Zoom Flaw Turns Mac Cam into Spy Cam

A security researcher has found a flaw in the popular video conferencing app Zoom that could be used to turn on the camera on a Macintosh computer without a user's permission.

The vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission, explained Jonathan Leitschuh in a post published Monday on Medium. Leitschuh is a senior software engineer at Gradle, an open source software project based in San Francisco.

His article demonstrates how to embed code into a website so that any Zoom users who land there will be connected instantly to a Zoom meeting with their video cameras running.

The code could be used in a malicious ad or in a phishing campaign, he wrote.

User in Complete Control

Zoom contradicted some of Leitschuh's conclusions in a Monday post by Chief Information Officer Richard Farley, including the contention that a meeting host could turn on a participant's video by default. Hosts or participants cannot override a user's audio and video settings, Farley wrote. That includes turning a camera on or off.

It would be difficult for rogue users to hide their participation in a meeting, Farley maintained.

"Because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately," he wrote.

Zoom had not seen a single instance of the Leitschuh vulnerability being exploited in the wild, wrote Farley.

Nevertheless, in the next Zoom upgrade, users will be able to apply settings they used for their first Zoom session to all future sessions automatically, he noted.

Target on Zoom's Back

Leitschuh also found that the vulnerability he discovered could be used to launch a denial-of-service attack on an individual machine. It would enable the sending of repeated meeting requests to a Mac, which eventually would lock it up.

"We have no indication that this ever happened," Farley wrote.

However, he acknowledged that the company released a fix for the problem in May, though Zoom did not force its users to update because it was empirically a low-risk vulnerability.

Leitschuh was critical of Zoom's installation of Web server code to enable its client to update and install new versions of itself. That code remains on a machine even if Zoom is uninstalled from a computer.

"Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," he wrote.

Leitschuh isn't alone in his criticism of Zoom.

"Leaving a server running even after uninstallation is unacceptable," said Martin Hron, a security researcher at Avast, headquartered in Prague, the Czech Republic. Avast makes security software, including antivirus programs for the Mac.

Working Around Poor UX

The Web server with limited functionality was a workaround to accommodate changes made in Safari 12, Farley explained. Those changes required users to confirm they wanted to launch the Zoom client every time they joined a meeting. The local Web server allows users to join meetings directly without going through that step.

"We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings," Farley wrote.

"We are not alone among video-conferencing providers in implementing this solution," he added.

There is no easy way to remove both the Zoom client and Web server app on a Mac once the Zoom client is launched, Farley acknowledged, but he added that a new app to uninstall both files is expected by this weekend.
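One way an administrator could check a Mac for such a leftover local listener, as an added example that is not code from the article or from Zoom: it parses the output of `lsof -iTCP -sTCP:LISTEN -n -P` (a real lsof invocation) and reports every process that is serving only on a loopback address, which is exactly what a page loaded in a local browser can reach. The sample lsof output, the process name `ZoomHelper` and the port numbers in it are constructed placeholders for the example, not Zoom's actual daemon name or port.

```python
"""Audit loopback-bound TCP listeners on a host from lsof output.

Added example, not from the article or from Zoom. Parses lines produced by
`lsof -iTCP -sTCP:LISTEN -n -P` and flags processes listening only on a
loopback address. The embedded sample output is constructed; the helper
name and ports it contains are placeholders, not real Zoom identifiers.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

LSOF_CMD = ["lsof", "-iTCP", "-sTCP:LISTEN", "-n", "-P"]

# Addresses reachable only from the machine itself.
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

# Constructed sample of lsof output (column widths vary on real systems).
# "ZoomHelper" and port 19999 are placeholders, not Zoom's daemon or port.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1  root   10u  IPv6 0x1234      0t0  TCP *:22 (LISTEN)
ZoomHelper 4242 alice    6u  IPv4 0x5678      0t0  TCP 127.0.0.1:19999 (LISTEN)
node       5150 alice   22u  IPv4 0x9abc      0t0  TCP 127.0.0.1:3000 (LISTEN)
python3     777 alice    3u  IPv6 0xdef0      0t0  TCP [::1]:8080 (LISTEN)
"""

# One lsof line for a listening TCP socket; the NAME column ends in
# "<addr>:<port> (LISTEN)". The header line has no numeric PID and is skipped.
_LISTEN_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    addr: str
    port: int

    @property
    def loopback_only(self) -> bool:
        # Bound to loopback: invisible to the network, but reachable by any
        # web page rendered in a browser on this host.
        return self.addr in LOOPBACK or self.addr.startswith("127.")


def parse_lsof(text: str) -> list[Listener]:
    """Turn lsof output into Listener records, skipping header/unparseable lines."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append(Listener(m["command"], int(m["pid"]), m["user"],
                                  m["addr"], int(m["port"])))
    return found


def loopback_listeners(listeners: list[Listener]) -> list[Listener]:
    """Keep only the listeners bound to a loopback address."""
    return [lsn for lsn in listeners if lsn.loopback_only]


def report(text: str) -> list[str]:
    """Human-readable lines for every loopback-only listener in lsof output."""
    return [f"{lsn.command} (pid {lsn.pid}, user {lsn.user}) listens on {lsn.addr}:{lsn.port}"
            for lsn in loopback_listeners(parse_lsof(text))]


def run_lsof() -> str:
    """Run lsof on the current host; returns its stdout (empty if lsof is absent)."""
    try:
        return subprocess.run(LSOF_CMD, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # `--sample` audits the constructed data instead of the live host.
    text = SAMPLE_LSOF if "--sample" in sys.argv else run_lsof()
    for entry in report(text):
        print(entry)
```

Run with `--sample` to see the constructed case; without it the script audits the current host and lists every loopback-only listener, so an unexpected helper that survived an uninstall stands out next to the usual development servers.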

Until that time, users should deactivate the setting that turns on the camera upon joining a meeting, as well as disallow a browser from automatically opening the Zoom app for Zoom links, Avast's Hron told TechNewsWorld.

Privacy Nightmare

The vulnerability could be bad news for Mac users of Zoom, who number more than 4 million, according to Leitschuh.

"Even though most Zoom users are in the enterprise, they are still consumers, and this vulnerability could result in a privacy nightmare if their work computers are used at home or for personal reasons," Hron said.

"Any website can turn on the Zoom client with the video feed enabled, which essentially could turn a casual browsing session into a serious invasion of privacy in the home," he explained.

Having your camera and audio enabled on your Mac without your knowledge can create a number of scenarios with bad outcomes, suggested Greg Young, vice president for Cybersecurity at Trend Micro, a cybersecurity solutions provider headquartered in Tokyo.

"One of those outcomes could be the use of the captured video or screenshots for blackmail," he told TechNewsWorld.

"Another is when entering credit card information online, we all hold the card up in front of us in view of the camera, and usually flip it over at least once," Young said.

Businesses should be worried too, noted Adam Kujawa, lab director at Malwarebytes, a Santa Clara, California-based maker of antimalware software for Microsoft Windows, macOS, Android and iOS.

"If anything said and shown on the camera can be spied on, that can be mighty dangerous for a company with a lot of IP to hide," he told TechNewsWorld.

Hard to Weaponize, Easy to Exploit

The flaw would be difficult for cybercriminals to weaponize in any effective form, Kujawa said, but the ease of exploitation would invite mischief.

"Just send out a convincing email with a link that points to a localhost server and wait for users to click," he observed, "or share it on social media."

It's the practice in the industry to give a software maker 90 days to fix flaws found by bug hunters.

"Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard," Leitschuh wrote. "The four-plus million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service."