
Zoom Blow as Thousands of User Videos Are Found Online - LinuxBender
https://www.infosecurity-magazine.com/news/zoom-blow-thousands-user-videos/
======
LinuxBender
Submitting this so folks can discuss the actual root causes of the problem,
because this may not be a zoom issue at all. Discussing with coworkers, we can
see that the paid version allows saving to the cloud and users don't select
the location, but the users of the free version may also be uploading directly
to Youtube and S3.

This article does not really make it clear to us that this is an issue of Zoom
uploading to unauthenticated S3 buckets (though the app does give you the
option to remove authentication in the paid version). I would like the author
to clarify as to whether or not they confirmed that the videos uploaded by the
paid version can also be found in web searches, or if anyone here has also
verified this. As for the naming, a coworker pointed out you can simply search
for "GMT20200325" on Google / Youtube. Naming conventions get into the topic
of obfuscation, but it is not clear if the app is uploading these files to
searchable locations or users are doing this in reference to the article.

If this is just people uploading files manually to a public location, then it
is on them, not Zoom. Youtube is obviously end users and they should surely
know that is public. I can't imagine that many end users uploading to S3 or
even knowing what S3 is without setting proper permissions.

