Zoom: Thousands of calls found via web search, thanks to default file naming scheme after users saved them in unprotected spaces like open AWS S3 buckets


Everyone is using Zoom for everything from pandemic family gatherings to A.A. meetings to therapy sessions to teaching college classes, but newly revealed security vulnerabilities in the app are very concerning.

The contents of thousands of video calls made on the app Zoom were exposed on the open web, and easily available via common web search tools.

The Washington Post reports that many of the videos, which callers assumed were private, include personally identifiable information and deeply intimate conversations, recorded in people’s homes.

Drew Harwell for the Washington Post:

Many of the videos appear to have been recorded through Zoom’s software and saved onto separate online storage space without a password. But because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos that anyone can download and watch.

Zoom videos are not recorded by default, though call hosts can choose to save them to Zoom servers or their own computers. There’s no indication that live-streamed videos or videos saved onto Zoom’s servers are publicly visible.

But many participants in Zoom calls may be surprised to find their faces, voices and personal information exposed because a call host can record a large group call without participants’ consent. (Call participants are given a notification when a host starts to record.) The Washington Post is not revealing the naming convention that Zoom uses, and Zoom was alerted to the issue before this story was published.

Read more:

Thousands of Zoom video calls left exposed on open Web

And here is another previously revealed and purportedly now-fixed security vulnerability with Zoom:

Zoom shares your information with Facebook, lawsuit says