Zoom vulnerability lets websites switch on Mac users' webcams


According to Leitschuh's findings, any website can hijack the Zoom software and force a Mac user to join a call with their webcam activated, without their permission, unless a specific setting is enabled.

Video conferencing app Zoom has a major security flaw in its Mac client, letting any website turn on your Mac's camera without a warning, security researcher Jonathan Leitschuh claims. Obviously, this vulnerability is something malicious snoopers and cyber pranksters could exploit.

According to Leitschuh, he contacted Zoom on March 26 this year and said that he would disclose the exploit publicly in 90 days.

Worse still, the local web host remains even if a user is no longer using Zoom, since the host is not removed along with the Zoom installation. Having a web server on a local machine is also pretty dodgy, as it opens up that computer to all manner of cyber nasties, notably denial of service attacks if a hacker were to spam the local web server with repeated GET requests.
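A leftover local web server of the kind described above can be looked for from the Terminal. The following is an added example (not from Leitschuh's post or from Zoom): a shell script that parses `lsof` listener output and flags loopback listeners whose command is not on an allowlist. The process name `leftoverd`, the port numbers and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners bound to loopback from `lsof` output and
# flag any whose command is not on an allowlist.
# On a Mac, feed it live data with:  lsof -nP -iTCP -sTCP:LISTEN | flag_unexpected

# Constructed sample (not captured from a real machine).
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    381 alice    4u  IPv4 0xa1      0t0  TCP *:49160 (LISTEN)
postgres    502 alice    7u  IPv6 0xa2      0t0  TCP [::1]:5432 (LISTEN)
leftoverd   733 alice   10u  IPv4 0xa3      0t0  TCP 127.0.0.1:18080 (LISTEN)
leftoverd   733 alice   11u  IPv4 0xa3      0t0  TCP 127.0.0.1:18080 (LISTEN)'

# Assumption: commands the machine owner expects to listen on loopback.
ALLOWLIST="postgres"

# Print "command pid port" once for each loopback listener read from stdin.
loopback_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
        addr = $(NF-1)
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)   # text before the port
        if (host == "127.0.0.1" || host == "[::1]" || host == "localhost") {
            key = $1 " " $2 " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# Print only the loopback listeners whose command is not allowlisted.
flag_unexpected() {
    loopback_listeners | while read -r cmd pid port; do
        case " $ALLOWLIST " in
            *" $cmd "*) ;;
            *) echo "UNEXPECTED $cmd pid=$pid port=$port" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LSOF" | flag_unexpected
```

A flagged entry is only a lead: confirm which application owns the process before removing anything.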

In a blog post, Mr Leitschuh discovered that Zoom achieves insecurely, allowing websites to join you to a call by activating your webcam without permission. The release will let first-time users who click on the "Always turn off my video" box have their video preference saved automatically. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user's video feed.

A Zoom spokesperson responded, saying that as part of its July 2019 release it would apply and save the user's video preference from their first meeting to all future meetings, and would evaluate other similar features.

As Leitschuh explains, the vulnerability stems from Zoom's quest for simplicity. See below for how to prevent Zoom turning on your camera by default when you join a meeting.

A series of discussions with Zoom's security team followed, he added, which led the company to propose what Mr Leitschuh described as a "quick fix". Otherwise, for users familiar with the Mac's Terminal app, Leitschuh outlines how you can disable the web server yourself.

While those using Zoom on company-owned machines - usually managed by an office's IT administrator - may not have the ability to uninstall Zoom themselves, changing the settings related to your webcam is easy enough.

But of course, not everyone will have selected to turn off video when joining a meeting. The post went on to stress that "the host or any other participant can not override a user's video and audio settings to, for example, turn their camera on". The patch also allows users to completely uninstall the app. It is hard to understand how Zoom's security officer can justify risks like these in the name of avoiding "poor user experience". In an update to Zoom's big blog post about the flaw, the company stated that a patch coming tonight (July 9) at or before 3 a.m. EST/midnight PST will solve things.

The archetypal Mac user is well accustomed to thinking that an app is uninstalled by click-dragging it into the trashbin, without leaving behind any traces of code that can take autonomous decisions, such as reinstalling an app, without explicit approval.

An update to Zoom has been rolled out that changes the way links for meetings are set up and that ensures video is turned off as a default, it said.
