Zoom logo

Yesterday, security researcher Jonathan Leitschuh revealed a Zero Day security vulnerability in the popular video conferencing software Zoom. The basics of the seucirty vulnerability are two-fold:

One: Zoom installs a secret web server on ever Mac instance of their desktop app.

Two: A bad actor can forcibly make a user join a video conference, camera on, without the user consenting or even knowing that they are about to be joined into a conference.

I'll let you read the full details from Jonathan's post, but I want to hit on what I believe is the key reason this vulnerability exists. Convenience.

In the ever-important pursuit of user convenience, some companies lose sight of other equally (and often MORE) important issues. Issues like security. There is little doubt in my mind that the web server and the ability to easily join a meeting with video already on were convenience features built into Zoom. There are surely there because users complained about friction early on and Zoom found ways to make this friction disappear or decrease. Admittedly, Zoom had one of the best experiences of video conferencing software. However, it seems to have come at the cost of digital security and privacy.

The whole situation strikes me as very similar to Apple's FaceTime video bug. While there was never any confirmation of this, it seems very possible that said bug was actually a feature. Connecting a user to the FaceTime call before they actually answer would create an almost instant-connection experience when the user did answer. I can't say for sure this is what Apple was doing, but it's possible. Maybe even likely. And it further illustrates the point that convenience cannot supplant security.

The right solution is not always the easy solution. And the easy solution is often not an actual solution at all. In pursuit of convenience, companies need to ask themselves if they are actually building a better experience or if they are simply creating a security/privacy risk that will undo any convenience improvements the solution may have made.

Build for people. Interactions, experiences, all of it has to be designed with people in mind. But like it or not, people care about security and privacy. Enough, at least, to call you out when you fuck up. What that means to a company's bottom line varies by company. But the point is, people care. So build convenience, but build it right.