There’s A Major Security Vulnerability In Zoom’s Desktop App. The Company Said It’s A Feature, Not A Flaw.


13 bookmarks. First posted by josephschmitt 7 days ago.


Saitta criticized these behaviors, saying they are “not justifiable in these cases and come with significant risk.” She recommends that people remove Zoom from their systems and refrain from using the app until the company delivers a version without that always-on web server. “This is an excellent example of what my friend Deb Chachra calls ‘nonconsensual technology,’” she told BuzzFeed News. “It’s a sadly common attitude among tech companies that what the user wants can be ignored on a whim.”
technology 
2 days ago by fpaulus
Video conferencing service Zoom left millions of users exposed to a security flaw that could allow attackers easy access to its users' laptop cameras and microphones. The vulnerability, which allows attackers to initiate a video-enabled call on a Mac without user consent, was first reported by software engineer Jonathan Leitschuh yesterday. Leitschuh told BuzzFeed News that the attack also affects Windows users who have opened custom URLs from Zoom on Chrome browsers.
...
Users can click a Zoom link to auto-join a meeting. Users can also, Leitschuh discovered, visit a website with what’s called an iframe embed hiding behind a malicious advertisement. Once the embed loads on the website, the Zoom app will launch and, depending on the settings of the user, give an attacker and any other participants in that meeting immediate access to the victim’s camera and microphone — without requiring a single click from the victim.
...
Not only did Zoom allow attackers access to the video cameras of its Mac app users, but it also left its web server running in the background, even after the user uninstalled the Zoom app. BuzzFeed News also verified that the server also reinstalled the Zoom app when a meeting link was clicked, without notifying the user, if the Zoom app had been deleted from the machine.
mac  video  security  app  privacy  exploit  fail 
6 days ago by some_hren
Zoom’s video conferencing service is used by Nasdaq, the Centers for Disease Control and Prevention, the US Department of Homeland Security, and the US Department of Energy, among others.
Video conferencing service Zoom left millions of users exposed to a security flaw that could allow attackers easy access to its users' laptop cameras and microphones. The vulnerability, which allows attackers to initiate a video-enabled call on a Mac without user consent, was first reported by software engineer Jonathan Leitschuh yesterday. Leitschuh told BuzzFeed News that the attack also affects Windows users who have opened custom URLs from Zoom on Chrome browsers.
Leitschuh reported the vulnerability to Zoom in March. The company responded by releasing a fix for an unrelated flaw that would allow a hacker to trigger an endless loop of meeting requests. It left the video camera issue unaddressed.
In a blog post updated Tuesday afternoon, Zoom said it will release a patch for the vulnerability by July 11.
Earlier in the day, Zoom chief information security officer Richard Farley told BuzzFeed News that there have been no reports of the video camera access attack based on customer support records, but also admitted that “Meeting joins happen all the time. Millions a day. There isn’t really a way for us to look at the logs to determine whether that was an intentional join by the user or the user was phished into joining.”
security  privacy  zoom  webcam  mac  bug  hack  apps 
6 days ago by rgl7194
Unexpectedly seeing the name of someone I know (hi ) in an article I was reading anyway makes me 😀.
from twitter_favs
7 days ago by miaeaton
Zoom’s video conferencing service is used by Nasdaq, the Centers for Disease Control and Prevention, the US Department of Homeland Security, and the US…
from instapaper
7 days ago by jrdodds
Zoom Considers Their Major Security Vulnerability a Feature, Not a Flaw
7 days ago by nimprojects
via Feedbin Starred Entries for wangjunyu@gmail.com
IFTTT  Feedbin  Starred  Entries  for  wangjunyu@gmail.com 
7 days ago by junyu
Nicole Nguyen, reporting for BuzzFeed News:

Not only did Zoom allow attackers access to the video cameras of its Mac app users, but it also left its web server running in the background, even after the user uninstalled the Zoom app. BuzzFeed News also verified that the server also reinstalled the Zoom app when a meeting link was clicked, without notifying the user, if the Zoom app had been deleted from the machine.

Saitta criticized these behaviors, saying they are “not justifiable in these cases and come with significant risk.” She recommends that people remove Zoom from their systems and refrain from using the app until the company delivers a version without that always-on web server. “This is an excellent example of what my friend Deb Chachra calls ‘nonconsensual technology,’” she told BuzzFeed News. “It’s a sadly common attitude among tech companies that what the user wants can be ignored on a whim.”

Simply outrageous.

via:daringfireball 
7 days ago by rufous
from Daring Fireball

ifttt  daringfireball 
7 days ago by josephschmitt