If you have a Mac and have ever used Zoom video conferencing, you may have a problem.
On Monday, security researcher Jonathan Leitschuh publicly disclosed a vulnerability in the Zoom videoconferencing application that would apparently allow someone to activate your Mac's webcam and force you to join a Zoom call without your permission. In a Medium post, Leitschuh said he first reported the vulnerability to Zoom on March 26, 2019, but that the company had still not fixed the problem beyond the quick fix he had proposed at the outset.
Here, in short, is what Leitschuh found:
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
In addition, this vulnerability would have allowed any web page to DOS (denial of service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you have ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a web page. This reinstallation "feature" continues to work to this day.
In other words, if Zoom is installed on your Mac, or ever was, a website could spy on you or launch a DoS attack, in which a bad actor could in principle hit a user with a flood of join requests and lock up their computer. As The Verge explained, the Zoom app "installs a web server on Macs that accepts requests regular browsers wouldn't."
On Monday, people started testing the vulnerability, and it worked.
Leitschuh said that when he first reported the vulnerability, Zoom defended the behaviour as a feature: it wanted customers to be able to choose to join a meeting with their microphone and video automatically enabled. But if someone has no choice about whether to join the meeting at all, that is not really a choice. According to Leitschuh, Zoom tried to fix the vulnerability by preventing an attacker from turning on the video camera, but he was able to find workarounds that still let an attacker force a target to join a call with their webcam on.
This is a big deal: the flaw could expose up to 750,000 businesses and millions of Zoom users.
In response to a request for comment, Zoom pointed Recode to a post by Richard Farley, the company's chief information security officer, in which he disputed some of Leitschuh's claims and downplayed the severity of the vulnerability. He said that if a user were involuntarily joined to a Zoom meeting, it would be "obvious" to the user, because the Zoom client would launch and appear on their screen. There was "no indication," he said, that the attacks described in the Medium post had ever taken place. He added that Zoom's security team responded to the initial report within 10 minutes and judged the issues "low risk."
Farley also explained how the situation came about. Zoom said it built the local web server as a "workaround" after Apple changed its Safari browser to force users to confirm that they want to launch Zoom before a video call starts. He defended the decision as "a legitimate solution to a poor user experience, allowing our users to have one-click-to-join meetings, which is our key product differentiator."
Zoom said it released a fix for the denial-of-service issue in May, but because Zoom does not believe it poses a real risk to users, the update is optional. In July, Zoom will release a version of the app that saves a user's video preference from their first meeting and applies it to all future meetings, meaning users can turn their video off once and keep it off.
Still, users were troubled by the disclosure.
Part of Zoom's response is below. Basically: a Safari update (probably for security reasons?) added an extra click to join a meeting. So Zoom added a running web server to your computer that lets you join with one click. And it's not sorry.
Really. pic.twitter.com/GoSHzAci3Y
– Dieter Bohn (@backlon) July 9, 2019
Let's not lose sight of the root of the problem here: Zoom designed its application so that the person controlling the meeting decides whether your video camera is on, NOT YOU.
This was done on purpose by their product designers.
– SwiftOnSecurity (@SwiftOnSecurity) July 9, 2019
What to do about Zoom
Since Zoom has not fully fixed the vulnerability in its software, Leitschuh explained how to mitigate it yourself. In short, you can turn off Zoom's default behaviour of switching on your webcam when you join a meeting. He also provided some terminal commands at the bottom of his post and explained how to check whether the fix has worked.
Founded in 2011, Zoom went public in April, after Leitschuh first reported the flaw. The company beat estimates in its first quarterly earnings report as a public company in June and was one of the largest tech IPOs of the year. It is not yet clear how much this vulnerability will affect its business overall, although its share price fell by about 1 percent on Tuesday.
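As an added example, not code from this article or from Leitschuh's post, here is a small POSIX shell script that audits a Mac for the leftover localhost daemon and applies the two user-side mitigations this section describes: disabling auto-video on join, and removing the daemon so a web page cannot reinstall the client. The process name ZoomOpener, TCP port 19421, the preference key ZDisableVideo in us.zoom.config.plist and the ~/.zoomus directory are taken from Leitschuh's write-up rather than from this page; the lsof output embedded in the script is constructed for the offline self-check and was not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article or from Leitschuh's post): audit a Mac for
# the Zoom localhost daemon and apply the user-side mitigations. The daemon name,
# port, preference key and ~/.zoomus path are assumed from Leitschuh's write-up;
# none of them appear on this page.

ZOOM_PORT=19421
ZOOM_DAEMON=ZoomOpener
ZOOM_PLIST="$HOME/Library/Preferences/us.zoom.config.plist"

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output for the offline
# self-check; not captured from a real machine.
SAMPLE_LSOF='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 4242 alice   12u  IPv4 0xabc      0t0  TCP *:19421 (LISTEN)
Spotify   3117 alice    9u  IPv4 0xdef      0t0  TCP 127.0.0.1:4381 (LISTEN)'

# True (exit 0) if the lsof text in $1 shows a TCP listener on ZOOM_PORT.
zoom_listener_present() {
    printf '%s\n' "$1" | grep -Eq "TCP [^ ]*:${ZOOM_PORT} \(LISTEN\)"
}

# Print the COMMAND column of whatever listens on ZOOM_PORT (empty if nothing).
zoom_listener_command() {
    printf '%s\n' "$1" | grep -E "TCP [^ ]*:${ZOOM_PORT} \(LISTEN\)" \
        | awk '{ print $1 }' | head -n 1
}

# True if the preference value in $1 (what `defaults read` prints) keeps the
# camera off when joining a meeting.
value_disables_video() {
    [ "$1" = "1" ]
}

# Live audit: needs lsof and defaults, so only meaningful on macOS.
audit_mac() {
    live="$(lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null)"
    if zoom_listener_present "$live"; then
        echo "localhost daemon listening on port $ZOOM_PORT: $(zoom_listener_command "$live")"
    else
        echo "no listener on port $ZOOM_PORT"
    fi
    if value_disables_video "$(defaults read "$ZOOM_PLIST" ZDisableVideo 2>/dev/null)"; then
        echo "ZDisableVideo=1: camera stays off when joining"
    else
        echo "ZDisableVideo not set: camera turns on when joining"
    fi
}

# Apply the mitigations: keep video off by default, stop the daemon, and leave an
# unwritable placeholder where it lived so it cannot be dropped back in.
fix_mac() {
    defaults write "$ZOOM_PLIST" ZDisableVideo 1
    pkill "$ZOOM_DAEMON" 2>/dev/null || true
    rm -rf "$HOME/.zoomus"
    touch "$HOME/.zoomus" && chmod 000 "$HOME/.zoomus"
}

if [ "$(uname)" = "Darwin" ]; then
    if [ "${1:-}" = "--fix" ]; then
        fix_mac
    fi
    audit_mac
fi
```

Run it without arguments to see whether the daemon is listening and whether auto-video is disabled; run it with --fix to write the preference, stop the daemon and leave the placeholder in place. Re-running it without arguments afterwards is the "check that the fix works" step: the audit should report no listener on the port and ZDisableVideo=1.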
Recode and Vox have joined forces to discover and explain how our digital world is changing – and changing us. Subscribe to Recode podcasts to hear Kara Swisher and Peter Kafka lead the tough discussions that the technology industry needs today.