Remove Zoom From Your Mac Right Now [lifehacker.com]
Serious Zoom security flaw could let websites hijack Mac cameras [www.theverge.com]
Flaw in Zoom's Mac client allows websites to turn on user cameras without permission [appleinsider.com]
How to secure your Zoom conference line from hackers [www.techrepublic.com]
Zoom camera flaw could leave Macs vulnerable, researcher says [www.usatoday.com]
Response to Video-On Concern [blog.zoom.us]
Anyone for unintended ChatRoulette? Zoom installs hidden Mac web server to allow auto-join video conferencing [www.theregister.co.uk]
Vulnerability in Zoom could allow websites to hijack Mac webcams [www.siliconrepublic.com]
A Zoom Flaw Gives Hackers Easy Access to Your Webcam [www.wired.com]
Zoom leaves Apple Mac users' webcams vulnerable to being hijacked [www.businessinsider.com]
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! [medium.com]
Serious Zoom security flaw could let websites hijack Mac cameras https://t.co/PmVsQupViY pic.twitter.com/YYMoKteyuu
— The Verge (@verge) July 9, 2019
“the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom that web server persists and can reinstall Zoom without your intervention.” https://t.co/sjKQJlsZpA
— Chris Wysopal (@WeldPond) July 9, 2019
Sometimes “easy” and “free” can be really expensive – it could come at the cost of giving up your confidential information. https://t.co/7XlMOLQgWP #cybersecurity #privacy pic.twitter.com/TH7vTzFrqQ
— Wickr (@myWickr) July 9, 2019
If you're a Zoom user and have a Mac, be careful! ⚠️ https://t.co/nVymLhAfCg pic.twitter.com/cDJ0gI3FLC
— Afrihost (@Afrihost) July 9, 2019
Serious Zoom security flaw could let websites hijack Mac cameras - The Verge https://t.co/z4okmtKn48
— RR Apple (@RRalstonAgile) July 9, 2019
You still think it's silly to put tape on top of a webcam?
"Serious Zoom security flaw could let websites hijack Mac cameras" https://t.co/EaHUz5JVoh #privacy #zoom pic.twitter.com/ajNFaC4hHw
— F-Secure FREEDOME VPN (@FreedomeVPN) July 9, 2019
To all my friends and colleagues using @zoom_us on a Mac (I know that’s a lot of you), be sure to read this security notice and update your settings. https://t.co/z5KDaYji6b H/T @rabble
— Eugene Eric Kim (@eekim) July 9, 2019
Don’t think of this as a vulnerability in Zoom. Think of it as a commercial implementation of chat roulette : Serious Zoom security flaw could let websites hijack Mac cameras https://t.co/tgiSccnoGE
— Rich Mogull (@rmogull) July 9, 2019
Serious Zoom security flaw could let websites hijack Mac cameras cc @Mr_ALNCo #TMSouthWales #edtech #elearning https://t.co/K1pArvTXBY
— ✨ Mark Anderson ✨ (@ICTEvangelist) July 9, 2019
What the fuck https://t.co/Cz6RI5gpQl
— Erin Gallagher (@3r1nG) July 9, 2019
If you have a Mac and have *ever* installed @zoom_us videoconferencing apps on it, make sure you read through and remove it. They allow anyone to just connect to your webcam. And are calling it a feature. Holy fuck. https://t.co/smLsBzgKJr
— Anže Vodovnik (@Avodovnik) July 9, 2019
Overnight (for me, anyway), Zoom published a blog post response. Notable that Zoom says "We are not alone among video conferencing providers in implementing this solution." WRT the web server on your Mac thing. https://t.co/m53OVTXw1l
— Dieter Bohn (@backlon) July 9, 2019
You really need to stop using Zoom (and uninstall it) right now. They literally don’t know what they’re doing. Completely PR-talk response without any real solution to severe security vulnerability (including taking video and audio of you and crashing your computer). https://t.co/2Riy3pmSOq
— Thomas Fuchs (@thomasfuchs) July 9, 2019
This week, a researcher published an article raising a number of concerns about our video experience. We've published our response on our blog here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
Wait, so @zoom_us created a local web server with a new attack surface on Macs to get around a security feature introduced in Safari that prevented apps with custom URL schemes from being auto-launched behind the user’s back?! https://t.co/4WJdr8CzGW
— Rosyna Keller (@rosyna) July 9, 2019
If you have ever installed Zoom on your Mac (even if you later uninstalled it) there is a localhost web server running on your machine to make reinstallation easier. But there are some problems with how it is done.
You might want to read this.
https://t.co/Z4FSB5zWI1
— Ray[REDACTED] (@RayRedacted) July 8, 2019
Seriously if you have ever used Zoom on your Mac, even _if you uninstalled_ it, anyone can connect to your camera without you being prompted.
Zoom didn't patch this even with 90-day heads-up time given by the security researcher.
See the article for mitigation. https://t.co/6enThMYqVM
— Thomas Fuchs (@thomasfuchs) July 9, 2019
Surprised Apple hasn’t flipped an XProtect kill-switch to disable Zoom’s daemons remotely. I don’t think that would be an overreach, faced with a story like this?
— Steve Troughton-Smith (@stroughtonsmith) July 9, 2019
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. (Why is it that all the video conferencing software is so creepy? Skype started the tradition.) https://t.co/4oJ3CF4tTt
— Frank Rieger (@frank_rieger) July 9, 2019
This is a tone deaf response to a security concern. Never, ever, say you expanded attack surface to "fix" a UI issue. https://t.co/HXYJMHyTha pic.twitter.com/gBJhNFBF0Q
— Jake Williams (@MalwareJake) July 9, 2019
In the meantime, $ZM stock is currently down <1% and still trading 5% higher than its July 3rd close. https://t.co/DyZpmHgRPV
— J-Strizzle (@jstrauss) July 9, 2019
Disasters like Zoom are why the Mac gets progressively more locked-down, and why commandline tools and daemons can’t be exempt from signing & security. By default, we should trust no software, and neither should the hardware it runs on https://t.co/OmYhPvFanR
— Steve Troughton-Smith (@stroughtonsmith) July 9, 2019
Allowing users to set their video to on by default by joining is a product choice I don't agree with, but understand. Allowing administrators to make that choice for users is a product choice that is wrong IMO. https://t.co/m53OVTXw1l pic.twitter.com/2R9vTVnJFw
— Dieter Bohn (@backlon) July 9, 2019
This is my #ZeroDay #PublicDisclosure of a security vulnerability impacting 4+ Million of @zoom_us's users who have the Zoom Client installed on Mac.
Zoom had 90-days + two weeks to resolve this #vulnerability and failed to do so. https://t.co/hvsoS79bos
— Jonathan Leitschuh (@JLLeitschuh) July 8, 2019
Bold prediction: so far, we have uncovered roughly 40% of the mess video conferencing is security-wise https://t.co/8zRrZ6AjVL
— Natalie Silvanovich (@natashenka) July 9, 2019
Don’t *ever* let your marketing department publish a technical response. https://t.co/Ruo8a3e7OX
— Joe Ferguson (@JoePFerguson) July 9, 2019
wrt the "simple Zoom feature where you can just send anyone a meeting link...I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely. Come to find out, it really hadn’t been implemented securely." https://t.co/TO3MkygJXJ
— adriennefriend (@adriennefriend) July 9, 2019
The flipside to responsible disclosure: failure to patch a critical vulnerability in 90 days makes a software vendor irresponsible and it's a good thing for their irresponsibility to become public knowledge sooner than later https://t.co/9i2ZU5XZp1
— Tony "ABOLISH ICE" Arcieri (@bascule) July 8, 2019
Here is Zoom's official response. It's yet another case of "Users want the convenience so it's not a problem". This is a poor response. This kind of stuff is enabled because users aren't informed about what they're being opted into. https://t.co/FZ2F6A0yv0
— Marco Rogers (@polotek) July 9, 2019
I don’t see how this is relevant and I don’t understand why Zoom mentions this in their statement. https://t.co/Svf1d9YSNh pic.twitter.com/H8XiAruwwO
— @mikko (@mikko) July 9, 2019
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
Flaw in Zoom's Mac client allows websites to turn on user cameras without permission https://t.co/SPm1TYJail pic.twitter.com/MNj3X2lDvZ
— Dave Michels (@DaveMichels) July 9, 2019
We have updated our security related blog post to include details on a scheduled software patch which will be made available tonight (July 9) at or before 12:00 AM PT. For more information on the upcoming changes, pls read: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
Zoom just updated their blog post again to say they're removing their local web server entirely. https://t.co/3ApfAmA1Gs https://t.co/liNhpgqjiX
— Jason Snell (@jsnell) July 9, 2019
Zoom had a cascading failure of product decisions, security bypasses, and then a terrible hand-waving blog post—which has been updated several times, and they’re finally doing the right thing. https://t.co/PROJzhOYux
— Glenn Fleishman (@GlennF) July 9, 2019
Zoom has reversed course. It will update its Mac app to remove the local webserver.
It's the right move -- and I will be very curious to see what other companies running webservers on Macs to support their apps will do. https://t.co/m53OVUf6ST
— Dieter Bohn (@backlon) July 9, 2019
We wanted to share a couple updates from team Zoom - an upcoming update this week to our local web server and clarifying user controls over video. Please stay tuned at our blog here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
The @zoom_us videoconferencing team has pulled an about-face. It'll now remove the web server it installed on Macs to bypass browser security. Zoom's uninstall process also will now remove the web server, not leave it behind. https://t.co/QxGJfXkD2j
— Stephen Shankland (@stshank) July 9, 2019
https://t.co/WDhviA9Ys6
>We are not alone among video conferencing providers in implementing this solution.
Time to check the other video conferencing apps
— ClearIce (@ClearIceSec) July 9, 2019
security researcher: your app has a serious flaw that makes >4 million users vulnerable to malicious scripts accessing their camera
zoom: it be like that sometimes
https://t.co/N6a5LzE9YE
— big wife energy (@AlisonBuki) July 9, 2019
What an amazingly misleading response from @zoom_us to the situation. https://t.co/cZsXloT5lr
I'm not touching their software again. Their initial architectural decisions were terrible, their response to the report was terrible, their response after the fact is terrible.
— Perry E. Metzger (@perrymetzger) July 9, 2019
The Zoom stuff feels a bit overblown. Here's the vendor response. https://t.co/JJCoUHxhOC
— Kevin Beaumont (@GossiTheDog) July 9, 2019
Hello Matt, it looks like the researcher created a meeting without any access controls. We published our official response to this on our blog here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
By far the most ~disastrous response I've seen to a security issue
"We are not alone ... in implementing this"
"Zoom decided not to change the application ..."
Also an unusual NDA that doesn't allow disclosure even after it's patched (if ever) https://t.co/1OEi7QlzoZ
— Abhishek Das (@abhshkdz) July 9, 2019
Serious Zoom security flaw could let websites hijack Mac cameras https://t.co/EOboiatG3W via @Verge
— Rey Bango (@reybango) July 9, 2019
A Zoom Flaw Gives Hackers Easy Access to Your Webcam https://t.co/BDW1z6Nw71
— Christine Pompa (@christine_pompa) July 9, 2019
So not good.
If you have used the zoom app on a mac, it installed a persistent web server on your machine. Even if you delete their application, this web server persists and stays running. Not a normal app, it's in a hidden directory (.zoomus). 1/2 https://t.co/vZcf0Z6gup
— ((( ted_dunning ))) (@ted_dunning) July 9, 2019
A Zoom Flaw Gives Hackers Easy Access to Your Webcam https://t.co/psIsW4Iv9q #Security #SecurityCyberattacksandHacks pic.twitter.com/49ykV6MP7B
— Igor Os (@igor_os777) July 9, 2019
This saga shows a tech company that doesn't care one bit about security https://t.co/Pc7VVxH2Xp
— Stephen Judkins (@stephenjudkins) July 9, 2019
Oh lordy, this is a bad one.
How many Mac users do you know even realize MacOS *has* a command line, much less how to access it?
I'd generously put it at one in four. https://t.co/MY0iQRU96M
— The Nash is coming from inside the house (@Nash076) July 10, 2019
Remove Zoom From Your Mac Right Now @MLE_Online @glowascii https://t.co/JHwvQFdsS3 via @lifehacker
— Dean Segovis (@HackAWeek) July 9, 2019
Vulnerability in the Mac Zoom client allows malicious websites to turn your camera on without your permission, uninstalling Zoom doesn't help with the problem either, but you can take the appropriate security steps necessary outlined here: https://t.co/DSq9CVGbk3 #ZeroDay
— DEBORAH ZHANG she/her (@itsdeborahzhang) July 9, 2019
Remove Zoom From Your Mac Right Now #digcit https://t.co/qZ0ZXpbaEs
— Kyle Calderwood (@kcalderw) July 9, 2019
Serious Zoom security flaw could let websites hijack Mac cameras #CyberSecurity #hacking #Pentesting #vulnerability #cyberattacks #IoTSecurity #hackers #malware #ransomware #Apple #Mac https://t.co/su5a0YdWkR via @Verge
— Reinard Mortlock (@MortlockReinard) July 9, 2019
For #Mac users there is serious security issue if you have ever installed #Zoom conferencing software. Even if you have uninstalled it later or try to uninstall it now. Zoom installs a web server which stays there. Insanely stupid and dangerous design. https://t.co/5CSP3SQBHC
— Harri Hursti (@HarriHursti) July 9, 2019
Serious Zoom security flaw could let websites hijack Mac cameras #CyberSecurity #hacking #Pentesting #vulnerability #cyberattacks #IoTSecurity #hackers #malware #ransomware #Apple #Mac https://t.co/su5a0YdWkR via @Verge
— Reinard Mortlock (@MortlockReinard) July 10, 2019
Scary Zoom camera vulnerability reported on Macs @TheVerge! At least one Zoom-based summer class (mine) begins 7/15/19, others possibly ongoing: https://t.co/dnf6ICwtnt @katiekraemer512 @Yaasmeenaaa @ESUniversity @StroudCourier @EastStroudsburg @drdwells @PoconoCameron @zoom_us
— Bill Broun (@Broun) July 9, 2019
A Zero Day vulnerability allows any website to open up a video-enabled call on a Mac with the Zoom app installed. Here's how to patch it. https://t.co/CcyRPEYjGq via @InfoSecHotSpot pic.twitter.com/NXVwdlKHYq
— Sean Harris (@InfoSecHotSpot) July 10, 2019
[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
Vulnerability in the Mac Zoom client allows malicious websites to enable camera https://t.co/7oxZklI008 Zoom’s response to this is really bad https://t.co/9NbVD9mjFV
— The Best Linux Blog In the Unixverse (@nixcraft) July 10, 2019
Kudos to Zoom for listening to the feedback on the ill-advised nature of running an incognito web server just to ease launch links. It took a bit, but better late than never https://t.co/zqz5jJMsgH
— DHH (@dhh) July 10, 2019
Sorry @zoom_us, this announcement is a day late and a dollar short. https://t.co/kiUQEB2uwL I deleted everything yesterday, will not be returning. Take security seriously or lose your customers and your company. ht @andy_sellars
— Carl Malamud (@carlmalamud) July 10, 2019
From Zoom: "But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service." https://t.co/Z4lNK1eiAe
— Brian Lesser (@bdlesser) July 10, 2019
This is amongst the worst non-apology apologies I've ever seen, @zoom_us.
You installed a web server to get around a feature that Apple added to prevent the very thing that a researcher has determined your web server allows.
That's insanely stupid. https://t.co/Ck0CGvcpz8 pic.twitter.com/AqYexcymf8
— Rob Griffiths (@rgriff) July 9, 2019
Now why would Safari add that useless extra click? https://t.co/LuwCY2ybfk pic.twitter.com/YqfwrNJM5F
— Johann Hofmann (@johannh) July 9, 2019
Update! Zoom have released a patch that disables the auto-join feature and removes the secret web server. Great going for only 24 hours of internet-wide roasting: https://t.co/FpswrRFgMJ
— Laurie Voss (@seldo) July 10, 2019
Zoom's response(s), in which it seems to take them till the third update to realise that their hair is on fire: https://t.co/QnvtrK0YiH Read, if you've ever installed Zoom on your Mac, even if you later uninstalled it. #zoomageddon https://t.co/Alob9348pq
— Samuel Wade (@samuel_wade) July 10, 2019
the zoom bug is just a really classic example of a company choosing convenience over security/privacy https://t.co/u9kcdAEu82
— Lily Hay Newman (@lilyhnewman) July 9, 2019
More than that #BadHairDay to worry about, whoops... https://t.co/mpm2WMBkHk #zoom #privacy
— Dorian Johannink (@dorianjohannink) July 10, 2019
Oops... Time to bring back the #webcam sticker!? Our mates at @centralityai might be able to hook you up #Zoom users > https://t.co/oegW8yCAzB #Hacked #tech @aaronmcdnz pic.twitter.com/YRsey1hKVi
— Sylo (@sylo) July 10, 2019
If you EVER installed Zoom, even if you removed the app, ANYBODY could forcibly start a call, enabling your webcam and listening in.
Another case for #selfhosting - yes, if you remove #nextcloud Talk from your server, it won't zombie back. Stay in control! https://t.co/8fMPLbYGOk
— Nextcloud ☁️ (@Nextclouders) July 10, 2019
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission : https://t.co/C5RJYKENJt (fixed*)
Zoom fixes major Mac webcam security flaw with emergency patch : https://t.co/TOVWEtbYl1
— Binni Shah (@binitamshah) July 10, 2019
#Zoom Zero Day: 4+ Million #Webcams & maybe an RCE? Just get them to visit your website!. #Birmingham #SmallBusiness #BrumHour #Malware #RansomWare #Phishing #CryptoMining #Virus #Trojan #Security #IdentityTheft #Privacy #smallbizbritain2019 https://t.co/jEyPtJtILp
— John Quinlan (@speeednet) July 10, 2019
But it's not a hard one to figure out, and with all the attention this latest thing has received, others WILL find the RCE. Only way to protect yourself is to MANUALLY remove the localhost listener as per the auto-join bug post. https://t.co/tl5RIAB3KM
— Patrick Gray (@riskybusiness) July 10, 2019
Twitter: why did @JLLeitschuh's public disclosure of the Zoom vulnerability have nearly zero impact on its stock price?
Are shareholders completely out the loop -- how did this not impact its valuation? (wtf capitalism) https://t.co/mcOa2WoN0z pic.twitter.com/XaCfqjTX7G
— Andy Coravos (@AndreaCoravos) July 9, 2019