As someone who used @zoom_us on a Mac, I'm troubled by this. It seems that:
1. There's no SDLC in place to stop code like this from getting into prod
2. They don't take vulnerability reporting seriously
Looking forward to Zoom's account of what happened. https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Replying to @MalwareJake @zoom_us
Although now that I look at this, I cannot reproduce what's described on Safari, Chrome, or Firefox on macOS. All three prompt the user before launching the Zoom application when viewing https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
You're probably running a very old version of Zoom then. As far as I'm aware, Zoom's auto-update functionality is non-existent.
OK, there must have been something wrong with the first time I attempted to reproduce this last night. At that time there was no listener on 19421 either, so perhaps it fell back to the protocol URI? However, this time it worked as described. I don't see why the listener is necessary.
And to be clear, the only reason it's prompting me is because I've never before successfully run Zoom to join a meeting in this VM. Otherwise, the prompts for user name, microphone permission, and camera would not be displayed, and http://zoom.us (obviously) joins a meeting.