Video conferencing app Zoom has a major security flaw in its Mac client, letting any website turn on your Mac's camera without a warning, security researcher Jonathan Leitschuh claims.
In a blog post Monday, Leitschuh detailed the vulnerability, which he says he'd disclosed to Zoom more than 90 days ago, and the company still hasn't fixed it.
The problem lies in Zoom's use of a web server running on users' local machines. That server is what makes some of Zoom's convenience features possible: for example, clicking a link in your web browser automatically starts the app.
Having an app install and run a web server on a user's machine with an undocumented API "feels incredibly sketchy," Leitschuh says. But there's more. According to Leitschuh, "this web server can do far more than just launch a Zoom meeting. (...) this web server can also re-install the Zoom app if a user has uninstalled it."
This is bad by itself, but Leitschuh discovered a vulnerability that let him launch a Zoom call, with video enabled, on a user's machine without permission. The same vulnerability allows an attacker to perform a denial-of-service (DoS) attack on the user's machine.
Leitschuh says he contacted Zoom on March 26, offering the company a quick fix for the vulnerability. After a lot of back and forth, Zoom partially fixed the flaw, but Leitschuh was able to bypass that fix, after which the company offered no additional fix. The security issue is still present in the latest version of Zoom for Mac, 4.4.4.
In a blog post Monday, Zoom defended its app's functionality, claiming that users are prompted to turn their video off when joining their first meeting, and can set the video to off in subsequent meetings; if they do so, it would be impossible for the host or other participants to turn their camera on. Furthermore, Zoom claims, "because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately."
The company said it will give users more control over their video settings in an upcoming July 2019 release.
The company also addresses the presence of the web server on user machines, saying it's a "workaround to a change introduced in Safari 12" and a "legitimate solution to a poor user experience problem."
Zoom has assessed that both the video call issue and the DOS issue were "low risk," which is why the company decided not to change the app's functionality. The company also promised it will launch a public vulnerability disclosure program in the "next several weeks."
The main question users should be asking themselves is whether they want to sacrifice their system's security for a bit of added functionality, likely functionality they can live without. Zoom's ability to re-install itself without user permission after it has been uninstalled is particularly worrisome. Since there is no official fix for the issue, you can remove Zoom's web server from your machine by following the steps described in Leitschuh's post.
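The risk the article describes comes from an application-installed HTTP server listening on the loopback interface, where any web page the user visits can reach it. A quick way for a defender to check whether such a helper is present is to probe the loopback ports an app is known to use. The script below is an added example, not code from the article, from Zoom or from Leitschuh's post; the port 19421 is an assumption based on what was reported for the Zoom Mac helper at the time, and the small demo server it starts is constructed for the example so the probe can be exercised offline.

```python
"""Probe the loopback interface for application-installed web servers.

Added example (not the article's or Zoom's code). DEFAULT_PORTS is an
assumption: 19421 is the port reported for the Zoom Mac helper in 2019;
extend the tuple with ports for other helpers in your own inventory.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: loopback ports worth checking. Adjust for your environment.
DEFAULT_PORTS = (19421,)


def is_loopback_listening(port, timeout=0.2):
    """Return True if something accepts TCP connections on 127.0.0.1:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", port)) == 0


def find_loopback_listeners(ports=DEFAULT_PORTS):
    """Return the subset of ports that currently accept connections."""
    return [p for p in ports if is_loopback_listening(p)]


def fetch_status_line(port, path="/", timeout=0.5):
    """Send a minimal HTTP GET to a loopback port and return the status line.

    This is the same kind of request a browser tab on any site can make to
    localhost, which is why an undocumented local server is an exposure.
    """
    request = f"GET {path} HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n".encode()
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        data = s.recv(1024)
    return data.split(b"\r\n", 1)[0].decode(errors="replace")


# --- constructed demo server standing in for a vendor-installed helper ---
class _DemoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"demo local helper\n")

    def log_message(self, *args):
        # Keep the demo quiet; real helpers usually log nothing either.
        pass


def start_demo_server():
    """Start a loopback HTTP server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, demo_port = start_demo_server()
    print("demo helper listening on 127.0.0.1:%d" % demo_port)
    print("listeners found:", find_loopback_listeners(DEFAULT_PORTS + (demo_port,)))
    print("status line from demo helper:", fetch_status_line(demo_port))
    srv.shutdown()
```

On a real machine, run it without the demo server and treat any port that answers as something to account for: identify the process behind it, confirm the vendor documents it, and follow the vendor's or researcher's removal steps if it is not wanted.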