The code could be used in a malicious ad or in a phishing campaign, he wrote.
User in Complete Control
Zoom contradicted some of Leitschuh's conclusions in a Monday post by Chief Information Officer Richard Farley, including the contention that a meeting host could turn on a participant's video by default. Hosts or participants cannot override a user's audio and video settings, Farley wrote. That includes turning a camera on or off.
It would be difficult for rogue users to hide their participation in a meeting, Farley maintained. "Because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately," he wrote.
Zoom had not seen a single instance of the Leitschuh vulnerability being exploited in the wild, wrote Farley.
Nevertheless, in the next Zoom upgrade, users will be able to apply settings they used for their first Zoom session to all future sessions automatically, he noted.
Target on Zoom's Back
Leitschuh also found that the vulnerability he discovered could be used to launch a denial-of-service attack on an individual machine. It would enable the sending of repeated meeting requests to a Mac, which eventually would lock it up.
"We have no indication that this ever happened," Farley wrote.
However, he acknowledged that the company had released a fix for the problem in May. Zoom did not force its users to update, he said, because it was empirically a low-risk vulnerability.
Leitschuh was critical of Zoom's installation of Web server code to enable its client to update and install new versions of itself. That code remains on a machine even if Zoom is uninstalled from a computer. "Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," he wrote.
Leitschuh isn't alone in his criticism of Zoom. "Leaving a server running even after uninstallation is unacceptable," said Martin Hron, a security researcher at Avast, headquartered in Prague, the Czech Republic. Avast makes security software, including antivirus programs for the Mac.
Working Around Poor UX
The Web server with limited functionality was a workaround to accommodate changes made in Safari 12, Farley explained. Those changes required users to confirm they wanted to launch the Zoom client every time they joined a meeting. The local Web server allows users to join meetings directly without going through that step.
"We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings," Farley wrote.
"We are not alone among video-conferencing providers in implementing this solution," he added.
There is no easy way to remove both the Zoom client and Web server app on a Mac once the Zoom client is launched, Farley acknowledged, but he added that a new app to uninstall both files is expected by this weekend. Until that time, users should deactivate the setting that turns on the camera upon joining a meeting, as well as disallow a browser from automatically opening the Zoom app for Zoom links, Avast's Hron told TechNewsWorld.
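The design problem the article describes is a localhost helper that acts on any HTTP GET a web page can cause the browser to send. The following is an added illustration, not Zoom's code and not from the article: a weak gate that mirrors the criticised behaviour next to a hardened gate that requires a per-install secret the page cannot know (assumed to have been handed to the legitimate web app over a trusted channel), an allowed Origin, and a per-origin rate limit so repeated join requests are refused rather than actioned. The origin, header names, paths and secret are constructed for the example.

```python
"""Added example: request gate for a localhost helper server (not Zoom's code).
weak_gate() mirrors the criticised behaviour: any GET on the launch path from any
web page launches the native client. HardenedGate adds secret, origin and rate
checks. All names, paths and sample values below are constructed."""
import hmac
import time
from collections import deque

INSTALL_SECRET = "constructed-per-install-secret"    # constructed sample value
ALLOWED_ORIGINS = {"https://meetings.example.test"}   # hypothetical web app origin
MAX_REQUESTS = 3          # launches allowed per origin within WINDOW_SECONDS
WINDOW_SECONDS = 10.0

def parse_request(raw):
    """Parse the request line and headers of a raw HTTP/1.1 request string."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def weak_gate(request):
    """The behaviour the article criticises: any GET on the launch path launches."""
    return request["method"] == "GET" and request["path"].startswith("/launch")

class HardenedGate:
    def __init__(self, secret=INSTALL_SECRET, clock=time.monotonic):
        self._secret = secret
        self._clock = clock            # injectable for deterministic tests
        self._history = {}             # origin -> deque of recent request times

    def decide(self, request):
        """Return (allowed, reason); only an authenticated, in-quota request launches."""
        if not request["path"].startswith("/launch"):
            return False, "path"
        origin = request["headers"].get("origin", "")
        if origin not in ALLOWED_ORIGINS:     # a missing Origin header fails here too
            return False, "origin"
        token = request["headers"].get("x-install-token", "")
        if not hmac.compare_digest(token, self._secret):
            return False, "token"
        now = self._clock()
        recent = self._history.setdefault(origin, deque())
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()               # forget requests outside the window
        if len(recent) >= MAX_REQUESTS:
            return False, "rate"
        recent.append(now)
        return True, "ok"
```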
The vulnerability could be bad news for Mac users of Zoom, who number more than 4 million, according to Leitschuh. "Even though most Zoom users are in the enterprise, they are still consumers, and this vulnerability could result in a privacy nightmare if their work computers are used at home or for personal reasons," Hron said.
"Any website can turn on the Zoom client with the video feed enabled, which essentially could turn a casual browsing session into a serious invasion of privacy in the home," he explained.
Having your camera and audio enabled on your Mac without your knowledge can create a number of scenarios with bad outcomes, suggested Greg Young, vice president for Cybersecurity at Trend Micro, a cybersecurity solutions provider headquartered in Tokyo.
"One of those outcomes could be the use of the captured video or screenshots for blackmail," he told TechNewsWorld. "Another is when entering credit card information online, we all hold the card up in front of us in view of the camera, and usually flip it over at least once," Young said. Businesses should be worried too, noted Adam Kujawa, lab director at Malwarebytes, a Santa Clara, California-based maker of antimalware software for Microsoft Windows, macOS, Android and iOS.
"If anything said and shown on the camera can be spied on, that can be mighty dangerous for a company with a lot of IP to hide," he told TechNewsWorld.
Hard to Weaponize, Easy to Exploit
The flaw would be difficult for cybercriminals to weaponize in any effective form, Kujawa said, but the ease of exploitation would invite mischief.
"Just send out a convincing email with a link that points to a localhost server and wait for users to click," he observed, "or share it on social media."
It is standard industry practice to give a software maker 90 days to fix flaws found by bug hunters before they are disclosed.
"Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard," Leitschuh wrote. "The four-plus million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service."