Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras (theverge.com) 54
Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability for the Zoom video conference app on Macs that could allow websites to turn on user cameras without permission. The Verge reports: He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That's possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn't. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention. Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh's account, Zoom doesn't appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it's not an issue with their browsers, there's not much those developers can do. The report notes that you can "patch" the vulnerability by making sure the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting. "Again, simply uninstalling Zoom won't fix this problem, as that web server persists on your Mac," reports The Verge. "Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post."
Use the Oversight app (Score:5, Informative)
This is why I use the Oversight app by Objective See. It lets you know when something is accessing your webcam or microphone.
https://objective-see.com/prod... [objective-see.com]
Their other apps are amazing too, and they're all donation ware. Made by a guy who used to work at Apple.
https://objective-see.com/prod... [objective-see.com]
Re: (Score:2)
Can you trust the software? I'd at least like an indicator light controlled by firmware. But a stick-on lens cap is cheaper and more reliable and perhaps the simplest user interface.
Re: (Score:2)
Tape doesn't block the microphones on your device. The only truly good option would be to have a physical switch that electrically and manually disconnects the webcam and microphones when you want them off.
Unfortunately, I don't know of one single laptop mfg that does that. The second best is to at least have a firmware controlled LED that lights up when either is active. My 2015 MBP has an LED for the webcam but not the microphones, and I don't know if that LED is tied directly to webcam activity.
Re:Use the Oversight app (Score:4, Interesting)
This is why I use the Oversight app by Objective See. It lets you know when something is accessing your webcam or microphone.
How many times has it triggered?
Which apps / sites triggered it?
Why Zoom when webRTC is built in? (Score:1)
I keep wondering why people install apps when modern browsers have things like WebRTC built into them. Why Skype or Zoom or GoToMeeting when there's WebRTC? What are the benefits?
Re: (Score:1)
WebRTC is a protocol (like TCP/IP and HTTP) but it does nothing for managing contacts, recording historical conversations, or conducting advanced features like remote-control assistance or user polling. Those features require some multi-channel platform.
Re: (Score:2)
Because you're being an idiot. That extension - because of sandboxing - cannot access your contact list, your appointments, etc. That's the point, idiot.
It seems overkill to install an app when all that is needed is to transfer a contact list. You are giving them the keys to the kingdom and as the error shows they are leaving the backdoor open. Uploading a contact list would be a much nicer solution.
Re: (Score:1)
Because some people's employers require it for meetings.
Re:Why Zoom when webRTC is built in? (Score:5, Informative)
My employer uses Zoom for meetings, and when you use a Zoom link, it tries to get you to install their application, but if you pay attention, you can skip that and just do it all in the browser, and it works great. I've seen no reason to install their software.
Re: (Score:2)
I tried that, but I've found that over lower-bandwidth connections, it tends to bog down pretty hard (you can only listen to someone's voice rubber-banding for so long before it becomes a massive irritant.)
Re: (Score:2)
I keep wondering why people install apps when modern browsers have things like WebRTC built into them. Why Skype or Zoom or GoToMeeting when there's WebRTC? What are the benefits?
The fact that you're pointing out just a protocol (and not a product) aside...
Because of stupid/cheap partners who you spend a zillion dollars with, yet they insist you use their Zoom app. Because vendors want to use it, and suddenly have all kinds of problems using Webex like normal people do. Because some cheapskate PHB in your multi-billion-dollar employer went 'oooh!' and 'ahh!' at the pretty UI, and now they demand that the rest of the corp (including *you*) use stuff like Zoom... and they're high up enough
Re: (Score:1)
You know I saw one of these given away as conference schwag from some ad company, and after a cursory inspection, I could tell it did not entirely block bright light sources.
My advice is: Stick to using black electrician's tape.
Re: (Score:1)
I'd love to have a physical slider that disconnects the non-removable battery from the circuit on any tablet, phone, or laptop that has a non-removable battery. You can 'shut down' your tablet, but unless you store it plugged into a charger it runs the battery down to zero in a matter of weeks.
I'm surprised there aren't attractive opaque metal foil labels on the market for people to stick over their camera. It could become a trendy thing to display on your gadget.
Re: (Score:2)
"I'm surprised there aren't attractive opaque metal foil labels on the market for people to stick over their camera"
Dude, they literally sell sliding shutter stickers. Prop that rock up, and crawl outta there.
Re: (Score:2)
https://arstechnica.com/tech-p... [arstechnica.com]
I've just always had foil tape over mine forever.
Re: (Score:2)
The Rand Paul presidential campaign last cycle sold the camera blockers/sliders.
https://arstechnica.com/tech-p... [arstechnica.com]
I've just always had foil tape over mine forever.
Did you spring for the matching hat?
Re: (Score:2)
From a Wired article [wired.com], Apple
... will now include a mechanism to cut off a laptop's microphone at a hardware level whenever the lid is closed. This means that no matter what malware might be running on a device—and no matter how much device access and control that malware has—there won't be a way for it to use software tricks to keep your mic listening after you close your computer.
That's a step in the right direction. Now Apple, when you manufacture computers, please put in physical sliders or buttons that let us physically disable the camera and microphone at any time (not just when the lid is closed).
How to disable Zoom (OSX) (Score:5, Informative)
From the Medium post:
# Disable automatic video start for all users:
sudo defaults write
# Get the webserver process ID
lsof -i
# Kill the webserver process, where $pid is the PID listed from above
kill -9 $pid
# Cleanup the zoom directory, prevent recreate
rm -rf ~/.zoomus
touch ~/.zoomus
# Optionally delete the zoom.us app from Applications
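The commands above, as posted, are a one-shot manual cleanup. As an added example (not code from the Medium post or from any commenter), here is a small POSIX shell script that turns the same steps into repeatable checks: is anything still listening on the helper's port, and has ~/.zoomus been replaced by the empty-file guard that stops the helper from recreating itself. The port number 19421 and the ~/.zoomus path are taken from Leitschuh's disclosure, not from this page, and both are parameterized so they can be changed.

```shell
#!/bin/sh
# Added example, not from the Medium post or any Slashdot comment.
# Assumptions (from Leitschuh's disclosure, not from this page):
#   - the leftover Zoom helper listens on localhost TCP port 19421
#   - it recreates ~/.zoomus; an empty *file* of that name blocks the recreate
ZOOM_PORT="${ZOOM_PORT:-19421}"
ZOOMUS="${ZOOMUS:-$HOME/.zoomus}"

# Print the PID(s) of any process listening on the Zoom port. Prints nothing
# and returns non-zero when nothing is listening (or lsof is unavailable).
zoom_listener_pids() {
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN -t 2>/dev/null
}

# Classify the path the helper uses for its state directory.
# Prints and returns: "directory" (1) = helper can still recreate itself,
# "guarded" (0) = replaced by an empty file, "absent" (2) = nothing there.
zoomus_state() {
    if [ -d "$1" ]; then
        echo directory; return 1
    elif [ -f "$1" ]; then
        echo guarded; return 0
    else
        echo absent; return 2
    fi
}

# Replace the directory with an empty file (the post's rm/touch step),
# safe to run repeatedly. Returns 0 once the path is a plain file.
guard_zoomus() {
    if [ -d "$1" ]; then
        rm -rf "$1"
    fi
    if [ ! -e "$1" ]; then
        touch "$1"
    fi
    zoomus_state "$1" >/dev/null
}

# Terminate every listener on the port; TERM first, then KILL as in the post.
kill_zoom_listener() {
    pids=$(zoom_listener_pids) || return 0
    [ -n "$pids" ] || return 0
    for pid in $pids; do
        kill "$pid" 2>/dev/null || kill -9 "$pid"
    done
}

# Stand-alone run: report only, unless ZOOM_FIX=1 is set in the environment.
if [ "${ZOOM_REPORT:-1}" = 1 ]; then
    if pids=$(zoom_listener_pids) && [ -n "$pids" ]; then
        echo "listener on localhost:$ZOOM_PORT, pid(s): $pids"
    else
        echo "no listener on localhost:$ZOOM_PORT"
    fi
    echo "$ZOOMUS is $(zoomus_state "$ZOOMUS")"
    if [ "${ZOOM_FIX:-0}" = 1 ]; then
        kill_zoom_listener
        guard_zoomus "$ZOOMUS"
        echo "$ZOOMUS is now $(zoomus_state "$ZOOMUS")"
    fi
fi
```

Run it once to see the report; run it again with ZOOM_FIX=1 to kill the listener and lay down the guard file. Re-running the report after a reboot is the useful part: if the port is listening again or ~/.zoomus is a directory again, something reinstalled the helper, which is exactly the persistence the summary describes.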
Let them.... (Score:3, Funny)
Yeah...it's real (Score:3)
I just discovered it on my Mac. It was installed for a recent job interview.
Terminated with extreme predictive.
Shit like this pisses me off.
Re: (Score:2)
"Terminated with extreme predictive."
I see you also like to lube degenerates.
Zoom's response (Score:1)
https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
This is a bullshit vuln (Score:4, Insightful)
The risk here is that somebody will trick you into starting a zoom session with you, and you won't notice, despite that the app will pop up when you click on the link, and despite that the camera light will come on.
This is not a zero-day. This is not a root exploit. This is a trojan horse, and not a very effective one—it can't install itself and persist. It is deeply unfortunate that this is being described as a "zero-day exploit." The effect that disclosures like this have is to make us stupider, not smarter.
Re: (Score:1)
I think the bigger news is this little web server that was installed without any documentation that never cleans itself up.
Re: (Score:2)
All it can do though is maybe install a potentially infected Zoom client. But the Zoom client itself does not really have any special permissions.
I agree, I don't see much to be concerned about here...
Re: This is a bullshit vuln (Score:2)
In what sense was it buggy? Every app you run on your Mac that's not sandboxed has the same access. Why is this different?
Re: (Score:2)
I do network security for a living. I quite clearly understand the implications of lots of security problems, including this one. If you think there is something incorrect about what I said, feel free to correct me. If you review, you will find that I actually explained why I think this is bullshit—I didn't just assert it was bullshit, as you seem to be doing here.
Physical security (Score:2)
My webcam has a flap of cardboard over it at all times except when I decide I want to use it. I suppose a trojan could still watch me during the times I uncover it, but the scope for damaging exploits is considerably reduced.
Re: (Score:2)
What the mic(rophone)? :(