It turns out that Zoom is operating a cookie stored in the browser when uninstalling



Online video conferencing service Zoom reads and writes browser

cookies when uninstalling Windows clients, cybersecurity firm Threat Spike reported. The written cookie is set to be valid for 10 years, and it is pointed out that it violates the ePrivacy Directive that regulates Internet privacy in the EU (PDF).

ThreatSpike Blog: Zoom still don't understand GDPR
https://www.threatspike.com/blog/zoom_cookies.html

The demand for online video conferencing services due to the spread of the new coronavirus, Zoom is a significant year-on-year in the first quarter of 2021 fiscal year revenue growth achieved. On the other hand, Zoom has various security and privacy issues, and Google and SpaceX are taking steps to prevent using Zoom internally.

``Zoom'', an online video conferencing application with a series of security & privacy related issues-GIGAZINE



ThreatSpike has detected that the Zoom client for Windows is accessing the cookie of Google Chrome at the time of uninstall, so it conducted a survey on the operation performed by the Zoom client at the time of uninstall. ThreatSpike first erases the cookies stored in Chrome on Windows and then installs the Zoom client. From Chrome, I accessed several websites including Zoom's homepage 'https://zoom.us/' and accepted each cookie.

Then, after uninstalling Zoom's client and observing its operation, it was found that the contents of the cookie saved in Chrome were read. The Zoom client read not only the cookies stored by Zoom's website, but also the cookies of other websites. ThreatSpike concludes that these Zoom client behaviors are 'search operations to find cookies stored by Zoom's website.'



In addition, it was revealed that the Zoom client did not only read the cookie but also wrote it. Among the several cookies that were written, the one named 'zm_everlogin_type' was set to expire in 10 years. From the name 'everlogin', ThreatSpike guesses that the purpose of the cookie is to determine 'whether the user has logged in to Zoom' at the same time, and at the same time for the user who uninstalls Zoom, 'Login' It is against the ePrivacy Directive, which specifies that cookies should be stored for up to 12 months, which allows us to retain information about 'presence or absence' for 10 years.

Tracking user activity on the Internet is not a problem in itself, but it is the business's responsibility to respect the ePrivacy Directive and the EU General Data Protection Regulation (GDPR) and to provide a fair experience on the Internet, Threat Spike said. I am.

Related Posts:

in Software,   Web Service,   Security, Posted by darkhorse_log