Zoom's 'Company Directory' feature pooled thousands of personal email addresses, exposing user data
What you need to know
- Zoom has a 'Company Directory' feature which pools users of the same domain name, making it easier to find colleagues if you work in the same company.
- However, countless users are saying that their personal email addresses have been pooled with thousands of random people.
- Personal data including full names, mail addresses, profile picture and statuses were all shared with strangers.
The dumpster fire that is Zoom's security and privacy practices continues to rage after it emerged that Zoom's 'Company Directory' feature pooled thousands of strangers together, exposing personal data.
According to a report from Motherboard
The report cites users who created Zoom accounts and were met with the information of some 995 other people they had never met or heard of, including their names, images and mail addresses.
The above screenshot provided to the initial report shows an instance of the 'Company Directory' feature, and how it pooled together hundreds of random users. The report notes that on Zoom's website, it explains the directory feature as follows:
However, as Vice has noted, Zoom seems to have forgotten about a few personal domains, notably several Dutch ISPs and their domains, xs4all.nl, dds.nl, and quicknet.nl. On Twitter, the found other instances of Dutch users reporting the issue.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE— Jeroen J.V Lebon #UEMFirst :wq (@JJVLebon) March 23, 2020March 23, 2020
The revelation is another extremely unnerving blunder in Zoom's privacy and security practices, that have been exposed recently since the app's surge in popularity, driven by global social distancing measures.
In the last week alone it has emerged that Zoom's calls are not end-to-end encrypted despite several claims that they are, that Zoom was previously sending user data to Facebook even if they didn't have Facebook accounts, a flaw it has rectified and that Zoom uses a "very shady" pre-installation protocol for macOS, the same kind used by macOS malware to bypass macOS security.
Master your iPhone in minutes
iMore offers spot-on advice and guidance from our team of experts, with decades of Apple device experience to lean on. Learn more with iMore!
It's important to note that as mentioned, this does not affect users with common email addresses such as Gmail, Yahoo or Hotmail accounts, however, Zoom appears to have missed enough personal email domains such that thousands of users have had their personal data shared with strangers.
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design. Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9