Thousands of Zoom cloud recordings have been exposed on the web because of the way Zoom names its recordings, according to a report by The Washington Post. The recordings are apparently named in “an identical way” and many have been posted onto unprotected Amazon Web Services (AWS) buckets, making it possible to find them through an online search.
Zoom tells The Verge that its servers or servers it controls have not been exposed — the exposed videos are likely ones that people recorded locally and uploaded to other services, according to the company.
One search engine that can look through cloud storage space turned up more than 15,000 Zoom recordings, according to The Washington Post. “Thousands” of clips have apparently also been uploaded to YouTube and Vimeo. The Washington Post said it was able to view recordings of therapy sessions, orientations, business meetings, elementary school classes, and more.
Zoom has been notified of the issue, reports The Washington Post, but it’s unclear if the company will be changing how it names videos.
“Zoom notifies participants when a host chooses to record a meeting, and provides a safe and secure way for hosts to store recordings,” Zoom said in a statement to The Verge. “Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud. Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.”
Zoom has come under intense scrutiny over its security and privacy practices because of the massive surge in users while people are forced to stay home due to the novel coronavirus, and a number of issues have come to light. Just yesterday, Zoom fixed its “malware-like” macOS installer and patched a Windows vulnerability, and LinkedIn suspended a Zoom integration that exposed users’ LinkedIn profiles. But the company also committed to a 90-day feature freeze to focus on fixing privacy and security issues.
Correction: We have removed language implying that Zoom has control over the hosting of the AWS buckets.
Update April 5th, 3:06PM ET: Added further context from Zoom.