Zoom vulnerability lets websites switch on Mac users' webcams

According to Leitschuh's findings, any website can hijack the Zoom software and force a Mac user to join a call with the webcam activated, without their permission, unless a specific setting is enabled.

Video conferencing app Zoom has a major security flaw in its Mac client, letting any website turn on your Mac's camera without a warning, security researcher Jonathan Leitschuh claims. Obviously, this vulnerability is something malicious snoopers and cyber pranksters could exploit.

According to Leitschuh, he contacted Zoom on March 26 this year and said that he would disclose the exploit publicly in 90 days.

Worse still, the local web server remains even if a user is no longer using Zoom, since it is not removed along with the Zoom installation. Having a web server on a local machine is also pretty dodgy, as it opens up that computer to all manner of cyber nasties, notably denial of service attacks if a hacker were to spam the local web server with repeated GET requests.

In a blog post, Mr Leitschuh discovered that Zoom achieves insecurely, allowing websites to join you to a call by activating your webcam without permission. The release will let first-time users who click on the "Always turn off my video" box have their video preference saved automatically. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user's video feed.

A Zoom spokesperson responded, saying as part of its July 2019 that it would apply and save the user's video preference from their first meeting to all future meetings, and would evaluate other similar features.

As Leitschuh explains, the vulnerability stems from Zoom's quest for simplicity. See below for how to prevent Zoom turning on your camera by default when you join a meeting.

A series of discussions with Zoom's security team followed, he added, which led the company to propose what Mr Leitschuh described as a "quick fix". Otherwise, for users familiar with the Mac's Terminal app, Leitschuh outlines how you can disable the web server yourself.

While those using Zoom on company-owned machines - usually managed by an office's IT administrator - may not have the ability to uninstall Zoom themselves, changing the settings related to your webcam is easy enough.

But of course, not everyone will have selected to turn off video when joining a meeting. The post went on to stress that "the host or any other participant can not override a user's video and audio settings to, for example, turn their camera on". The patch also allows users to completely uninstall the app. It is hard to understand how Zoom's security officer can justify risks like these in the name of avoiding "poor user experience". In an update to Zoom's big blog post about the flaw, the company stated a patch coming tonight (July 9) at or before 3 a.m. EST/midnight PST will solve things.

The archetypal Mac user is well accustomed to thinking that an app is uninstalled by click-dragging it into the trashbin, without leaving behind any traces of code that can take autonomous decisions, such as reinstalling an app, without explicit approval.

An update to Zoom has been rolled out that changes the way links for meetings are set up and that ensures video is turned off as a default, it said.
