Video conferencing app Zoom has a major security flaw in its Mac client,video lucah artis indonesia maya estiyanty letting any website turn on your Mac's camera without a warning, security researcher Jonathan Leitschuh claims.
In a blog post Monday, Leitschuh detailed the vulnerability, which he says he'd disclosed to Zoom more than 90 days ago, and the company still hasn't fixed it.
SEE ALSO: Google Nest camera security flaw allows former owners to observe others' homesThe problem lies in Zoom's usage of a web server on users' local machines. This makes some of Zoom's cool features possible, for example, clicking on a simple link in your web browser automatically starts up the app.
Having an app install and run a web server on a user's machine with an undocumented API "feels incredibly sketchy," Leitschuh says. But there's more. According to Leitschuh, "this web server can do far more than just launch a Zoom meeting. (...) this web server can also re-install the Zoom app if a user has uninstalled it."
This is bad by itself, but Leitschuh discovered a vulnerability that let him launch a Zoom call, with video enabled, on a user's machine without permission. The same vulnerability allows the attacker to perform a DOS (denial of service) type attack on a user's machine.
Leitschuh says that he'd contacted Zoom on March 26, offering the company a quick fix for the vulnerability. After a lot of back and forth, Zoom partially fixed the flaw, but Leitschuh was able to bypass their fix, after which the company offered no additional fix. The security issue is still present in the latest version of Zoom for Mac, 4.4.4.
In a blog post Monday, Zoom defended its app's functionality, claiming that users are prompted to turn their video off when joining their first meeting, and can set the video to off in subsequent meetings; if they do so, it would be impossible for the host or other participants to turn their camera on. Furthermore, Zoom claims, "because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately."
The company said they will give users more control of their video settings in an upcoming, July 2019 release.
The company also addresses the presence of the web server on user machines, saying it's a "workaround to a change introduced in Safari 12" and a "legitimate solution to a poor user experience problem."
Zoom has assessed that both the video call issue and the DOS issue were "low risk," which is why the company decided not to change the app's functionality. The company also promised it will launch a public vulnerability disclosure program in the "next several weeks."
The main question users should be asking themselves is whether they want to sacrifice their system's security for a bit of added functionality -- likely, functionality they can live without. Zoom's ability to re-install itself without user permission after it's been uninstalled is particularly worrisome. Since there's no official fix for the issue, you can remove Zoom's web server from your machine by following the steps described in Leitschuh's post.
Topics Cybersecurity
Previous:Story of Struggle
OBITUARY: George Aki, 103; 442nd RCT Army Chaplain
The very best Instagram posts of 2019 (so far)
The biggest asteroids to ever hit Earth were terrifying
Donald Trump Jr.'s worst moments of 2019 (so far)
Hiroshi Miyamura 2018 Scholarships
How astronauts make Thanksgiving dinner in space
Here are the best memes of 2019 (so far)
Brazen L.A. hawk refuses to leave the hood of a moving car
Keiro Awards $500k in Grants to 41 Nonprofit Organizations
Donald Trump Jr.'s worst moments of 2019 (so far)
JACL Responds to Convention Hotel’s Use of Slur on Receipt
How the internet gave me a vaginal tightness complex
Eliza Byard fights so that every LGBTQ student can be themselves
How to not get sucked into the online skincare vortex
JCCH President/Executive Director Announces Retirement
Wendy's just sent everyone a mysterious Google Calendar invite for a lunch date
11 times Jake Gyllenhaal's Instagram game was off the charts
Adam Rippon on Trump, Taylor Swift, and coming out
JANM Condemns ‘Cruel’ Family Separation Policy
The world's ugliest dog for 2019 is a real Scamp
13 hilariously viral moments from the UK election campaign 2017Jerry Seinfeld awkwardly denying Kesha a hug is like a modern day 'Seinfeld' plotIvanka Trump's Starbucks order is the wellAll hail James Comey's 'resting Comey face'All the best signs from the March for Truth, the protest against Trump's ties to RussiaJerry Seinfeld awkwardly denying Kesha a hug is like a modern day 'Seinfeld' plotApple gives health updates and watchOS news at WWDCAriana Grande's mom was spotted comforting fans during the Manchester benefit concertUber is refunding passengers who used the service after the London terror attack'To me, they're not even people:' Eric Trump attacks his dad's critics The Fear is Gone: My PC is my Next Boy Afraid Rebels with a Cause NYT Connections hints and answers for October 27: Tips to solve 'Connections' #504. James Webb telescope flexes its muscle with this deep, deep view of space Denver Nuggets vs. Los Angeles Clippers 2024 livestream: Watch NBA for free PC Games That Weren't Cancelled, But Should Have Been Cincinnati vs. Colorado football livestreams: kickoff time, streaming deals, and more NYT Connections Sports Edition hints and answers for October 27: Tips to solve Connections #34. Webb telescope sees galaxy collision brighter than 1 trillion suns
0.1635s , 9883.0234375 kb
Copyright © 2025 Powered by 【video lucah artis indonesia maya estiyanty】Enter to watch online.Zoom lets a website turn on your Mac's camera without permission,Global Perspective Monitoring
