12/21/2023
Zoom client for mac

If you have a Mac and you have ever used Zoom video conferencing, you might have a problem - though as of Thursday both Zoom and Apple say they’re fixing it.

On Monday, security researcher Jonathan Leitschuh publicly disclosed a vulnerability in the video-conferencing program Zoom that apparently would allow someone to turn on your Mac’s webcam and force you to join a Zoom call without your permission.

In a Medium post, Leitschuh said he initially disclosed the vulnerability to Zoom on March 26, 2019, but the company still failed to resolve it beyond an initial fix he’d first suggested. Here is, basically, what Leitschuh uncovered:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

As The Verge explains it, the Zoom app “installs a web server on Macs that accepts requests regular browsers wouldn’t.” In other words, if you have Zoom installed on your Mac - or if you ever had it - a website could spy on you or undertake a denial of service (DoS) attack, where a bad actor could basically hit a user with a barrage of meeting requests and lock up his or her computer.

On Monday, people started to try out the vulnerability … and it worked. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time.

Leitschuh said that when he initially flagged the vulnerability, Zoom defended itself by implying it wanted customers to be able to choose to join a meeting with their microphone and video automatically enabled. But if someone doesn’t get the option to join the meeting in the first place, that’s not much of a choice.

According to Leitschuh, Zoom made attempts to patch the vulnerability by preventing an attacker from turning on a video camera, but he was able to discover workarounds that would permit an attacker to force a target to join a call and activate their webcam.

This is a big deal: The flaw could expose up to 750,000 companies and the millions of people who use Zoom.

In response to a request for comment on Monday, Zoom initially pointed Recode to a blog post from the company’s chief information security officer Richard Farley, in which he disputed some of Leitschuh’s claims and downplays the severity of the vulnerability. But in a separate post on Wednesday, Zoom founder and CEO Eric Yuan said the company had “misjudged the situation” and failed to act quickly enough. He said that on Tuesday, Zoom had updated its Mac app to remove the local web server and allow users to manually uninstall Zoom, and on Wednesday, Apple itself issued an update to remove the Zoom web server from all Macs.

Farley on Monday explained how this happened in the first place: Zoom said it developed a local web server as a “workaround” after Apple changed its Safari web browser to require users to confirm they wanted to join video calls before launching them. He defended the decision as a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join-meetings, which is our key product differentiator.”

Yuan said Zoom has a “planned release” for the weekend that will “address video on by default.” Basically, when you use Zoom for the first time, you can select to always turn your video off, and that will be the saved preference.

Yuan said that to make sure something like this doesn’t happen again, that within the next few weeks it will go live with a program for the public to disclose system vulnerabilities and the company will take steps to improve its escalation process when issues are uncovered.
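The root of the problem described above is a localhost helper server that acted on any request a web page could cause the browser to send: no check of where the request came from, no user confirmation, video on by default, and nothing stopping a page from sending the same request in a loop. The following is an added example, not code from the article, from Zoom or from Leitschuh's write-up. It models that listener's decision logic in isolation (no real socket is opened): the open policy on the left of the comparison joins on sight, while the hardened policy checks the browser-supplied Origin header against an allowlist, hands the final decision to the user instead of joining silently, keeps video off unless the user opted in, and rate-limits per origin so repeated join requests cannot lock the machine. The endpoint path, the allowlisted origin, the meeting-number format and the limits are assumptions made for illustration.

```python
# Added example: models a localhost helper server's decision logic.
# Not code from the article, from Zoom, or from Leitschuh's write-up;
# paths, origins and limits are assumptions chosen for illustration.
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Request:
    """One HTTP request reaching the local listener (constructed in tests)."""
    origin: Optional[str]   # browser-supplied Origin header, None if absent
    url: str                # request target, e.g. /launch?confno=123456


@dataclass(frozen=True)
class Decision:
    action: str             # "join", "prompt" or "deny"
    video_on: bool = False
    reason: str = ""


def open_listener(req: Request) -> Decision:
    """Models the weak behaviour: every /launch request joins the meeting
    immediately with video on, no matter which page caused it."""
    parts = urlsplit(req.url)
    if parts.path != "/launch":
        return Decision("deny", reason="unknown path")
    confno = parse_qs(parts.query).get("confno", [""])[0]
    if not confno:
        return Decision("deny", reason="no meeting number")
    return Decision("join", video_on=True, reason="auto-join")


class HardenedListener:
    """Same endpoint with the controls a local helper server needs:
    origin allowlist, no silent join, video off unless opted in, and a
    per-origin rate limit so one page cannot flood the listener."""

    def __init__(self, allowed_origins, max_requests=5, window_s=10.0,
                 video_default=False):
        self.allowed = set(allowed_origins)
        self.max_requests = max_requests
        self.window_s = window_s
        self.video_default = video_default
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _rate_limited(self, key: str, now: float) -> bool:
        # Sliding window: drop timestamps older than window_s, then count.
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        return len(q) > self.max_requests

    def handle(self, req: Request, now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        # Rate-limit first so the limit also covers requests that will be
        # rejected for other reasons; a page hammering the port gets no
        # more work out of the listener than an honest one would.
        if self._rate_limited(req.origin or "<no-origin>", now):
            return Decision("deny", reason="rate limited")
        # Requests without an Origin (plain image/script fetches) or from
        # an unknown origin are refused outright.
        if req.origin not in self.allowed:
            return Decision("deny", reason="origin not allowed")
        parts = urlsplit(req.url)
        if parts.path != "/launch":
            return Decision("deny", reason="unknown path")
        confno = parse_qs(parts.query).get("confno", [""])[0]
        if not confno.isdigit():
            return Decision("deny", reason="bad meeting number")
        # Never join on a web page's say-so: the user confirms in the app.
        return Decision("prompt", video_on=self.video_default,
                        reason=f"ask user to join {confno}")


if __name__ == "__main__":
    page = Request(origin="https://attacker.example", url="/launch?confno=123456")
    print("open listener:", open_listener(page))
    hardened = HardenedListener(allowed_origins={"https://meetings.example"})
    print("hardened listener:", hardened.handle(page, now=0.0))
```

The rate limiter is keyed on the Origin header because the browser sets that header itself and page script cannot forge it; requests that carry no Origin at all share one bucket and are denied by the allowlist anyway. Keeping the confirmation step outside the listener (it only returns "prompt") is what removes the one-click auto-join that the workaround was built to provide.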