A prominent privacy rights group has filed a complaint with the Federal Trade Commission against Zoom, asking the commission to open an investigation into the company’s practices after a security researcher disclosed several vulnerabilities in the Zoom video conferencing client for Macs last week.
The complaint filed by the Electronic Privacy Information Center (EPIC) alleges that “Zoom intentionally designed their web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the consent of the user.” EPIC also alleges that Zoom officials didn’t respond to the researcher’s reports quickly enough, putting users at “risk of remote surveillance, unwanted videocalls, and denial-of-service attacks.”
EPIC’s complaint, filed July 11, comes after security researcher Jonathan Leitschuh disclosed three vulnerabilities he found in the macOS Zoom client earlier this year. The most serious of the vulnerabilities allowed an attacker to force a victim to join a video call with her camera turned on. Another bug could be used to send a victim’s Zoom client into an infinite loop of trying to join Zoom calls. The bugs are all connected to the presence of a local web server that the Zoom macOS client installs. The web server stays behind even after the client is removed and will respond to requests.
Leitschuh informed the company about the weaknesses in March and went through several months of emails and calls with the company’s security team about the severity of the problems and potential fixes before ultimately disclosing the flaws on July 8. Zoom officials initially defended the presence of the web server as a workaround for a setting in Safari, but then issued a patch that removed the server once a user uninstalled the Zoom client. Apple took action of its own as well, pushing a silent patch to Macs that removed the web server before the Zoom patch was ready. Security researchers criticized Zoom’s slow response to Leitschuh’s report, and Zoom CEO Eric Yuan said on July 10 that “we misjudged the situation and did not respond quickly enough.”
In its complaint to the FTC, EPIC said that the installation of the local web server and Zoom’s slow response put its customers at risk without their knowledge and without the ability to defend themselves.
“Zoom’s actions—including its decision to install a hidden web server on users’ Macs and require consumers to manually change their default camera settings—placed users at risk of severe violations of their privacy. Zoom customers risked consequences including: remote surveillance through hackers viewing a video stream from users’ computers without their knowledge, an attacker implementing a Denial of Service (DOS) attack through sending repeated HTTP GET requests, or users being launched into a video call with an advertiser without his or her consent. These privacy intrusions can have severe results, from illicit photographs or video being taken for sale to distribution of information for the purposes of physical harm,” the complaint says.
The group asked the FTC to investigate Zoom’s actions in this case and also to look into the vulnerabilities that Leitschuh discovered. EPIC also asked the commission to force Zoom to notify all past and present users about the flaws and the available patches, remove the local web server from every customer’s machine, and change the default video setting for calls to off. On July 14, Zoom issued an update that makes a change to the default video setting, but doesn’t turn it off completely.
“Zoom has implemented a video preview feature that pops up before any participant joins a meeting where their video will be on. The participant is able to opt to join with video, opt to join without video, or dismiss the prompt to not join the meeting at all. Additionally, the participant may also check a box to always see the video preview when joining a video meeting (this box will be checked by default),” the company said.
EPIC has had some notable successes with this kind of complaint in the past, including a 2009 complaint against Facebook over privacy settings. That complaint led to a 2011 consent order by the FTC against Facebook, which led to a reported $5 billion fine just last week.