Zoom’s exposed
It has been discovered that the Zoom conferencing app contains a vulnerability which allows someone to take over your computer’s camera. This vulnerability is so bad it even remains after you have uninstalled the Zoom app.
So, in short, the malicious vulnerability gives permission to any website to join a user to a “Zoom call”, with their video camera activated without the user’s permission.
If you have ever installed the Zoom client and then tried uninstalling it, you probably still have a localhost web server on your machine, which allows you at any point to re-install the Zoom client. This re-install can occur without any user interaction on your behalf, well besides visiting a webpage. The re-install ‘feature’ tied into Zoom still works to this day.
Apparently…the folks over at Zoom didn’t take the issue seriously.
This vulnerability was first discovered and disclosed on March 26, 2019. The very first report included a proposed description of a ‘quick fix’ Zoom that could be implemented by simply changing the server’s logic. Zoom took roughly, around 10 days to confirm the vulnerability.
This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. Zoom made a meeting about the vulnerability and a patch would occur on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline.
All is well in Zoom land
Now it is known that Zoom has implemented the ‘quick fix’ solution originally suggested. So, Zoom is taking this seriously and fixing the issue.
If you have ever installed the Zoom client and then tried uninstalling it, you probably still have a localhost web server on your machine, which allows you at any point to re-install the Zoom client. This re-install can occur without any user interaction on your behalf, well besides visiting a webpage. The re-install ‘feature’ tied into Zoom still works to this day.