by afloatboat 2264 days ago
Then again, how did this happen? In my scenario you have a product owner asking for specific functionality to be added, a (group of) developers gives their estimation of how much effort/time this will take and some time later it gets built.

So when the product owner asked the developers to add the ability to log in with Facebook, they looked at the technical documentation of the Facebook SDK, but probably not much thought went into how Facebook would channel through data even for non-Facebook users. And if the technical staff did not communicate this to the PO they might not have been technically savvy enough to consider this a problem/threat.

I don't want to defend Zoom, I've actually also been pushing against using it in our company. But I also don't agree with the idea that every bad thing that comes out of Zoom was done with malicious intentions. I think it speaks more about software development in general. Don't forget that every website with Google Analytics, Facebook Pixel, Facebook Like buttons or Twitter embeds has basically been doing the same thing for years.


I think it's extremely likely not a single one of their decisions was done with malicious intentions. But that's also the case for all the other software and systems out there riddled with security and/or privacy issues. Negligence and ignorance is way better than maliciousness, but is still really bad when you have so much power and reach.

The thing is it's impossible to tell. They deliberately turned off library verification security in their OSX app. They deliberately bypassed standard installation controls in that installer. The easiest way to hide a deliberate backdoor is to make it look like an oversight. So from a practical perspective it's sensible to treat the decisions as malicious, even if they weren't intended to be.