SimonWoods

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission.

Jonathan Leitschuh, Zoom Zero Day

Yikes.

SimonWoods

Quick note: this also happens after you have uninstalled Zoom.

Bruce

@simonwoods Yikes indeed! Your link gave me a 404, here’s one that should work.

SimonWoods

@Bruce Thanks. I've replaced it with the Medium shortlink, though idk if it'll appear in the timeline post.

The @ is a problem on the timeline akin to the former issue with _ being used in usernames.

crossingthethreshold

@simonwoods Zoom have since offered a response which includes,

We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client. The user needs to manually locate and delete those two apps for now. This was an honest oversight. As such, by this weekend we will introduce a new Uninstaller App for Mac to help the user easily delete both apps.

~ Response to Video-On Concern

Bruce

@simonwoods Yep, Medium is just so embracing of the open web.

Also, thanks for pointing this out. Riggs uses Zoom for family therapy and it’s on my mother’s computer. I screenshared in to kill the local server and change the setting that the author recommended.

JohnPhilpin

@crossingthethreshold @simonwoods

So that's good:

“To be clear, Zoom honors the user’s Meeting settings. If the user has checked the video OFF option in their user settings, this cannot be overridden by the host or any other participant.”

Also - I did a CleanMyMac check - deleted Zoom, scanned, looked for malware etc etc.

The terminal call still revealed the process.

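The thread's point is that a local web server can outlive the uninstall and only shows up when you look at what is listening on the machine. As an added defender-side check (example code, not from this thread, from Zoom or from any uninstaller), the script below parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and reports listeners bound to loopback or all interfaces whose command name is not on an allowlist; the allowlist, the `LeftoverSvc` name and the port in the sample are constructed placeholders, not real Zoom identifiers.

```python
"""Report unexpected local TCP listeners from `lsof -nP -iTCP -sTCP:LISTEN`.

Added example for the thread above; not part of any vendor tooling.
Usage on a Mac:  lsof -nP -iTCP -sTCP:LISTEN | python3 leftover_listeners.py
"""
import sys

# Command names you expect to hold a listener on this machine.
# Constructed for the example; tune it to the machine being checked.
EXPECTED = {"postgres", "sshd"}

# Addresses a browser on the same host can reach: loopback or wildcard.
LOCALLY_REACHABLE = {"127.0.0.1", "[::1]", "localhost", "*"}

# Constructed sample output (the LeftoverSvc line and its port are placeholders).
SAMPLE = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
postgres    311  alice    7u  IPv4 0x3a1b2c3d4e5f6071      0t0  TCP 127.0.0.1:5432 (LISTEN)
LeftoverSvc 512  alice    4u  IPv4 0x7a8b9c0d1e2f3041      0t0  TCP 127.0.0.1:1234 (LISTEN)
sshd        101  root     3u  IPv6 0x1122334455667788      0t0  TCP *:22 (LISTEN)
"""


def parse_listeners(lsof_output):
    """Yield (command, pid, address, port) for every '(LISTEN)' line."""
    for line in lsof_output.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(parts) < 9 or parts[-1] != "(LISTEN)":
            continue
        addr, _, port = parts[-2].rpartition(":")  # "[::1]:22" -> "[::1]", "22"
        yield parts[0], int(parts[1]), addr, int(port)


def unexpected_local_listeners(lsof_output, expected=EXPECTED):
    """Listeners reachable from a local browser whose command is not allowlisted."""
    return [
        (cmd, pid, addr, port)
        for cmd, pid, addr, port in parse_listeners(lsof_output)
        if addr in LOCALLY_REACHABLE and cmd not in expected
    ]


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for cmd, pid, addr, port in unexpected_local_listeners(data):
        print(f"unexpected listener: {cmd} (pid {pid}) on {addr}:{port}")
```

Anything it reports after an uninstall is a candidate for the manual locate-and-delete step Zoom's response describes; confirm with `ps -p <pid> -o command=` before killing it.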
jl_siewert

@simonwoods Would you even call that a vulnerability? It's by design that there is an invisible background process that will happily join any conference with video enabled.

smokey

@simonwoods @Bruce Probably the @ has to be percent-encoded; URL rules require it, but Postel’s Law means it often works raw.

The stupid Medium at-sign URL

Interestingly, I can’t find anything that offers that link; on his profile page, and on the article itself, the links are all to medium.com/bugbountywriteup/…

smokey

@simonwoods @Bruce I’m guessing they set up the redirect because of all the problems using @ in URL paths, which ironically means Jonathan Leitschuh has lost “ownership” of his article by publishing it on his Medium “blog” :-P

smokey

@jlsiewert @simonwoods If it does so without asking for permission, without informed consent from the user, it’s a vulnerability even if it’s by design from the vendor’s POV, IMO. Especially if any site on the web can make it happen.
