24 votes

Thousands of Zoom cloud recordings have been exposed on the web because of the way Zoom names its recordings in unprotected AWS buckets

9 comments

  1. [6]
    Deimos

    As Axios put it yesterday, Zoom's moment of glory has been heavily tarnished by this point. However, I think this might be the worst revelation yet, and one that's far more understandable to everyone.

    A lot of the other complaints have been quite technical and too far on the "inside baseball" end. Technical people have been getting upset about things like them using the term "end-to-end encryption" falsely, but the large majority of people really don't understand or care about the distinction. This other report I posted today is similar—it's definitely bad, but not in a way that's going to get non-technical small-business owners or similar people concerned.

    "Your recorded calls were just up on the internet for anyone to find, watch and download" is a different level, and one that might actually cause a significant backlash.

    19 votes
    1. [5]
      DougM

      I think you touch on a key point. I'm currently a junior at a University in Colorado and all of our classes have switched to an online platform - with most professors opting to use Zoom to continue their instruction. Most students and professors just don't grasp the situation nor do they have a desire to. It's simply a convenient way for everyone to continue the semester.

      3 votes
      1. [4]
        Atvelonis

        I think that people on places like Tildes and Reddit massively underestimate just how apathetic most people are about these things. A significant amount of Zoom's increased traffic is just students; not only do they not care very much about their privacy ("It doesn't even matter; nobody wants to watch me sit in class"), but there is absolutely no way that institutions whose faculty have just barely gotten the hang of the platform are going to switch to something else for privacy reasons. It just isn't worth it.

        6 votes
        1. [2]
          stu2b50

          "It doesn't even matter; nobody wants to watch me sit in class"

          I mean tbf it's kinda true, there's no real reason for students to worry about their privacy in online classes when there was no expectation of that to begin with, nor any sensitive information. In fact, many of them are recorded and provided anyway.

          A bigger deal for businesses and government.

          2 votes
          1. DougM

            Initially I agree with you but then I'm reminded that Zoom is also being used by elementary schools - which makes me uneasy. I find it difficult to believe that these vulnerabilities can't be used to exploit the privacy of children.

            With that said, where do you draw a line of concern? At my university, a middle of the road state university, students use Zoom for one-on-one office hours where sensitive information can be discussed. A family member is using it for therapy sessions through their University as well.

            Personally, that doesn't sit well.

            2 votes
        2. teaearlgraycold

          I'm a software developer and have been using Zoom daily since the pandemic forced me to work remotely. I also don't really care since I only have the software on my work computer and don't foresee any of these security issues impacting my employment.

  2. [3]
    Pistos

    Now hang on. If I read this right, the issue is not that Zoom (the company or software) put video files in publicly-accessible places, but the users of Zoom put (or had them put -- wittingly or not) video files in publicly-accessible places. Is that right?

    1 vote
    1. [2]
      Diff

      Not quite sure I'm following you. Zoom has a record feature. If you use it, your videos are available to anyone with a link. Fairly normal. Problem is, if I'm understanding it correctly, you can just skip the link. All the files are named predictably. For example 1.mp4, 2.mp4, 3.mp4. So if you know where to look you can just take a stroll through every Zoom meeting that's been recorded.

      2 votes
      1. PendingKetchup

        My reading of the article is that the Washington Post is complaining that when you save a Zoom recording it saves it as e.g. ZoomRecording001.mp4 on your hard drive, so that if you just drop the file onto a completely public and unprotected Web server or AWS bucket, then people can Google for "ZoomRecording001.mp4" and find it:

        Many of the videos appear to have been recorded through Zoom’s software and saved onto separate online storage space without a password. It does not affect videos that remain with Zoom’s own system.

        They're not complaining that Zoom is dumping the recordings in an AWS bucket where people can get them. As far as I can tell that's not happening. It seems like the article's argument is "well Zoom should have known that people would accidentally publicly post stuff they didn't want to be public, and Zoom should have randomized everyone's filenames to protect them from themselves".

        Which... maybe? You can have some pretty strong duty-of-care type obligations when making software that you know is going to be used by total noobs who are also in grave danger. But it's hardly the sort of gaping privacy flaw you want to headline a news article with, seeing as it also affects every cell phone, every digital camera, and the Windows right click -> new menu.

        4 votes