Your boss may not be the only one secretly replaying your Zoom meetings.
Thousands of recorded Zoom meetings are floating around the open web — available for anyone to watch. The exposed video calls include private business discussions, casual friend conversations, therapy sessions, and, yes, nudity, and many appear to have been made public by mistake.
The news, reported by the Washington Post, is yet another privacy blow in a long line of privacy blows to Zoom. At issue is the file-naming convention used by Zoom to label recorded meetings. It is unique enough that security researcher Patrick Jackson, who alerted the Post to the issue, found 15,000 examples when he ran a scan of unsecured cloud storage.
But you don’t even need to look that hard, as a quick search for the Zoom file name on YouTube, Google, and Vimeo by Mashable revealed scores and scores of recorded calls.
One such video, clearly not intended to be uploaded, included what appeared to be a therapist speaking to his patient. The two discussed the patient’s thoughts about self harm, among other incredibly sensitive topics. It was posted online Friday.
Now, it’s important to note that these meetings were uploaded — perhaps mistakenly, in some cases — by someone who initially had access to them. Zoom allows paid users the ability to save recordings to the cloud (i.e. Zoom’s servers). Those video recordings aren’t the ones exposed on the open web. Rather, recordings saved to someone’s computer, and then later uploaded, are what’s at issue today. For example, someone may accidentally upload their own private Zoom conversation to the internet, be that a therapy session or a call with a friend. Then there are the businesses that automatically upload recorded Zoom meetings to a private server, but may have misconfigured the server in such a way that it’s not actually private. Someone who accesses the server can then download those recordings (which all have the same file name) as they please.
However, just because it’s the users who screwed up doesn’t let Zoom off the hook. As is the case with frequently unsecured Amazon S3 buckets, if the design of a system leads thousands of people to make the same mistake then perhaps there’s a failure of design — or at least of communication.
Notably, Zoom lets its users know that recordings of their calls will all have the same default file name. That this could turn out to be problematic clearly didn’t occur to anyone at the company.
Like the Washington Post, we are choosing not to link to the Zoom page detailing the file format, and choosing not to specify what it is in an attempt to preserve some — albeit small — element of people’s privacy.
We reached out to Zoom for comment but received no immediate response. Hopefully, the company is busy notifying customers that their files are easily searchable on the open web.
In the meantime, if you’re concerned about your privacy, trying using a Zoom alternative — or at the very least don’t let anyone record a sensitive meeting.
UPDATE: April 3, 2020, 11:48 a.m. PDT: In an emailed statement, a Zoom spokesperson made clear that users should exercise “extreme caution” when uploading recorded Zoom meetings to the internet.
The statement, in full:
Zoom notifies participants when a host chooses to record a meeting, and provides a safe and secure way for hosts to store recordings. Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud. Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.