Thousands of Zoom cloud recordings have been exposed on the web because of the way Zoom names its recordings in unprotected AWS buckets
Linked article: Thousands of Zoom video calls left exposed on open Web (1179 words)
As Axios put it yesterday, Zoom's moment of glory has been heavily tarnished by this point. However, I think this might be the worst revelation yet, and one that's far more understandable to everyone.
A lot of the other complaints have been quite technical and too far on the "inside baseball" end. Technical people have been getting upset about things like them using the term "end-to-end encryption" falsely, but the large majority of people really don't understand or care about the distinction. This other report I posted today is similar—it's definitely bad, but not in a way that's going to get non-technical small-business owners or similar people concerned.
"Your recorded calls were just up on the internet for anyone to find, watch and download" is a different level, and one that might actually cause a significant backlash.
I think that people on places like Tildes and Reddit massively underestimate just how apathetic most people are about these things. A significant amount of Zoom's increased traffic is just students; not only do they not care very much about their privacy ("It doesn't even matter; nobody wants to watch me sit in class"), but there is absolutely no way that institutions whose faculty have just barely gotten the hang of the platform are going to switch to something else for privacy reasons. It just isn't worth it.
I mean tbf it's kinda true, there's no real reason for students to worry about their privacy in online classes when there was no expectation of that to begin with, nor any sensitive information. In fact, many of them are recorded and provided anyway.
A bigger deal for businesses and government.
I'm a software developer and have been using Zoom daily since the pandemic forced me to work remotely. I also don't really care since I only have the software on my work computer and don't foresee any of these security issues impacting my employment.
Now hang on. If I read this right, the issue is not that Zoom (the company or software) put video files in publicly-accessible places, but the users of Zoom put (or had them put -- wittingly or not) video files in publicly-accessible places. Is that right?
Not quite sure I'm following you. Zoom has a record feature. If you use it, your videos are available to anyone with a link. Fairly normal. Problem is, if I'm understanding it correctly, you can just skip the link. All the files are named predictably. For example 1.mp4, 2.mp4, 3.mp4. So if you know where to look you can just take a stroll through every Zoom meeting that's been recorded.
My reading of the article is that the Washington Post is complaining that when you save a Zoom recording it saves it as e.g.
ZoomRecording001.mp4
on your hard drive, so that if you just drop the file onto a completely public and unprotected Web server or AWS bucket, then people can Google for "ZoomRecording001.mp4" and find it:
They're not complaining that Zoom is dumping the recordings in an AWS bucket where people can get them. As far as I can tell that's not happening. It seems like the article's argument is "well Zoom should have known that people would accidentally publicly post stuff they didn't want to be public, and Zoom should have randomized everyone's filenames to protect them from themselves".
Which... maybe? You can have some pretty strong duty-of-care type obligations when making software that you know is going to be used by total noobs who are also in grave danger. But it's hardly the sort of gaping privacy flaw you want to headline a news article with, seeing as it also affects every cell phone, every digital camera, and the Windows right click -> new menu.