Sunday, May 29, 2022

Macs vulnerable to ‘bananas’ Zoom video flaw

Hackers could access cameras on millions of Apple Macs thanks to a vulnerability in Zoom’s video-conferencing software, a security researcher has found. Jonathan Leitschuh uncovered a way to force almost any Mac that has Zoom’s app installed to join a video call. One tech veteran who found he was at risk called the flaw “bananas”. Zoom disagreed about the severity of the issue but has updated its software so it is harder to abuse.

Bug handling

Mr Leitschuh said the problem arose because of the way Zoom sets up meetings and video-conferences. Generally, he said, this involves an organizer sending a web link to other people that they simply click on to join the meeting.

To make joining meetings easier, the Zoom Mac software puts a web server on every machine it is installed on. This handles the tricky job of interpreting the clicked link and connecting all the different machines together. Not all Macs were vulnerable, said the researcher. Only those users who did not change a setting that turned off video when they joined a meeting were at risk, he said. Hackers could exploit the flaw by putting booby-trapped code on websites that connected to the hidden web server when victims clicked on them.

“This Zoom vulnerability is bananas,” wrote blogging pioneer Matt Haughey on Twitter. He said he clicked one of the proof-of-concept links Mr Leitschuh supplied and connected to three other people “freaking out about it in real time”. Mr Leitschuh discovered that the web server is standalone software that persists on Macs even if the main Zoom software is removed. In his blog, he provided instructions on how to manually uninstall the server.
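A leftover local web server of the kind described above shows up as a process listening on a loopback-only TCP port. The shell check below is an added example, not taken from the article or from Mr Leitschuh's blog: it filters `lsof` output for such listeners and reports any that are not on an allowlist. The process names, PIDs and ports in the sample are constructed, since the article does not name the real ones.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND       PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ExampleSync   412 alice 4u  IPv4 0xa1   0t0      TCP  *:49152 (LISTEN)
postgres      608 alice 7u  IPv6 0xa2   0t0      TCP  [::1]:5432 (LISTEN)
postgres      608 alice 8u  IPv4 0xa3   0t0      TCP  127.0.0.1:5432 (LISTEN)
ExampleHelper 733 alice 5u  IPv4 0xa4   0t0      TCP  127.0.0.1:8080 (LISTEN)
EOF
}

# Read lsof output on stdin; print "command pid port" for every listener
# bound only to a loopback address (reachable from local browsers, not the LAN).
loopback_listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" {
         addr = $(NF-1)
         port = addr; sub(/.*:/, "", port)            # text after the last colon
         host = substr(addr, 1, length(addr) - length(port) - 1)
         if (host == "127.0.0.1" || host == "[::1]" || host == "localhost")
           print $1, $2, port
       }'
}

# Same input; keep only listeners whose command name is NOT in the
# space-separated allowlist passed as $1.
unexpected_listeners() {
  allow=" $1 "
  loopback_listeners | while read -r cmd pid port; do
    case "$allow" in
      *" $cmd "*) ;;                                   # expected, skip
      *) echo "$cmd $pid $port" ;;
    esac
  done
}

# Demo on the constructed sample; "postgres" is the only expected listener.
sample_lsof | unexpected_listeners "postgres"
```

On a real Mac, replace `sample_lsof` with `lsof -nP -iTCP -sTCP:LISTEN` and review any listener that belongs to software you thought you had removed.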

The problem does not occur on Windows machines because they handle Zoom meeting links in a different way. In his blog, the security researcher said he first contacted Zoom about the problem in late March warning it that he planned to go public with the information in 90 days. A series of discussions with Zoom’s security team followed, he added, which led the company to propose what Mr Leitschuh described as a “quick fix”.

Zoom disputed this version of events and said it had engaged with Mr Leitschuh within “minutes” of being told about the flaw. It said it would be “readily apparent” that anyone had fallen victim because the Zoom video application is programmed to be the foremost window on a user’s screen. It added that it had “no indication” that any of its millions of users had fallen victim in this way and said it disagreed with Mr Leitschuh about the “severity” of the issue. An update to Zoom has been rolled out that changes the way links for meetings are set up and that ensures video is turned off as a default, it said. Zoom also planned to set up a public bug bounty programme that will pay researchers for finding flaws. Currently, Zoom runs an invitation-only bug hunting scheme.

1 COMMENT

  1. This design is wicked! You certainly know how to keep a
    reader amused. Between your wit and your videos, I was almost moved to
    start my own blog (well, almost…HaHa!) Great job.
    I really loved what you had to say, and more than that, how you presented
    it. Too cool!
