Thousands of Zoom video call recordings have been left exposed on the open web, according to a report by The Washington Post.
Among some videos that the news outlet sighted included personal therapy sessions, company business meetings involving private financial records, and online classes where schoolchildren’s details were visible to anyone viewing the recordings.
The report stated that the videos can be viewed and downloaded through a “simple online search” because Zoom video recordings are named in an identical way, making it all too easy for anyone so inclined to download and view thousands more such videos.
The report also claimed that the videos may have been recorded through Zoom’s own software and stored onto separate online storage space without passwords, and that the leak does not affect videos that remain with Zoom’s own system.
To be clear, Zoom videos are not recorded by default, but those hosting video calls can choose to record them and save to either Zoom servers or their own computers without participants’ consent. However participants apparently will receive a notification when a host starts to record, according to the report.
Privacy software company Disconnect’s technology chief Patrick Jackson, who is also a former researcher for the US National Security Agency, alerted the news outlet about the exposed Zoom video recordings, saying he believed that Zoom could “do a better job” at reminding users to protect their videos.
He also suggested that the company change the naming convention of the videos to make them “harder to find”.
Jackson shared that he found the videos though a free online search engine that scans open cloud storage space online. Using Zoom’s default naming conventions, one search for such recordings yielded more than 15,000 results.
The videos can be found on unprotected sections of Amazon storage space, also known as “buckets”, and have even been uploaded onto sites like YouTube and Vimeo. According to the Washington Post’s article, “Amazon buckets are locked down by default, but many users make the storage space publicly accessible either inadvertently or to share files with other people.”
On a recent Twitter post where he shared a link to the Washington Post article, Jackson urged other users to “only record video calls if you absolutely need to and always secure them wherever they’re hosted”.
The company has since issued a statement urging users to be careful of where they save their Zoom videos and also to be mindful of the information that is recorded in the videos.
Zoom said that it “provides a safe and secure way for hosts to store recordings” and provides guidelines on how users can enhance their call security.
“Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations,” the company said in a statement to The Washington Post.
Video conferencing app Zoom has seen a surge in popularity with users who are staying home due to Covid-19.
Chief executive officer Eric Yuan claimed that Zoom has reached “more than 200 million daily meeting participants” in March, compared to the maximum 10 million daily meetings participants reported in 2019.
However, it has also recently been plagued with security issues such as ‘Zoombombing‘, where virtual intruders hack into video meetings to spam users with pornographic images or offensive slurs.