Zoom Stops Transferring Data by Default to FacebookPrivacy Gaffe Blamed on Facebook's iOS Software Development Kit
Privacy alert: Popular audio and video conferencing software developer Zoom was sharing a subset of iOS users' data - including IP address and device model - by default with Facebook. But Zoom on Friday apologized for having done so, blaming the data transfer on a Facebook software development kit for iOS that it says it's now excised from the Zoom iOS app.
With the COVID-19 pandemic driving unprecedented levels of remote working, users are relying on video and audio conferencing software more than ever. But from a security and privacy standpoint, should they trust such software?
That's a question being asked by more security and privacy researchers, who in recent weeks have begun taking a closer look at remote-working tools, as more workers are being driven to self-quarantine or follow government's "stay at home" guidance (see: 9 Cybersecurity Takeaways as COVID-19 Outbreak Grows).
On Friday, in response to privacy concerns, Zoom announced that it had released an update for its iOS app that removed Facebook's SDK, which allowed users to log into Zoom using their Facebook credentials. Zoom says it has “reconfigured” its app to allow people to still use their Facebook credentials for Zoom, but via a browser.
Zoom's move followed Motherboard reporting that Facebook’s SDK had been sending a variety of data to the social network when users opened the Zoom app on iOS, even if they did not use their Facebook login. Motherboard said its finding had been verified by Will Strafach (@Chronic), an iOS researcher who also created the privacy-focused iOS app Guardian.
absolutely wild how companies are comfortable admitting that they have no clue what kinds of code they are including in their apps, and have to be “made aware” of what their own apps are doing. https://t.co/Lkph6Pdnaf— Will Strafach (@chronic) March 28, 2020
Zoom on Friday confirmed that Facebook’s SDK was collecting such data such a user's IP address, device carrier, device model and time zone, among other information.
“We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy,” Zoom says in a statement. “We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again.”
But Strafach says it's "absolutely wild" that a company such as Zoom would add Facebook's SDK to its code without first identifying everything the SDK might be doing, not least with user data.
'Social' Logins Share Data
Facebook’s SDK for iOS includes a variety of features, such as analytics tools, functionality for easily sharing information between an app and Facebook, and ways to plug into Facebook’s advertising network. The SDK also facilitates Facebook's “social” login, which is a single-sign-on feature that allows someone to use their Facebook access credentials to authenticate to third-party services.
Such convenience features, however, often come with a privacy trade-off. Using a social login - for example, for Google or Facebook - typically means those services gain access to some kinds of data that they would not otherwise see. As a result, the services can add the data to the vast repositories they already maintain, to use it to deliver more targeted advertising.
Social single-sign-on implementations can also pose security risks. For example, if an attacker gains access to a user's Facebook account credentials, they could potentially use them to authenticate, as that user, to a broad range of services, such as Zoom (see: Experts' View: Avoid Social Networks' Single Sign-On).
Previous Zoom Fixes
Audio and video conferencing applications are not devoid of flaws, some of which may be exploitable by attackers. Earlier this year, for example, Zoom corrected a flaw in its software that could have allowed uninvited individuals to join and eavesdrop on meetings. The problem arose because attackers in some cases could simply guess legitimate meeting IDs, according to security firm Check Point, which discovered the problem.
The potential exposure was easy to block - provided a call organizer required all participants to use a password to join any meeting, which at the time was an optional feature. As part of its remediation, Zoom made it mandatory for meeting organizers to require attendees to enter a password (see: Zoom Fixes Flaw That Could Allow Strangers Into Meetings).
Last year, Zoom also fixed a serious problem identified by security researcher Jonathan Leitschuh, who discovered a vulnerability that an attacker could use to force the launch of Zoom's software on a system, sometimes with the device’s video camera active.
In his research, Leitschuh found that Zoom also left a remote web service installed on Mac computers even if the application itself was uninstalled, which could potentially be used by attackers to remotely execute code. Due to the risk posed by the left-behind server, Apple issued a rare OS update that excised the unwanted Zoom software from every user's system (see: Apple Issues Silent Update to Remove Old Zoom Software).
(Executive Editor Mathew Schwartz contributed to this story.)