Video conferencing app Zoom has a major security flaw in its Mac client,top phim khiêu dam c?a pháp letting any website turn on your Mac's camera without a warning, security researcher Jonathan Leitschuh claims.
In a blog post Monday, Leitschuh detailed the vulnerability, which he says he'd disclosed to Zoom more than 90 days ago, and the company still hasn't fixed it.
SEE ALSO: Google Nest camera security flaw allows former owners to observe others' homesThe problem lies in Zoom's usage of a web server on users' local machines. This makes some of Zoom's cool features possible, for example, clicking on a simple link in your web browser automatically starts up the app.
Having an app install and run a web server on a user's machine with an undocumented API "feels incredibly sketchy," Leitschuh says. But there's more. According to Leitschuh, "this web server can do far more than just launch a Zoom meeting. (...) this web server can also re-install the Zoom app if a user has uninstalled it."
This is bad by itself, but Leitschuh discovered a vulnerability that let him launch a Zoom call, with video enabled, on a user's machine without permission. The same vulnerability allows the attacker to perform a DOS (denial of service) type attack on a user's machine.
Leitschuh says that he'd contacted Zoom on March 26, offering the company a quick fix for the vulnerability. After a lot of back and forth, Zoom partially fixed the flaw, but Leitschuh was able to bypass their fix, after which the company offered no additional fix. The security issue is still present in the latest version of Zoom for Mac, 4.4.4.
In a blog post Monday, Zoom defended its app's functionality, claiming that users are prompted to turn their video off when joining their first meeting, and can set the video to off in subsequent meetings; if they do so, it would be impossible for the host or other participants to turn their camera on. Furthermore, Zoom claims, "because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately."
The company said they will give users more control of their video settings in an upcoming, July 2019 release.
The company also addresses the presence of the web server on user machines, saying it's a "workaround to a change introduced in Safari 12" and a "legitimate solution to a poor user experience problem."
Zoom has assessed that both the video call issue and the DOS issue were "low risk," which is why the company decided not to change the app's functionality. The company also promised it will launch a public vulnerability disclosure program in the "next several weeks."
The main question users should be asking themselves is whether they want to sacrifice their system's security for a bit of added functionality -- likely, functionality they can live without. Zoom's ability to re-install itself without user permission after it's been uninstalled is particularly worrisome. Since there's no official fix for the issue, you can remove Zoom's web server from your machine by following the steps described in Leitschuh's post.
Topics Cybersecurity
Previous:New Cast, New Energy
Next:Dota 2 и Counter
Deadlock стала самой желанной игрой в Steam
Arkadium mini crossword answers for December 2
The best Cyber Monday Apple deals at Amazon
Get 20% on some of Solo Stove's most innovative products.
Hirahara to Discuss ‘Hiroshima Boy’ at JANM
4 Cyber Monday laptop deals I can't stop thinking about
Best gift card deal: A $100 DoorDash gift card is down to just $85 at Best Buy.
Why is a smoking duck all over my timeline?
‘Ramen Heads’ Screening at Nuart
Wordle today: The answer and hints for December 2
Riverside Love Story, an Artist
Shark vs. Dyson: Which cordless vacuum should you get?
1000th Wordle has people sharing their scores online. Can you beat it?
Best Cyber Monday gaming laptop deals at Amazon: Save up to $600 while deals last
‘When Women Rule the Court’ Book Event at GVJCI
Cyber Monday Kindle book deals: Save 80% on popular reads
Apple's Lightning AirPods Max hit a new record low during Best Buy's Cyber Monday sale
Best pet deal: Save 20% on select items at Fable Pets
Hirahara to Discuss and Sign ‘Hiroshima Boy’
2024 Cyber Monday ads: Target, Best Buy, Walmart, Home Depot
Anthony Scaramucci burns every bridge in wild new interviewThere's no ban on carrying comics—or any other type of books—in checked bagsStop hating on wearables, they helped me finish an IronmanJohn McCain, ever the political dramatist, has always understood the value of TV comedyThe secret lexicon of the Kardashians' Instagram commentsAdorable kitten travels the world in an epic Photoshop battleWhen you want to cause a political scandal but you play yourselfThe title of Hillary Clinton's upcoming campaign memoir has been unveiledWhat is an Airbnb 'superhost' exactly? It has to do with hospitality, not safetySend help. An 'unusually aggressive squirrel' is terrorizing Brooklyn. The OLED Burn If You Should Fall Tour de France 2025 livestream: Watch Tour de France for free Truth Is Never Finished When is 'Sinners' streaming? How to watch the smash horror hit at home. Probably Oblivion A NASA probe has just spilled secrets about Jupiter and a fiery moon Best early Prime Day Samsung Galaxy deals: Shop Galaxy Buds, Galaxy Tabs, and more Three Stories Abundance Mindset
0.2036s , 8093.0546875 kb
Copyright © 2025 Powered by 【top phim khiêu dam c?a pháp】Zoom lets a website turn on your Mac's camera without permission,Feature Flash
