storage search.
Many of them were apparently stored in Amazon Web Services (AWS) S3 buckets without passwords, and because the Zoom default naming convention is relatively easy to guess, they were simple to find.
One search for videos named in this way apparently revealed 15,000 separate recordings, some of them containing highly sensitive information.
These ranged from elementary school remote classes, featuring the faces of students, to private therapy sessions, business meetings including financial details and even a beauty therapist demonstrating to students how to give a Brazilian wax.
Zoom allows users to record and save meetings to its own cloud service, but it also offers customers the choice of saving videos to their preferred location, without a password.
It’s the latter type that appear to have been exposed, with experts arguing that the firm should mitigate the issue by forcing users to create a unique file name when saving videos.
In a statement, Zoom clarified that it offers users a “safe and secure” way to store their recordings.
“Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud,” it said.
“Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants' reasonable expectations.”
The news comes after a tough week for the video conferencing platform, which has seen daily meeting participants grow from 10 million in December to roughly 200 million in March.
CEO Eric Yuan listed a range of measures the firm was taking to improve privacy and security including: patches for three new zero-day bugs, the removal of the Facebook SDK in its iOS client, after privacy complaints and clarification of new default settings to help prevent “Zoombombing.”
Yuan also announced a “feature freeze” which will see all engineering resources shifted to focus on trust, safety and privacy issues.