
SoylentNews is people

posted by chromas on Wednesday July 10 2019, @11:47AM   Printer-friendly
from the Now-you-see-me-now-you-still-do dept.

InfoSec Write-ups:

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

[...] This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.

[...] According to Zoom, they will have a fix shipped by midnight tonight Pacific time removing the hidden web server; hopefully this patches the most glaring parts of this vulnerability. The Zoom CEO has also assured us that they will be updating their application to further protect users' privacy.

Proof of concept:
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
WARNING: Clicking this link starts a Zoom video call, no questions asked!


  • (Score: 2) by pkrasimirov on Wednesday July 10 2019, @03:00PM (3 children)

    Macs get video and audio spying, Windows -- only audio. Both are vulnerable.

    Another misunderstanding: If you don't click on Zoom links you are fine. That's not true; as demonstrated by the security researcher, any website can add a hidden iframe to a Zoom "meeting" and the users will "auto-join".

  • (Score: 0) by Anonymous Coward on Wednesday July 10 2019, @03:57PM (2 children)

    Won't you notice when Zoom starts running?

    • (Score: 2) by Mykl on Wednesday July 10 2019, @09:19PM (1 child)

      Yes, it's pretty obvious that Zoom has launched. This exploit ('feature') is pretty bad, but it's not really at 'spyware' level.

      • (Score: 2) by Mykl on Wednesday July 10 2019, @09:23PM

        Sorry, forgot to add:

        But the thing I find most disturbing out of all of this is the webserver that is left behind after an uninstall, WITHOUT INFORMING THE USER. That's just poor form, and I would hope that Apple would be having a 'little chat' about the developer's license and access to the App Store following that.