A video conversation software 'Zoom' is found vulnerable to camera activation without user permission
by
A vulnerability has been discovered in the Mac version of the software ' Zoom ' that enables real-time video conferencing and content sharing, where a malicious website is accessed by a camera without user's permission.
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Response to Video-On Concern-Zoom Blog
https://blog.zoom.us/wordpress/20019/07/08/response-to-video-on-concern/
Zoom security flaws lets hackers access Mac webcams-Vox
https://www.vox.com/recode/2019/7/9/20687689/zoom-mac-vulnerability-medium-jonathan-leitschuh-camera
The discovered Mac version Zoom vulnerability is that any web site can be enabled to force a camera to join a video conference without the user's permission. By exploiting this vulnerability, it was possible to launch a DoS attack by forcing users to join in an inactive video conference.
Furthermore, when using the Zoom specification to create a local server on a PC at the time of installation and receiving a request to forcibly start Zoom via a website, Zoom is automatically re-installed even after uninstallation. An operating system-independent vulnerability has been discovered that could lead to video conferencing.
By
Jonathan Wrightshoe, a security engineer, discovered the series of vulnerabilities. Wright Schuh discovered these vulnerabilities in March 2019, and notified Zoom on the correction plan taken by Wright Shooh himself on March 26 and the 'Publication Deadline' for the 90th. Yes. However, Zoom has given priority to 'the ability for users to join the meeting with one click', and it is said that these vulnerabilities were 'low risk' because there were no reports that this vulnerability was actually used. about.
According to Zoom's official announcement , the problem was fixed by a patch in May 2019. However, since this patch was applied for the first time by setting it, it turned out that the vulnerability was left by default. In addition, the fix that was supposed to be done on July 7 has been removed, and the vulnerability that allows the webcam to be launched without the user's permission has been restored. On July 8th, when the public disclosure deadline has passed, Mr. Lightshue has released a series of fixes for a series of problems and vulnerabilities.
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
A large number of users have protested following the announcement of Mr. Lightshue, and on July 9, 2019, one day after the announcement, Zoom released a patch to completely delete the local server. Also, Zoom announced on July 12, 2019 that it plans to release a fix that will always turn off the video.
Zoom's response to vulnerability reports has also been discussed. Zoom said that it would issue a bounty for reporting this kind of vulnerability, but this bounty was conditional on the 'must sign a non-disclosure agreement'. Matthew Garrett , a security engineer with Google, who has won the FSF Free Software Award , writes that Wrightshoo's 90-day disclosure deadline has 'generally followed the norm.' As Zoom is requesting that a confidentiality agreement be received to receive a bounty, 'If you think that raising your name as an engineer by announcing this issue, then requesting a confidentiality agreement is an incentive for vulnerability reporting. Imprisoning the work of
Lightshue commented on Twitter that 'This is unacceptable' when publishing the vulnerability.
Heads up @ zoom_us :
— Jonathan Leitschuh (@JLLeitschuh) July 7, 2019
The fix for the security vulnerability that impacts ~ 4 million of your users has regressed.
90-day public disclosure deadline was June 24th.
I'm going public tomorrow.
This is unacceptable.
Related Posts: