Shulou(Shulou.com)05/31 Report--
It was reported late last night that the Zoom Mac app was found to have a major vulnerability that basically allowed some websites to hijack computers' webcams. Security researcher Jonathan Leitschuh discovered the zero-day vulnerability, which he first reported to Zoom in March. Leitschuh recently posted details of the vulnerability on his Medium account, describing in detail how it works and how it can harm Zoom users.
In general, when the videoconferencing application Zoom is installed on a Mac, a web server is also installed directly on the computer. According to a report by The Verge, this server actually "accepts a request that a normal browser would not accept." The web server runs as a background process, which makes it possible to force users into Zoom calls with their camera activated, without their permission.
The original Medium post provided a link to demonstrate the vulnerability. Clicking it causes the user to join a conference call with the camera already activated, without the user having directly accepted it.
To make matters worse, because the web server is installed directly on the computer, it remains in place even if the Zoom application is uninstalled. This means the vulnerability is still present even for users who no longer have Zoom installed.
As mentioned above, Leitschuh notified Zoom of the vulnerability as early as March, and the researcher laid out a detailed timeline of events before it was publicly disclosed on Monday night. According to Leitschuh, the fix regressed on 8 July, but he was soon able to find a workaround.
More importantly, Leitschuh said that Zoom does not have an effective automatic update process, which means that many Zoom users in the wild may be running older versions of the software that are still exposed to this vulnerability.
Zoom has now addressed the issue and released an update to resolve it:
A patch for the Zoom app on Apple devices was released on July 9, with details below. You may see a pop-up window in Zoom to update the client, which can be downloaded from zoom.us/download, or open the Zoom application window, click zoom.us in the upper-left corner of the screen, and then click Check for Updates.
The company has a complete blog post on the matter. If you are a Zoom user, it is definitely worth a read. Here is a short excerpt in which the company addresses the concern that a user can be joined to a video conference automatically, with the camera activated, when the Zoom client has not been configured to disable video:
This week, a researcher published an article that drew attention to our video experience. He is worried that if an attacker can induce the target Zoom user to click on a web link to the attacker's Zoom Meeting ID URL, the target user may unknowingly join the attacker's Zoom Meeting. If a user joins the meeting without configuring their Zoom client to disable video, an attacker may be able to view the user's video source. It is worth noting that we have no indication that this has ever happened.
With this in mind, we decided to give users more control over video settings. As part of our upcoming release in July 2019, Zoom will apply and save users' video preferences from the first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn off video when joining a meeting. This change will apply to all client platforms.
Now, if you're curious and want to check for the Zoom vulnerability and learn how to clean it up (and you don't mind using the Terminal application), Glen Maddern's posts on Twitter are a good starting point:
Zoom is considered to be one of the best video conferencing applications and services, but this is a huge flaw. Nonetheless, Zoom may rebound soon, especially if it can upgrade its automatic update mechanism to actually ensure that new patches reach more computers.