A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
[...] This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.
[...] According to Zoom, they will have a fix shipped by midnight tonight pacific time removing the hidden web server; hopefully this patches the most glaring parts of this vulnerability. The Zoom CEO has also assured us that they will be updating their application to further protect users privacy.
Proof of concept:
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
WARNING: Clicking this link starts a Zoom video call, no questions asked!
(Score: 2) by goodie on Wednesday July 10 2019, @01:38PM (1 child)
A third party was inviting me to use zoom for a videoconference in a couple of days. we'll use something else instead. I would not have known otherwise, so thanks SN :)
(Score: 2, Insightful) by Anonymous Coward on Wednesday July 10 2019, @01:53PM
Just don't install it on a pc with built in mic and camera. Mine are unplugged unless in use. The malware would have to do something fancy with using the speakers as a mic to work.