Arlen G. Holder (07-09-19, 06:05 AM)
Yet more proof, if any is needed, that privacy is "about the same" for all
the common consumer compute platforms - simply due to a lack of testing on
the part of the app makers themselves, in this case...

A vulnerability in the Mac Zoom Client allows any malicious website to
enable your camera without your permission. The flaw potentially exposes up
to 750,000 companies around the world that use Zoom to conduct day-to-day
business.

Serious Zoom security flaw could let websites hijack Mac cameras
<https://medium.com//zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5>

Not only does this vulnerability allow any website to forcibly join a user
to a Zoom call, with their video camera activated, without the user's
permission, but this vulnerability also would have allowed any webpage to
DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid
call.
<https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras>

But, it gets even worse than that!

Additionally, if you've ever installed the Zoom client and then uninstalled
it, you still have a localhost web server on your machine that will happily
re-install the Zoom client for you, without requiring any user interaction
on your behalf besides visiting a webpage. This re-install 'feature'
continues to work to this day.

Arlen G. Holder (07-11-19, 06:27 AM)
Apple is silently removing Zoom's web server software from Macs
<https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability>

Although Zoom itself issued an emergency patch yesterday to remove that web
server, apparently Apple is concerned that enough users won't update or are
unaware of the controversy in the first place that it's issuing its own
patch.