Case 5:20-cv-02893-VKD Document 1 Filed 04/27/20 Page 1 of 24

Eric H. Gibbs (SBN 178658)
Andre Mura (SBN 298541)
Amanda M. Karl (SBN 301088)
Jeffrey Kosbie (SBN 305424)
GIBBS LAW GROUP LLP
505 14th Street, Suite 1110
Oakland, California 94612
Telephone: (510) 350-9700
Fax: (510) 350-9701
ehg@classlawgroup.com
amm@classlawgroup.com
amk@classlawgroup.com
jbk@classlawgroup.com

Attorneys for Plaintiff and Proposed Class

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

STACEY SIMINS, on behalf of herself and all others similarly situated,
Plaintiff,

v.

ZOOM VIDEO COMMUNICATIONS, INC.,
Defendant.

Case No. 5:20-cv-2893

CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL
Plaintiff, on behalf of herself and all others similarly situated, alleges the following:

SUMMARY OF THE CASE

1. Zoom provides a video-conferencing service called Zoom Meetings. The video meetings ostensibly allow users to engage in video and audio conversations with only those specified people with whom they have chosen to communicate. Users reasonably expect these conversations to be private and secure, and these expectations are heightened by the very nature of Zoom Meetings, where users can not only be heard, but also seen.

2. Zoom has long cultivated the expectation that its service is both secure and private, and Zoom has grown its business and revenues based on that expectation. Among other things, Zoom has long marketed the service as being protected with end-to-end, 256-bit encryption, and has emphasized that it takes concrete steps to ensure privacy and security for its users.

3. But in reality, Zoom has failed to deliver private and secure video conferencing. The level of encryption Zoom provides is far less robust than what it promised. And a wide variety of security failings have jeopardized Zoom users’ privacy. These failings have enabled bad actors to join meetings without permission, to access web cameras surreptitiously, and to access many thousands of recorded Zoom meetings stored online. All the while, Zoom has actively shared information about its users with Facebook, despite failing to disclose that practice in its privacy policy.

4. Zoom’s conduct violates various state laws and has led to Zoom profiting unfairly at the expense of its customers. Plaintiff, as a paying customer, has brought suit on behalf of herself and all others similarly impacted, to force Zoom to deliver appropriate injunctive relief and remuneration.

PARTIES

5. Plaintiff Stacey Simins is a citizen and resident of Texas.

6. Defendant Zoom Video Communications, Inc., is a Delaware corporation with its principal place of business in San Jose, California.

JURISDICTION AND VENUE

7. This Court has jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d). There are at least 100 members in the proposed class, the aggregated claims of the individual class members exceed the sum or value of $5,000,000, exclusive of interest and costs, and at
least one class member is a citizen of a different state than Defendant Zoom. This Court has jurisdiction over supplemental state law claims pursuant to 28 U.S.C. § 1367.

8. This Court may exercise jurisdiction over Defendant because it is registered to conduct business in California; has sufficient minimum contacts in California; and intentionally avails itself of the markets within California through the promotion, sale, marketing, and distribution of its products, thus rendering the exercise of jurisdiction by this Court just and proper.

9. Venue is proper in this District under 28 U.S.C. § 1391 because Defendant is headquartered in this District, Defendant conducts substantial business in this District, and a substantial part of the events giving rise to Plaintiff’s claims occurred in this District.

INTRADISTRICT ASSIGNMENT

10. Assignment to the San Jose Division would be proper because Zoom is headquartered in San Jose, California, and a substantial part of the events or omissions which give rise to the claims alleged herein occurred there.

FACTUAL ALLEGATIONS

Background

11. Zoom was launched in 2011. The company provides video-conferencing capabilities to businesses and individuals.

12. The cornerstone of Zoom’s product line-up is Zoom Meetings.[1] Zoom Meetings provide video, voice, chat, and content sharing across mobile devices, desktops, laptops, telephones, and conference room systems. The Zoom Meetings are effectively calls made online, most commonly with video as well as audio. The meetings can have two participants or far more.[2]

13. Zoom Meetings integrates with numerous other widely used software tools, including Dropbox, Google, LinkedIn, Microsoft, Salesforce, and Slack. Zoom advertises unparalleled usability, making it “easy to start, join, and collaborate across any device” with “streamlined enterprise-grade video conferencing.”[3]

[1] https://investors.zoom.us/static-files/09a01665-5f33-4007-8e90-de02219886aa
[2] https://investors.zoom.us/static-files/09a01665-5f33-4007-8e90-de02219886aa
[3] https://web.archive.org/web/20200208202315/https://zoom.us/meetings
14. Zoom customers include global Fortune 50 companies and span industry sectors, including education, entertainment/media, enterprise infrastructure, finance, government, health care, manufacturing, non-profit/not for profit and social impact, retail/consumer products, and software/internet.[4] As of January 31, 2020, approximately 81,900 Zoom customers had more than 10 employees.

15. As of December 2019, Zoom had about 10 million peak daily Zoom Meeting participants. Following the rapid adoption of Zoom due to COVID-19 related closures, in March 2020 Zoom reported daily meeting participants topped 200 million.[5]

16. Zoom users can access Zoom Meetings by creating an account. Zoom offers a basic account level for free, and it charges between $14.99 and $19.99 per month, per host, for accounts that come with additional features, including the ability to host more participants and to conduct meetings lasting longer than 40 minutes. Zoom users can pay for additional add-on features, including additional cloud storage and support for conference rooms. In addition, Zoom offers education and healthcare plans with their own pricing.

Users Reasonably Expect Security and Privacy When Using Zoom

17. Because of the very nature of Zoom Meetings, users expect and understand that the service comes with privacy and security features. Like talking on the phone, communicating by video conference is generally understood to be a private matter. Users reasonably expect that their communications will only be heard and seen by those that the users know they are communicating with in the meeting.

18. Zoom understands that user privacy and security are important for its customers. As Zoom put it in a June 2019 security guide, “Zoom places security as the highest priority in the operations of its suite of products and services.”[6] At least as far back as November 2019, Zoom’s security webpage acknowledged that “millions of people and organizations trust us with their communications.”[7]

[4] https://investors.zoom.us/static-files/09a01665-5f33-4007-8e90-de02219886aa
[5] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
[6] https://web.archive.org/web/20200331082306/https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
[7] https://web.archive.org/web/20191104094251/https://zoom.us/security
19. Not only does Zoom know its users expect privacy and security, Zoom actively cultivates that expectation. Zoom’s June 2019 security guide tells users it “strives to continually provide a robust set of security features and practices to meet the requirements of businesses for safe and secure collaboration.”[8] Since November 2019, its security webpage has told users that Zoom is “proud to exceed industry standards when it comes to your organizations communications.”[9] And since at least October 2018, the product webpage for Zoom Meetings has promised that it was “built for modern teams” and allowed users to “meet securely” with end-to-end encryption and other security features and settings.[10]

20. Zoom’s blog includes numerous entries regarding Zoom’s security features, stating, for example, “ensuring the privacy and security of our users and their data is our top priority”[11] and “Zoom is able to give hosts and attendees the security they need to communicate confidently and securely over any device.”[12]

21. In addition to these statements acknowledging the importance of privacy and security, Zoom tells users “how Zoom secures your data and protects your privacy.”[13] Of particular emphasis, Zoom tells potential and current users that Zoom uses “encryption for all meetings.”[14] And in particular, beginning at least in July 2017, Zoom claimed to provide “industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys to protect meetings.”[15]

22. Zoom has emphasized the end-to-end and 256-bit AES encryption both generally and in the context of meetings involving entities in the fields of education, finance, government, and healthcare—all of which require privacy and security. On July 12, 2019, in a blog post titled “The Rise of Cloud Video Conferencing in Financial Services,” Zoom identified compliance and security, including encryption and security certifications, as one of the capabilities that financial services looked for in evaluating video conferencing services.[16] So, on its finance webpage, Zoom advertises “multi-layer security with 256-bit AES encryption, data sovereignty, and role-based access control;”[17] its government and education pages explain that “Zoom enables FERPA/HIPAA compliance and provides 256-bit encryption;”[18] and its healthcare page claims “HIPAA (signed BAA) and PIPEDA/PHIPA compliance with 256-bit AES encryption.”[19] Prior to April 2020, going back at least to March 2019, these webpages all advertised “end-to-end 256-bit AES encryption.”[20]

23. Zoom also advertises security and encryption features on its plans and pricing page. Prior to April 2020, and at least as far back as July 2017, the Security listing on this page included “AES 256 bits encryption: [e]nd to end security is an added layer of application security. Zoom can encrypt all presentation content at the application layer using the Advanced Encryption Standard (AES) 256-bit algorithm.”[21]

Zoom Broke Its Promises and Failed to Protect Security and Privacy

24. Despite its promises, and its knowledge of its users’ expectations, Zoom has consistently failed to protect its users’ security and privacy.

Zoom Failed to Provide the Encryption It Promised

25. Despite its unequivocal representations, Zoom never provided end-to-end encryption for Zoom meetings.

26. A Zoom spokesperson recently acknowledged that Zoom did not actually have the ability “to enable [end-to-end] encryption for Zoom video meetings.”[22]

27. Instead, what Zoom was claiming to be end-to-end encryption is commonly referred to as transport encryption. With end-to-end encryption, only the participants in a Zoom meeting would have the keys required to decrypt meeting content. With transport encryption, data is encrypted as it travels over the Internet, but Zoom itself has access to the encryption keys.

[8] https://web.archive.org/web/20200331082306/https:/zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
[9] https://web.archive.org/web/20191104094251/https://zoom.us/security
[10] https://web.archive.org/web/20181028201834/https://www.zoom.us/meetings
[11] https://blog.zoom.us/wordpress/2020/03/29/zoom-privacy-policy/
[12] https://blog.zoom.us/wordpress/2019/12/04/hosts-admins-secure-zoom-meeting-experience/
[13] https://zoom.us/docs/en-us/privacy-and-security.html
[14] https://zoom.us/meetings
[15] https://web.archive.org/web/20200406001952/https://zoom.us/meetings
[16] https://blog.zoom.us/wordpress/2019/07/12/rise-of-cloud-video-conferencing-in-financial-services/
[17] https://zoom.us/finance
[18] https://zoom.us/education, https://zoom.us/government
[19] https://zoom.us/healthcare
[20] https://web.archive.org/web/20190211182832/https://www.zoom.us/finance, https://web.archive.org/web/20181028201833/https://zoom.us/education, https://web.archive.org/web/20190314004506/https://zoom.us/government, https://web.archive.org/web/20181205050841/https://www.zoom.us/healthcare
[21] https://web.archive.org/web/20170703052830/https://zoom.us/pricing
[22] https://theintercept.com/2020/03/31/zoom-meeting-encryption/
28. Providing end-to-end encryption is possible in video meetings. In fact, despite any technical challenges in implementing end-to-end encryption, Apple’s FaceTime does so.[23]

29. And in the period during which Zoom was telling customers its meetings were end-to-end encrypted, Zoom never presented them with the caveat that what Zoom was claiming to be end-to-end encryption was what the rest of the industry called transport encryption. As Zoom’s chief product officer Oded Gal recently admitted, the company had instead “incorrectly suggest[ed] that Zoom meetings were capable of using end-to-end encryption.”[24]

30. Not only did the lack of end-to-end encryption raise the concern that Zoom or its employees would access meeting content, it also raised the concern that other third parties, including governments, might do so. The Intercept reported that Zoom has failed to publish transparency reports, which enumerate the government requests for data it receives, from which countries, and which of those it complies with.[25]

31. For example, a Citizen Lab report found that some Zoom Meetings with participants in North America were routed through servers in China, as were the encryption keys used to secure those calls.[26] Due to Zoom’s failure to implement true end-to-end encryption, state operators in China could have had access to the unencrypted meeting data. Shortly after the Citizen Lab report, Zoom acknowledged “it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.”[27] Although Zoom software typically connects to datacenters near a user’s region, during heavy network traffic Zoom uses servers in other regions too, and as Zoom began rapidly expanding capacity in February 2020, it included servers in China on the whitelist of potential servers for clients outside of China. Zoom admitted that these servers should never have been on the whitelist for backup servers available to clients outside of China.

32. The lack of end-to-end encryption was not Zoom’s only broken promise relating to encryption. On April 3, 2020, the Citizen Lab at the University of Toronto revealed that Zoom did not

[23] https://theintercept.com/2020/03/31/zoom-meeting-encryption/
[24] https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
[25] https://theintercept.com/2020/03/31/zoom-meeting-encryption/
[26] See also https://techcrunch.com/2020/04/03/zoom-calls-routed-china/
[27] https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/
use AES-256 encryption as it had advertised.[28] Instead, Citizen Lab discovered, Zoom used an AES-128 key for its encryption. AES-256 vs. 128 refers to the length of the encryption key, and a 256-bit key is exponentially stronger than a 128-bit key.[29]

33. Even worse, Citizen Lab explained, Zoom used an in-house implementation of the algorithm in ECB mode. ECB mode encrypts each block of data independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns from the original file survive in the encrypted version, as illustrated below:[30]

34. In response to the concerns raised by Citizen Lab, Zoom CEO Eric Yuan admitted “we can do better with our encryption design.”[31]
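The pattern leakage paragraph 33 describes, shown as an added example that is not code from the complaint, from Zoom or from Citizen Lab: a toy 16-byte Feistel block cipher keyed through SHA-256 stands in for AES (an assumption; the leak comes from the mode, not the cipher), a constructed flat-colour "frame" is encrypted in ECB and in CBC, and the duplicate-block ratio at the end is the check an analyst runs over captured ciphertext to recognise ECB.

```python
import hashlib
import os
from typing import List, Optional

BLOCK = 16  # 16-byte blocks, the same block size as AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: first 8 bytes of SHA-256(key || round || half)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on one 16-byte block (stands in for AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt by running the Feistel rounds backwards."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted on its own with the same key, so equal
    plaintext blocks become equal ciphertext blocks and structure leaks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))

def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so repeats in the plaintext do not show. IV is prepended."""
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    chunks = _blocks(ciphertext)
    prev, plain = chunks[0], []
    for c in chunks[1:]:
        plain.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(plain))

def duplicate_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte ciphertext blocks that repeat an earlier block.
    A value well above zero on structured input is the classic sign of ECB;
    a properly used mode (CBC, CTR, GCM) stays at about 0 on any input."""
    chunks = _blocks(ciphertext)
    return 1.0 - len(set(chunks)) / len(chunks) if chunks else 0.0

# Constructed sample input: a "video frame" made of flat colour regions, the
# kind of repetitive data on which ECB's pattern leakage is most visible.
FRAME = (b"\x00" * BLOCK * 4 + b"\xff" * BLOCK * 4) * 4
KEY = b"constructed-demo-key"  # constructed for the demo, not a real key

def demo() -> dict:
    """Encrypt FRAME both ways, check round trips, return duplicate ratios."""
    ecb, cbc = ecb_encrypt(KEY, FRAME), cbc_encrypt(KEY, FRAME)
    assert ecb_decrypt(KEY, ecb) == FRAME and cbc_decrypt(KEY, cbc) == FRAME
    return {"ecb": duplicate_block_ratio(ecb), "cbc": duplicate_block_ratio(cbc)}

if __name__ == "__main__":
    print(demo())  # ECB ratio about 0.909 for this frame, CBC ratio 0.0
```

With 33 padded blocks holding only three distinct plaintext values, ECB emits just three distinct ciphertext blocks, which is exactly the shape-preserving effect the illustration in the complaint is meant to show.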
Zoom Failed to Provide Private and Secure Meetings

35. Beyond its broken promises regarding encryption, there have been many indications that Zoom’s meetings were not as private and secure as reasonable users would have expected.

Zoom’s Waiting Room Has Not Been Secure

36. Citizen Lab issued reports on April 3 and April 8, 2020, concerning “a security issue with Zoom’s Waiting Room feature.”

37. Zoom advertises Waiting Rooms as an additional security feature. In a February 2020 blog post, Zoom explained that waiting rooms are “a virtual staging area that prevents people from joining a meeting until the host is ready.”[32] With the waiting room feature enabled, the meeting host

[28] https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
[29] https://www.rapidsslonline.com/blog/encryption-strength-128-bit-ssl-vs-256-ssl/
[30] https://securityboulevard.com/2020/04/simple-illustration-of-zoom-encryption-failure/
[31] https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/
[32] https://blog.zoom.us/wordpress/2020/02/14/secure-your-meetings-zoom-waiting-rooms/
must “admit” all users to the meeting before they gain access to the video chat. Meeting hosts can also kick people out of the video chat, sending them back to the waiting room.

38. Citizen Lab reported that when a user joined a Zoom Meeting waiting room, Zoom sent the video data stream and decryption key to the user’s computer.[33] This could allow the user to extract and decrypt the video data stream, allowing them to view the meeting video without being admitted to the meeting.

Zoom Bypasses Mac Security

39. Zoom has also recently admitted to several security vulnerabilities.

40. For instance, a security researcher named Jonathan Leitschuh pointed out that a security flaw enabled third parties to both enable and access the webcam in Zoom meetings on Mac computers.[34] This could trigger a computer to automatically launch a Zoom meeting with no notification to the computer’s user.[35] Zoom’s video-on preferences increased the danger. Unless a user disabled that default setting, a third party could set Zoom to launch with video on. As a result, Mr. Leitschuh explained, an attacker exploiting this vulnerability could use Zoom to access a user’s video feed without the user’s knowledge.

41. Further, Mr. Leitschuh disclosed, this same vulnerability would have allowed an attacker to engage in a denial-of-service attack by repeatedly joining a user to an invalid call.[36] If an attacker initiated a denial-of-service attack exploiting this vulnerability, the Zoom app would constantly request “focus” from the OS, disrupting the user’s ability to continue using their computer.

42. This security flaw resulted from the way in which Zoom is installed on a Mac computer. The installation creates a local web server that is undocumented and undisclosed. This web server can not only launch a Zoom meeting, but also can re-install the Zoom app even after a user had uninstalled it. With the web server installed, the Zoom app could be used to bypass the web browser’s security prompt to launch a Zoom meeting.

[33] https://citizenlab.ca/2020/04/zooms-waiting-room-vulnerability/
[34] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
[35] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
[36] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
43. In a July 8, 2019 blog post, Zoom acknowledged the security flaw and said that it had intentionally created the web server. Zoom claimed the web server could function as “a workaround to a change introduced in Safari 12 [the MacOS web browser] that requires a user to confirm that they want to start the Zoom client prior to joining every meeting.”[37]

44. Two days later, Zoom CEO Eric Yuan admitted that “we misjudged the situation” and said Zoom would remove the web server installed on Mac clients.[38] On the same day as Yuan’s blog post, Apple released an automatic MacOS update to uninstall the web server.[39] According to security researcher Patrick Wardle, this is the only known instance in which Apple used its Malware Removal Tool against a popular app.[40]

45. A distinct security vulnerability emerged publicly in March 2020, when security researchers Felix Seele and Patrick Wardle revealed problems with the installer for Zoom’s Mac client. First, Seele disclosed that Zoom’s Mac installer used preinstallation scripts to install Zoom without a user ever clicking install.[41] Once a user opened the Zoom installer on MacOS, preinstallation scripts would unpack and install Zoom without the user intentionally installing the app.

46. Seele described the flaw as “very shady” and said it “definitely leaves a bitter aftertaste.” The app is installed without the user consenting, via a highly misleading prompt to gain root privileges. Per Seele, these are “[t]he same tricks that are being used by macOS malware.”[42]

47. Zoom’s CEO responded to Seele’s original post via Twitter, saying, “Your point is well taken and we will continue to improve.”[43] Two days later, Zoom issued a new installer that purportedly addressed the security flaws identified by Seele.[44]

48. In response to Seele’s disclosure, Wardle further tested the Zoom Mac installer and concluded that the Mac OS installer created a vulnerability that would allow attackers to gain root privileges within MacOS.[45] Wardle also identified a separate vulnerability in the Zoom MacOS app

[37] https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
[38] https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/
[39] https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
[40] https://objective-see.com/blog/blog_0x56.html, https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
[41] https://twitter.com/c1truz_/status/1244737672930824193, https://objective-see.com/blog/blog_0x56.html
[42] https://objective-see.com/blog/blog_0x56.html
[43] https://twitter.com/ericsyuan/status/1245104758240632832
[44] https://www.theverge.com/2020/4/2/21204648/zoom-macos-installer-update-privacy-security-concerns
[45] https://objective-see.com/blog/blog_0x56.html
that would allow an attacker to piggyback off of Zoom’s access to gain access to a user’s webcam and microphone.

49. Zoom acknowledged the security flaws identified by Wardle. As part of an April 2, 2020 product update, Zoom said it “Resolved an issue where a malicious party with local access could tamper with the Zoom installer to gain additional privileges to the computer [and] Resolved an issue where a malicious party with local access could gain access to a user’s webcam and microphone.”[46]

Zoom Bypasses Security on Cisco Endpoints

50. On November 25, 2019, Cisco published a blog post[47] alerting its customers to a vulnerability created by Zoom that provided an access point attackers could use to control a Cisco video endpoint, located inside a corporate firewall, without obtaining authentication.[48] Cisco said the Zoom feature was “not a Cisco supported solution that meets our standards of enterprise-grade security.”[49]

51. The security flaw stemmed from how Zoom implemented its connection to the Cisco video endpoint. The Zoom Connector used Cisco video endpoints to join Zoom meetings. A user would install the Zoom Connector on a Windows server located inside an organization’s firewall. During the installation, the user entered passwords for the Cisco video endpoint. The credentials were stored in the Zoom Connector so that the Connector could control the Cisco video endpoint.

52. The Zoom Connector also created a unique URL for each Cisco video endpoint. By navigating to one of these URLs on the Zoom cloud, a user could then control the Zoom Connector, and via the Zoom Connector, control the Cisco video endpoint. This URL was unsecured and allowed anyone with the URL to control the Cisco video endpoint. Security analyst Brent Kelly explained, “[t]he Zoom Connector essentially creates a sort of tunnel between the [Cisco] video endpoint browser interface and the Zoom cloud.”[50]

53. In a November 26, 2019 blog post, Zoom admitted “If a bad actor were to . . . obtain that URL, for example through an exploit of the administrator’s browser, they could access the device

[46] https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-macOS
[47] https://blogs.cisco.com/collaboration/our-focus-on-security-in-an-open-collaboration-world
[48] https://www.nojitter.com/video-collaboration-av/zoom-gives-way-video-device-security-breach-again
[49] https://blogs.cisco.com/collaboration/our-focus-on-security-in-an-open-collaboration-world
[50] https://www.nojitter.com/video-collaboration-av/zoom-gives-way-video-device-security-breach-again
administration functions without logging in. The URL would continue to be accessible even after the administrator had logged out or changed their password on the Zoom web portal.”[51]

Recorded Zoom Meetings Accessible Online

54. Zoom allows meeting hosts to record videos and save them to their computer or online. Other meeting participants are notified when the host starts to record but are not required to consent to the recording.

55. Due to lax security protocols, Zoom did not password-protect recorded meetings by default and exacerbated the problem by defaulting to nearly identical naming structures for every recording.

56. As a result, thousands of recorded Zoom meetings have been viewable on the Internet. These recorded meetings were stored online without a password.[52] One search for recordings, using Zoom’s default naming convention, revealed more than 15,000 results.[53] The Washington Post reported that the accessible recorded meetings included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices, and personal details were exposed.[54] Per the Washington Post, “Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes. Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax.”[55]

57. The Washington Post reported that “because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos elsewhere that anyone can download and watch.”[56] The article reported that several participants in the videos were contacted for comment, and they said they had no idea how their videos became available online.[57]

Zoom Meetings Have Been Frequently Invaded by Malicious Actors

[51] https://blog.zoom.us/wordpress/2019/11/26/zoom-connector-resolved-security-issue/
[52] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
[53] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
[54] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
[55] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
[56] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
[57] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
58. Zoom created a default setting that permits all meeting participants to share their screens. As a result, attackers have had the ability to send any image or material to all participants in a meeting.

59. This led to such common abuse that various reports have noted a trend in what is now known as “Zoombombing,” a practice in which attackers join Zoom meetings and then broadcast indecent content, hate symbols, or other shocking images.

60. Zoombombers can not only access meetings through publicly shared meeting links, but may also access them by using automated software that attempts possible Zoom Meeting IDs.[58] Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Hackers can simply automate the guessing of random IDs within that space of digits. Security experts at Check Point Research found they could predict about four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting. As one security article put it, “a crazy number of meetings . . . are not being protected by a password.”[59]

61. Zoom had also failed to block repeated attempts to scan for meeting IDs. And Zoom software automatically indicated whether a meeting ID was valid or invalid, which had the effect of facilitating would-be Zoombombers in their efforts to access meetings.

62. Trent Lo, a security professional, worked with others to demonstrate the ability to access Zoom meeting room information without having to log in. Lo said Zoombombers could thus readily find approximately 100 meetings per hour, and with added resources, would-be Zoombombers “could probably discover most of the open Zoom meetings on any given day.” Per Lo, his success rate of opening a random meeting was 14 percent. Only password-protected meetings could not be accessed. But Zoom had not previously enabled passwords by default in all meetings.

[58] https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/
[59] https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/