29 votes

The Mac client for Zoom (video-conferencing app) allows any site to enable your camera and connect you to a call, and leaves a web server running on your machine even if you uninstall it

4 comments

  1. ammut
    This is a huge deal. Zoom has been taking strides to become the #1 conference platform. This will set them back quite a bit.

    9 votes
  2. Deimos
    A couple of official responses from Zoom:

    Blog post: Response to Video-On Concern

    "Public statement" (PDF): https://assets.zoom.us/docs/pdf/Zoom+Response+Video-On+Vulnerability.pdf

    5 votes
    1. spit-evil-olive-tips
      From their blog post:

      This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

      Bullshit.

      Fixed it for them:

      This is our attempt at circumventing a new security feature in Safari 12 that requires a user to confirm their intentions before a website could start up arbitrary code as that user on that machine. We believe that we're more important than this security feature, so we figured out a way to get around it. Our competitors also open up gigantic security holes in your system without telling you, so if this makes you feel like switching away from us to another video-conferencing provider, lol don't bother

      21 votes
  3. Deimos
    Zoom's response blog post has a number of updates at the top now, including saying that they released an update about an hour and a half ago that totally removes the local webserver.

    1 vote