Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!


104 bookmarks. First posted by lydialaurenson 9 days ago.


via Pocket - Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! - Added July 08, 2019 at 10:11PM. As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
IFTTT  Pocket 
6 days ago by peteyreplies
Zoom videoconferencing app contains major vulnerability
from twitter
7 days ago by pixel
RT : Got a Mac? Used Zoom video calling (ever)?

Read this:

TL;DR: You've been pwned. Uninstall…
from twitter
7 days ago by javierruiz
As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. via Pocket
IFTTT  Pocket 
8 days ago by archizoo
Jonathan Leitschuh:
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

Zoom puts a server with an open port on your machine, and doesn't wipe it if the app is deleted, all so you won't have to click "OK" to access your camera. It can re-download the app if you delete it; a host can force your video camera on when you join a meeting. It's an unbelievable hot mess of security vulnerabilities, to which it responded with a mea not so much culpa, https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/ ("There is only one scenario where a Zoom user’s video is automatically enabled upon joining a meeting. Two conditions must be met: 1) The meeting creator (host) has set their participants’ video to be on AND 2) The user has not checked the box to turn their video off" 🙄). Zoom really doesn't understand it. But it's a publicly traded company whose mission is "make video communications frictionless"; notice that "frictionless" doesn't have to mean "secure", nor does it contain any concern about collateral damage in getting rid of friction.
security  vulnerability  hacking  zoom 
8 days ago by charlesarthur
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
from twitter
8 days ago by tonyatmatc
RT : Yikes. You may want to uninstall Zoom (and the server it secretly creates on your computer).
from twitter
8 days ago by andygeers
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000…
from instapaper
8 days ago by davegullett
So, if you use zoom - there is a nasty vulnerability right now on Mac:
from twitter
8 days ago by codepo8
zoom vulnerability
zoom 
8 days ago by herndonj
Favorite tweet:

The flipside to responsible disclosure: failure to patch a critical vulnerability in 90 days makes a software vendor irresponsible and it's a good thing for their irresponsibility to become public knowledge sooner than later https://t.co/9i2ZU5XZp1

— Tony "ABOLISH ICE" Arcieri (@bascule) July 8, 2019
IFTTT  Twitter 
8 days ago by Ryanvlower
Favorite tweet:

Everyone is sharing the Zoom vuln, but the crucial bit is this:
$> lsof -i :19421
$> kill -9
— Jo Hanna Pearce (@jdpearce) July 9, 2019

http://twitter.com/jdpearce/status/1148507087862947840
IFTTT  Twitter 
8 days ago by chaoxian
As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a…
security  zoom  macos 
8 days ago by phantom4
Fixing Zoom creepiness.
macos  macapps 
8 days ago by devolute
RT : Excuse me, what. Get the fuck out.
from twitter
8 days ago by quartzcity
Mac Zoom client vulnerability allows malicious website to access your camera
loopinsight  spike 
8 days ago by edan
As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. via Pocket
Pocket  must-read  toread 
8 days ago by traggett
As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a…
8 days ago by rdump
Technical explanation by the discoverer. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
8 days ago by dartagan
detailed breakdown on the Zoom flaw and some experiments exposing it
Quicklinks 
8 days ago by yewknee
Denial of service POC for Zoom. GitHub Gist: instantly share code, notes, and snippets.
Zoom  Zero  Day  Vulnerability 
8 days ago by dhinojosa
the confid cryptographic parameter described does not look impleme…
from twitter_favs
8 days ago by kohlmannj
signature on to the client.
They also proposed locking the signature to the IP that made the request. This would mean that as
from instapaper
8 days ago by mledu
Bold prediction: so far, we have uncovered roughly 40% of the mess video conferencing is security-wise
from twitter_favs
8 days ago by fkbarrett
Bold prediction: so far, we have uncovered roughly 40% of the mess video conferencing is security-wise
from twitter_favs
8 days ago by NeoNacho
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000…
from instapaper
8 days ago by adamlogic
RT : Vulnerability in the Mac Zoom client allows malicious websites to enable c ()
from twitter
8 days ago by ripienaar
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
article 
8 days ago by mud
Eeeeuw. A local web server that continues to exist even after you uninstall the app, and can reinstall arbitrary versions of it? Zoom is a virus.
security  video  voice2  hacker  zoom  horrible  bug 
8 days ago by yorksranter

To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files.
To prevent this server from being restored after updates, you can execute the following in your terminal:

security  zoom 
8 days ago by emerysnyder
All remote employees are going to have a bad day tomorrow because they had to uninstall today.
from twitter_favs
8 days ago by nigeljames
4+ Million Webcams & maybe an RCE? Just get them to visit your website!
security  app 
8 days ago by alastc
Terrible implementation aside, the way handled the whole thing made me lose trust in them.
from twitter_favs
8 days ago by andydavies
For now I suggest uninstalling the Zoom desktop client.
from twitter
8 days ago by iwaffles
RT : Got a Mac? Used Zoom video calling (ever)?

Read this:

TL;DR: You've been pwned. Uninstall…
from twitter
8 days ago by loughlin
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. via Pocket
IFTTT  Pocket  security  vulnerability  zoom 
8 days ago by ChristopherA

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
from:workflow 
8 days ago by micktwomey
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed…
8 days ago by lsrgt
Now that is quite something.
Security 
8 days ago by dominik
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000…
from instapaper
8 days ago by jasenpheffer