RT @zackwhittaker: New: Just when you thought things couldn't get any worse for Zoom, an ex-NSA hacker just dropped two Zoom zero-days on his blog. One of the bugs can allow an attacker to tap into the webcam and microphone without permission.
Edit 2: Zoom recently put out a very good blog post addressing these concerns and more. They do a great job of explaining what they are doing to fix all of these problems and how they happened in the first place. This restores a lot of my faith in Zoom, but this still serves as a good example as to why auditable and reputable alternatives are better, and open-source applications are the best.
Spooky23, a former guest of a Holiday Inn also used by elite NSA Hackers, discovered that if you walk into a remote worker's home while they are engaged and distracted by a Zoom meeting, you can physically pick up the laptop and throw it out the window. In most cases, this will result in a denial of service.
Zoom has not made a fix available at this time. Users can work around this threat by securing any nearby windows.
These are valid attacks for bypassing Gatekeeper on macOS, but they're not root-level privilege escalation attacks (the user still needs to enter a password) and they don't provide remote code execution.
It does show that whoever manages security at Zoom should go back to school though. Operating system security features are not an obstacle but a tool. Trying to work around them reminds me of the age of IE6 toolbars and "system optimisers" that won't let you uninstall them.
> The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer.
TechCrunch got this wrong. "Local" means local privilege escalation, as opposed to "remote" code execution. They do not require physical access.
That being said, local privilege escalation on a single-user computer where that user is an admin (most Macs) isn't a massive problem in my mind. It would allow malware, once run by the user, to bypass security prompts usually required to elevate access.
Something that wasn't clear ("non-privileged attacker") is whether or not running the Zoom installer as a non-admin user would be sufficient for it to use its elevation mischief somehow. From what I see, it can't, because AuthorizationExecuteWithPrivileges requires an admin's credentials to do anything. But if that were the case, can you use the Mac Zoom client without an admin's permission, or not?
If you don't need to give it admin credentials (and can just give it anyone's non-special password instead) and it installs to /Applications without an admin's permission, then there's a huge problem. If you do need to give it admin credentials, this still needs to be fixed (urgently, as I'm sure there are tons of one-off developer/designer Macs that aren't monitored by IT and have the Zoom client on them), but that would mean the security model on OS X wasn't entirely broken by a badly written video conferencing installer.
I think zero-days are irresponsible in the best of times, but releasing something like this when their devs are probably all busy just keeping their much-needed service running in times of a global crisis just seems insane.
Why are startups born this way? Why optimize for growth and CTR etc.? Is there a world in which security and privacy focus (maybe sprinkle in, dare I say, social good) could be funded from the start?
These companies presumably all pivot on going public and making a crapton of money: couldn't they anticipate the need to respect the users longer term as opposed to selling them like a commodity to investors and advertisers?
The worst types are the ones that advertise how good and amazing they are, and when the "tide goes out they are found swimming naked" as Buffett might say.
> Zoom uses a "shady" technique — one that’s also used by Mac malware — to install the Mac app without user interaction
It reminds me of the Dropbox trick they used to get past the accessibility restrictions. The implementation is different, but it's essentially a way to get around all the limitations that Apple has been building into macOS.
I feel like developers shouldn't have to fight the operating system.
Can we stop using and finding bugs in the closed-source Zoom and direct that effort to finding bugs in the open source Jitsi (or any other open source solution) instead?
Even though it's free and open source, there will be bugs and usability issues that need to be solved. If we pool our effort right, we can make open source solutions into "just works" solutions, reducing the need for companies like Zoom.
We're in a pandemic. Telecommunications are of paramount importance to people working in emergency and other services throughout the world. So of course, security and privacy are more paramount than ever. But by releasing more and more "problems" with Zoom, it slowly forces organizations to abandon Zoom as a telecommunications option. Eventually people will not be allowed to use Zoom to do their jobs, which will make those jobs even more difficult than they already are. Social distancing by itself saves lives by keeping infection (and thus death) rates down, and this software is a critical part of making that work.
> Because Wardle dropped detail of the vulnerabilities on his blog, Zoom
> has not yet provided a fix. In the meanwhile, Wardle said,
> “if you care about your security and privacy, perhaps stop using Zoom.”
This is not the time to release 0-days in telecommunications software; people need this software to save lives.
If you work in InfoSec, or just idle in random hacker channels, please push back on this kind of behavior. It would be "irresponsible" at any other time, but in this era, it's literally life-threatening.