from the Now-you-see-me-now-you-still-do dept.
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
[...] This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
On top of this, this vulnerability would have allowed any webpage to DoS (denial-of-service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.
[...] According to Zoom, they will have a fix shipped by midnight tonight Pacific time removing the hidden web server; hopefully this patches the most glaring parts of this vulnerability. The Zoom CEO has also assured us that they will be updating their application to further protect users' privacy.
Proof of concept:
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
WARNING: Clicking this link starts a Zoom video call, no questions asked!
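The practical question for anyone administering Macs is whether the leftover localhost web server described above is still present on a given machine. The script below is an added example, not code from the researcher's write-up or from Zoom: it parses `lsof` listener output for a process bound to the daemon's port, checks for the daemon bundle on disk, and removes it. The port (19421), the daemon name (ZoomOpener) and the directory (`~/.zoomus`) are taken from the researcher's full write-up rather than the excerpt quoted here, so treat them as assumptions to verify on your own machine.

```shell
#!/bin/sh
# Added example: check a Mac for the leftover Zoom localhost web server and optionally
# remove it. Port, daemon name and path come from the researcher's full write-up, not
# from the excerpt on this page; treat them as assumptions.
ZOOM_PORT=19421            # assumed: port the ZoomOpener daemon listened on
ZOOM_DAEMON=ZoomOpener     # assumed: process name of the daemon
ZOOM_DIR=.zoomus           # assumed: directory under $HOME holding ZoomOpener.app

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print "COMMAND PID" for every
# process listening on the given port (default ZOOM_PORT). lsof truncates COMMAND to
# nine characters ("ZoomOpene"), so match on the port rather than on the name.
# Exit status 0 if a listener was found, 1 otherwise.
find_zoom_listener() {
  awk -v port="${1:-$ZOOM_PORT}" '
    NR > 1 && $NF == "(LISTEN)" {
      addr = $(NF - 1)               # e.g. 127.0.0.1:19421 or [::1]:19421
      sub(/.*:/, "", addr)           # keep only the port after the last colon
      if (addr == port) { print $1, $2; found = 1 }
    }
    END { exit(found ? 0 : 1) }'
}

# Exit 0 if the daemon bundle is still on disk under the given home directory.
zoom_leftovers_present() {
  [ -d "${1:-$HOME}/$ZOOM_DIR/$ZOOM_DAEMON.app" ]
}

# Stop the daemon if it is running and delete its directory under the given home
# directory. Zoom's own patch removed the server; this is for machines that never got it.
remove_zoom_daemon() {
  home="${1:-$HOME}"
  if command -v pkill >/dev/null 2>&1; then
    pkill -x "$ZOOM_DAEMON" 2>/dev/null || true   # exit 1 only means it was not running
  fi
  rm -rf "$home/$ZOOM_DIR"
  ! zoom_leftovers_present "$home"
}

# Live usage on a Mac:  sh zoomopener-check.sh --check    or    sh zoomopener-check.sh --fix
# Nothing runs when the script is invoked without arguments.
case "${1:-}" in
  --check)
    lsof -nP -iTCP -sTCP:LISTEN | find_zoom_listener && echo "listener found on port $ZOOM_PORT"
    zoom_leftovers_present && echo "$HOME/$ZOOM_DIR/$ZOOM_DAEMON.app is still present"
    ;;
  --fix)
    remove_zoom_daemon && echo "removed $HOME/$ZOOM_DIR"
    ;;
esac
```

Matching on the port rather than the process name is deliberate: besides the truncation, a renamed binary would still have to bind the port for the iframe trick to work, so the listener is the more reliable indicator.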
Related Stories
Zoom has had a meteoric rise as a result of the SARS-CoV-2 outbreak. Jitsi and other useful teleconferencing tools are not very well known, though still widely used. Nearly all the buzz has been about the newcomer instead, but few have actually evaluated it. One group has. The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at the University of Toronto, has investigated Zoom briefly, covering both the technology, especially the weaknesses in its encryption, and the company itself:
Key Findings
- Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
- The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
- Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
In a nutshell, throughout the mad rush to adopt teleconferencing software, due diligence has been largely abandoned: licenses go unread and software unevaluated. More scrutiny was needed, and still is, when acquiring and deploying software. That goes double for communications software.
Previously:
- Elon Musk's SpaceX Bans Zoom over Privacy Concerns (2020)
- Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For (2020)
- Working from Home: Lessons Learned Over 20 Years (2020)
- Conferencing Application Zoom Allows Remote Activation of Your Mic and Cam Without Questions (2019)
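The Citizen Lab finding above says ECB mode preserves plaintext patterns. The script below, added here as an example and not part of the Citizen Lab report or of Zoom's software, makes that concrete with the openssl command-line tool (assumed installed): the same three-block message, whose first and third blocks are identical, is encrypted under AES-128-ECB and AES-128-CBC with a constructed key and IV, and the number of distinct ciphertext blocks is counted.

```shell
#!/bin/sh
# Added example: why the ECB mode in Citizen Lab's finding is a problem. Needs the
# openssl command-line tool (assumed present). Key, IV and plaintext are constructed
# for the demo; none of them come from Zoom.
KEY=000102030405060708090a0b0c0d0e0f       # 16-byte demo key, hex
IV=00000000000000000000000000000000        # zero IV, used only for the CBC comparison
# Three 16-byte plaintext blocks; the first and third are identical, standing in for a
# repeated region of a video frame or a silent stretch of audio.
PT='AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA'

# Encrypt $PT with the named openssl cipher and print the ciphertext as hex,
# one 16-byte block per line. -nopad keeps the output at exactly three blocks.
encrypt_blocks() {
  mode="$1"
  ivopt=""
  case "$mode" in *-ecb) ;; *) ivopt="-iv $IV" ;; esac
  printf '%s' "$PT" | openssl enc "-$mode" -K "$KEY" $ivopt -nopad \
    | od -An -v -tx1 | tr -d ' \n' \
    | awk '{ for (i = 1; i <= length($0); i += 32) print substr($0, i, 32) }'
}

# Number of distinct ciphertext blocks. Under ECB identical plaintext blocks give
# identical ciphertext blocks, so this drops to 2; under CBC it stays at 3.
distinct_blocks() {
  encrypt_blocks "$1" | sort -u | wc -l | tr -d ' '
}

# Usage: sh ecb-demo.sh
if command -v openssl >/dev/null 2>&1; then
  for mode in aes-128-ecb aes-128-cbc; do
    echo "$mode: $(distinct_blocks "$mode") distinct ciphertext blocks"
    encrypt_blocks "$mode"
  done
fi
```

In a real media stream the repeats are whole regions of a frame, which is why an ECB-encrypted image still shows the outline of the original. Any mode that chains or counters across blocks hides the repetition; CBC is used here only for the contrast, and a modern design would use an AEAD mode such as AES-GCM so that tampering is detected as well.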
(Score: 1, Funny) by Anonymous Coward on Wednesday July 10 2019, @12:24PM (6 children)
I use Windows(tm)
(Score: 3, Funny) by coolgopher on Wednesday July 10 2019, @01:04PM (1 child)
Ah, so you opt for front-dooring instead! :D
(Score: 1, Touché) by Anonymous Coward on Wednesday July 10 2019, @01:38PM
You can try to look in my Windows, but my front door is locked (tape over the laptop camera).
(Score: 2) by pkrasimirov on Wednesday July 10 2019, @03:00PM (3 children)
Macs get video and audio spying, Windows -- only audio. Both are vulnerable.
Another misunderstanding: "If you don't click on Zoom links you are fine." That's not true: as demonstrated by the security researcher, any website can add a hidden iframe to a Zoom "meeting" and the users will "auto-join".
(Score: 0) by Anonymous Coward on Wednesday July 10 2019, @03:57PM (2 children)
Won't you notice when zoom starts running?
(Score: 2) by Mykl on Wednesday July 10 2019, @09:19PM (1 child)
Yes, it's pretty obvious that Zoom has launched. This exploit ('feature') is pretty bad, but it's not really at 'spyware' level.
(Score: 2) by Mykl on Wednesday July 10 2019, @09:23PM
Sorry, forgot to add:
But the thing I find most disturbing out of all of this is the webserver that is left behind after an uninstall, WITHOUT INFORMING THE USER. That's just poor form, and I would hope that Apple would be having a 'little chat' about the developer's license and access to the App Store following that.
(Score: 2) by goodie on Wednesday July 10 2019, @01:38PM (1 child)
A third party was inviting me to use Zoom for a videoconference in a couple of days. We'll use something else instead. I would not have known otherwise, so thanks SN :)
(Score: 2, Insightful) by Anonymous Coward on Wednesday July 10 2019, @01:53PM
Just don't install it on a PC with a built-in mic and camera. Mine are unplugged unless in use. The malware would have to do something fancy with using the speakers as a mic to work.
(Score: 4, Funny) by All Your Lawn Are Belong To Us on Wednesday July 10 2019, @02:12PM (2 children)
I just got this email from a dude who said I've been haxxored and he filmed me watching videos and I'm supposed to know the kind he means... I've got Zoom on my system so now I guess I have to pay him 1 BTC so that my dirty little secret won't be exposed!!!!!
Who knew that a Taylor Swift and Meghan Trainor addiction could become so expensive?????
This sig for rent.
(Score: 0) by Anonymous Coward on Thursday July 11 2019, @12:25AM
I'm sure both girls 'mow their lawns' bald, so no more lawn for you.
(Score: 0) by Anonymous Coward on Thursday July 11 2019, @03:02AM
Did you see the one where they did that to a guy, threatened to send pictures of him naked and wanking to family and friends, for which his reply amounted to "they already know"?
(Score: 0) by Anonymous Coward on Wednesday July 10 2019, @07:21PM
Translation: What?!? These people have a huge team of lawyers already lined up to take this class action suit? Please don't sue the shit out of us!!!
(Score: 0) by Anonymous Coward on Wednesday July 10 2019, @09:57PM (1 child)
If you're using closed-source software for critical business functions you deserve to be compromised and have all your enemy funds taken.
(Score: 1) by agr on Thursday July 11 2019, @07:34AM
Apple has already fixed the problem. How long do FOSS fixes take?