
The zoom vulnerability could cause websites to turn on your Mac's webcam without permission



A critical zero-day vulnerability has been reported in the Zoom video conferencing app for the Mac.

Security researcher Jonathan Leitschuh outlined, in an in-depth write-up, the flaws that allow websites to hijack your Mac's camera and "forcefully" connect you to a Zoom call without your permission.

Approximately four million Zoom users are on a Mac.

The vulnerability works as follows. Zoom gives users an easy way to dial into a video conference with a single click, via a link such as https://zoom.us/j/999999999, where '999999999' is a random 9-digit meeting ID that expires once the meeting is over.

This works because the Zoom app keeps running in the background: when you open a meeting link in your browser, the Zoom client on your Mac launches automatically.

Leitschuh noted that this feature was not implemented safely. Not only does clicking a meeting link automatically join the user to a Zoom call with the video camera on, it does so even after the Zoom app has been uninstalled.

This behavior occurs because, when you install the Zoom app, it also installs a web server locally to accept meeting requests. The worrying part is that after the app is uninstalled, the server still exists, and through it Zoom can be reinstalled without your intervention.

Exploiting the vulnerability is straightforward. An attacker would only need to create an invite link through their own account on the Zoom website, embed it in a website or a malicious ad, and mislead the target into visiting that page.
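The part of this that a Mac administrator can actually check for is the lingering local web server: a process listening on the loopback interface after the app bundle that installed it is gone. The shell check below is an added example, not code from the article, from Leitschuh's write-up or from Zoom; the process name, port and application path it uses are placeholders, since the article names none of them.

```shell
#!/usr/bin/env bash
# Added example (not from the article). Reads output in the format of
# `lsof -nP -iTCP -sTCP:LISTEN` on stdin and flags a loopback listener whose
# owning application bundle no longer exists on disk.

# find_loopback_listeners: print "<command> <pid> <address>" for every
# process listening only on the loopback interface (127.0.0.1, ::1, localhost).
find_loopback_listeners() {
    awk 'NR > 1 && $9 ~ /^(127\.0\.0\.1|\[::1\]|localhost):[0-9]+$/ { print $1, $2, $9 }'
}

# flag_orphaned_listener PATTERN APP_PATH
# Succeeds (exit 0) and prints the listener when a loopback listener whose
# command matches PATTERN exists although APP_PATH (the app bundle) does not.
flag_orphaned_listener() {
    local pattern="$1" app_path="$2" found
    found=$(find_loopback_listeners | awk -v p="$pattern" '$1 ~ p')
    if [ -n "$found" ] && [ ! -d "$app_path" ]; then
        printf 'orphaned local server: %s\n' "$found"
        return 0
    fi
    return 1
}

# Constructed sample in lsof's column layout (not captured from a real Mac).
# "helperd" on port 19999 stands in for a leftover local web server.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
helperd   512 alice   5u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:19999 (LISTEN)
sshd       90 root    3u  IPv6 0x3c4d      0t0  TCP *:22 (LISTEN)'

# Offline demonstration on the constructed sample. On a live Mac you would
# pipe real output instead, with the real process name and bundle path:
#   lsof -nP -iTCP -sTCP:LISTEN | flag_orphaned_listener '^helperd' '/Applications/Example.app'
printf '%s\n' "$SAMPLE_LSOF" | flag_orphaned_listener '^helperd' '/nonexistent/Example.app'
```

Process names with spaces will not parse cleanly with the column-based awk filter; for those, match on the PID column instead.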

However, the camera can be kept off by enabling the "Turn off my video when attending a meeting" option.

Leitschuh originally reported the bug on March 26, 2019, but the first actual meeting on how to fix the vulnerability did not take place until June 11, 2019, just 18 days before the 90-day disclosure deadline.

The timeline in Leitschuh's post shows that Zoom resolved the vulnerability on June 21. However, a regression earlier this month caused the bug to reappear, and Zoom was again prompted to fix the problem yesterday.

"In the end, Zoom's patch for this vulnerability only prevented the attacker from turning on the user's video camera. It did not disable the ability of an attacker to forcibly join anyone visiting a malicious website to a call," Leitschuh wrote.

The idea that any website you visit from a Mac can activate your video camera through an unauthorized Zoom call is alarming. Zoom has replied that "Video by default does not appear as a security hole" and that users can configure their own video settings.

Zoom also indicated that the local web server was developed as a workaround for a change in Apple's Safari browser that prompted Zoom users to confirm, every time they clicked a meeting link, that they wanted to launch the app:

"The local web server automatically accepts peripheral access for the user, so that they can avoid this extra click before joining a meeting."