There is a problem with quality at Zoom. My day-to-day job involves dealing with servers and valuable data, and I already made it clear that I can’t use the Zoom app because of safety concerns. That being said, I don’t believe Zoom has malicious goals; they are just not very security minded (or knowledgeable). I believe they like to take shortcuts that put your machine, data and privacy at risk.
> That being said, I don’t believe zoom has malicious goals
How many "mistakes" do they have to make before you reconsider? They lied to their users for years that their software was end-to-end encrypted. They sent users' data along with their keys through servers in China. They rolled out their own encryption system, lied about what algorithms they were using, and the encryption they were actually using had well-known weaknesses. If they aren't outright malicious, they've somehow managed to maintain a level of incompetence that's just as harmful.
Can you use the browser? I’ve used Zoom once; I just launched it in the browser and that’s about it. The browser is a godsend when it comes to sketchy apps that I’m forced to use.
I use the browser when Zoom is the only option; otherwise I try to use an alternative web solution. Zoom in the web browser is fine, but I always recommend using an alternative where user safety and transparency are a priority.
> they are just not very security minded (or knowledgeable)
I argue that they are definitely knowledgeable and capable of security. The nuance is they care about their own security, not the users'.
Case in point: their macOS installer abuses the pre-installation step to fake a system prompt to obtain root, very much like malware. Before you actually click install, it's already done [1].
In this case it was merely a shortcut to reduce the number of clicks to install, but it clearly betrays their disregard for user control & security.
A solution is only as safe as the most reckless and least knowledgeable person with root access they employ. I'm convinced they have lots of knowledgeable people, but they have proved over and again that they also have many bad apples cutting corners and putting everyone at risk.
I think this might have been true in the past, but I don't think it is true any longer. Zoom grew at a wild pace during the early days of the pandemic, and with that came security issues. However, they recognised that and invested in security.
I have previously reported bugs to Google, including one where they simply didn't put any auth on an API endpoint for a new feature, allowing access to any account's data. That is a massive oversight, but at Google scale we realise these things happen, and the more important consideration is how companies respond.
Zoom have a private bug bounty program, but I previously disclosed Zoom bugs publicly [1] as I didn't think their bug bounty program was worthwhile engaging with.
However, they overhauled it, and now, of the dozens of private programs I am part of, Zoom's is one of the absolute best. The payouts are great, the team actively engages with the researchers, and they seem to legitimately care about getting things right.
Are they perfect? Of course not. But I would feel safer on a Zoom call than on a call with many competitors who simply don't get as much scrutiny.