A security vulnerability in the videoconferencing software Zoom made it possible for users who had not yet been admitted to a meeting to watch it anyway. Zoom offers a “waiting room” in which everyone who wants to join a meeting can be held. The host of the meeting can then admit people from the waiting room into the meeting. This is meant to prevent direct access to the meeting.
It turned out that the Zoom servers automatically sent a live video stream of the meeting, together with the meeting's decryption key, to all users in the waiting room. Anyone in the waiting room could therefore watch the meeting, even if the host had not granted them access. Zoom recommends the waiting room precisely as a measure against abuse such as Zoom-bombing. The audio stream of the meeting was not sent to people in the waiting room.
Researchers from Citizen Lab, a laboratory that is part of the University of Toronto, discovered the vulnerability and reported it to Zoom at the beginning of April. On April 7, Zoom applied a security update to its own servers, which fixed the vulnerability. Citizen Lab has now made the details of the vulnerability public.
Earlier, Citizen Lab published an extensive report about a range of problems with Zoom, including the encryption used and the fact that encryption keys of non-Chinese users were sent to Chinese servers. In addition, it appears that Zoom, an American company, owns three Chinese companies with around 700 employees, who are paid to develop the Zoom software. In the meantime, Zoom has stopped using Chinese servers for non-Chinese users. The company also says it will implement end-to-end encryption, but this may still take months.