Zoom: Every security issue uncovered in the video chat app

With the novel coronavirus causing a surge in work-from-home activity, Zoom has quickly become the video meeting app of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March. And with that popularity comes its privacy risks extending to a greater number of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (where uninvited attendees break into and disrupt meetings), Zoom's security practices have been drawing more attention -- along with three lawsuits against the company.

Here's everything we know about the Zoom saga, and when it happened. If you aren't familiar with Zoom's security issues, you can start from the bottom and work your way up to the most recent information. We'll continue updating this story as more issues and fixes come to light.

Read more: Using Zoom for work? Here are the privacy risks to watch out for

April 6

Some school districts ban Zoom

School districts began banning teachers from using Zoom to teach remotely in the midst of the coronavirus outbreak, citing security and privacy issues surrounding the videoconferencing app. New York's Department of Education urged schools to switch to Microsoft Teams "as soon as possible," Chalkbeat reported.

Zoom accounts found on the dark web

Cybersecurity firm Sixgill revealed that it discovered an actor in a popular dark web forum had posted a link to a collection of 352 compromised Zoom accounts. Sixgill told Yahoo Finance that these links included email addresses, passwords, meeting IDs, host keys and names, and the type of Zoom account. Most were personal, but not all.

"One belonged to a major US health care provider, seven more to various educational institutions, and one to a small business," Sixgill told Yahoo Finance.

Read more: Zoombombing: What it is and how you can prevent it

Zoom seeks to grow its lobbying presence in Washington

Zoom's response to security concerns pivoted to Washington, DC. The company told Politico it was looking to grow its lobbying presence in Washington, and had hired Bruce Mehlman, a former assistant secretary of commerce for technology policy under President George W. Bush.

Urging an FTC investigation

In an open letter, the Electronic Privacy Information Center urged the Federal Trade Commission to investigate Zoom and issue privacy guidelines for videoconferencing platforms.

Sen. Richard Blumenthal, a Connecticut Democrat more recently known for spearheadingĀ  legislation that critics say could cripple modern encryption standards, called on the FTC to investigate Zoom over what he described as "a pattern of security failures and privacy infringements."

Third class action lawsuit filed

A third class action lawsuit was filed against Zoom in California, citing the three most significant security issues raised by researchers: Facebook data-sharing, the company's admittedly incomplete end-to-end encryption, and the vulnerability which allows malicious actors to access users' webcams.

Read more: 10 free Zoom alternative apps for video chats

April 5

Calls mistakenly routed through Chinese whitelisted servers

In a statement, Zoom admitted that some video calls were "mistakenly" routed through two Chinese whitelisted servers when they should not have been. Certain meetings were "allowed to connect to systems in China, where they should not have been able to connect," it said.

April 4

Another Zoom apology

"I really messed up as CEO, and we need to win their trust back. This kind of thing shouldn't have happened," Zoom CEO Eric Yuan told the Wall Street Journal in a lengthy interview.

Surveying the damage to the company's reputation, Yuan described how Zoom pushed for expansion in an effort to accommodate workforce changes during the early stages of the COVID-19 outbreak in China.

April 3

Zoom video call records left viewable on the web

An investigation by the Washington Post found thousands of recordings of Zoom video calls were left unprotected and viewable on the open web. A large number of the unprotected calls included discussion of personally identifiable information, such as private therapy sessions, telehealth training calls, small-business meetings that discussed private company financial statements, and elementary school classes with student information exposed, the newspaper found.

Attackers planning 'Zoomraids'

Reporting from both CNET and the New York Times revealed social media platforms, including Twitter and Instagram, were being used by anonymous attackers as spaces to organize "Zoomraids" -- the term for coordinated mass Zoombombings where intruders harass and abuse private meeting attendees. Abuse reported during Zoomraids has included the use of racist, anti-Semitic and pornographic imagery, as well as verbal harassment.

Zoom apologizes, again

Zoom conceded that its custom encryption is substandard after a Citizen Lab report found the company had been rolling its own encryption scheme, using a less secure AES-128 key instead of the AES-256 encryption it previously claimed to be using. In a direct response, Yuan said publicly, "We recognize that we can do better with our encryption design."

Second class action lawsuit filed

Tycko and Zavareei LLP filed a class action lawsuit against Zoom -- the second suit against the company -- for sharing users' personal information with Facebook.

Congress requests information

Democratic Rep. Jerry McNerney of California and 18 of his Democratic colleagues from the House Committee on Energy and Commerce sent a letter to Yuan raising concerns and questions regarding the company's privacy practices. The letter requested a response from Zoom by April 10.

April 2

Automated tool can find Zoom meetings

Security researchers revealed an automated tool was able to find around 100 Zoom meeting IDs in an hour, gathering information for nearly 2,400 Zoom meetings in a single day of scans, as reported by security expert Brian Krebs.

The discoverable meetings were those left unprotected by passwords, but the tool was able to successfully generate meeting IDs up to 14% of the time, according to reporting from The Verge.

More plans for Zoombombing

Motherboard, meanwhile, discovered that 8chan forum users had planned to hijack the Zoom calls of a Jewish school in Philadelphia in an anti-Semitic Zoombombing campaign.

Data-mining feature discovered

The New York Times reported that a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users.

April 1

SpaceX bans Zoom

Elon Musk's SpaceX rocket company prohibited employees from using Zoom, citing "significant privacy and security concerns," as reported by Reuters.

More security flaws discovered

Reporting from MotherboardĀ again revealed another damaging security flaw in Zoom, finding the application was leaking users' email addresses and photos to strangers via a feature loosely designed to operate as a company directory.

Apologies from Yuan

Yuan issued a public apology in a blog post, and vowed to improve security. That included enabling waiting rooms and password protection for all calls. Yuan also said the company would freeze features updates to address security issues in the next 90 days.

March 30

The Intercept investigation: Zoom doesn't use end-to-end encryption as promised

An investigation by The Intercept found that Zoom call data was being sent back to the company without the end-to-end encryption promised in its marketing materials.

"Currently, it is not possible to enable E2E encryption for Zoom video meetings," a Zoom spokesperson told The Intercept.

More bugs discovered

After the discovery of a Windows-related Zoom bug that opened people up to password theft, two more bugs were discovered by a former NSA hacker, one of which could allow malicious actors to assume control of a Zoom user's microphone or webcam. Another of the vulnerabilities allowed Zoom to gain root access on MacOS desktops, a risky level of access at best.

First class action lawsuit filed

A class-action lawsuit was filed against the company, alleging that Zoom violated California's new data protection law by not obtaining proper consent from users about the transfer of their Zoom data to Facebook.

Letter from New York Attorney General sent

The office of New York Attorney General Letitia James sent Zoom a letter outlining privacy vulnerability concerns, and asking what steps, if any, the company had put in place to keep its users safe, given the increased traffic on its network.

Classroom Zoombombings reported

Reporting cases of classroom Zoombombings, including an incident where hackers broke into a class meetingĀ  and displayed a swastika on students' screens, led the FBI to issue a public warning about Zoom's security vulnerabilities. The organization advised educators to protect video calls with passwords and to lock down meeting security with currently available privacy features in the software.

March 27

Zoom removes Facebook data collection feature

Responding to concerns raised by the Motherboard investigation, Zoom removed the Facebook data collection feature from its iOS app and apologized in a statement.

"The data collected by the Facebook SDK did not include any personal user information, but rather included data about users' devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space," Zoom told Motherboard.

March 26

Motherboard investigation: Zoom iOS app sending user data to Facebook

An investigation by Motherboard revealed that Zoom's iOS app was sending user analytics data to Facebook, even for Zoom users who did not have a Facebook account, via the app's interaction with Facebook's Graph API.