July 11, 2019
Doom, Gloom and Zoom: What Every Mac User Is Ought To Know About Seamless User Experience
Many of you have already read about Zoom’s Mac app zero-day, a CVE disclosed by Jonathan Leitschuh on July 8th, 2019.
I played a waiting game first, feeling that this saga won’t just hush down after the initial report. Now that the fog of war has settled, we can see how this all played out, and we can evaluate everything with clear minds.
In case the big news went over your head, Zoom’s security oversight allowed malicious actors to force users into unsolicited Zoom calls, which actually activate cameras by default when users join a new call.
Think about it - you just need to click on the link in the browser and the client would instantly open on your local machine.
That’s possible because aside from the app you have a web server with undocumented API on your local machine that runs in the background.
The company felt that it was a "legitimate solution to a poor user experience, enabling users to have seamless, one-click-to-join meetings.” Zoom prioritized user-centric experience over security and data protection, because essentially any website that you would visit could interact with that web server.
A glaring issue for any security-minded person.
In case you landed on a malicious website, clicked on a malicious ad, or found yourself on the receiving end of phishing campaign - your privacy could be in danger.
This exploit also opened up the possibility of a Denial of Service attack, by repeatedly joining a target to an invalid call.
To make things even worse, a local host web server stayed on your machine even if you uninstalled the app. Needless to say, this gave Zoom the opportunity to re-install the client for you, but without you.
But that was before...
Despite originally protecting this twisted server logic, Zoom representatives changed their course and killed off the server altogether.
From now on, Zoom will not use the local web server to join meetings automatically, as they have disabled it on their back end.
I consider it to be a victory for users and security researchers alike, who forced this change by expressing their opinions on social media.
There’s a moral to this story too.
The Internet is made up of segments, so communication channels provided by instant messengers and email are especially vulnerable.
Technology allows us to protect only a part of the connection, but doesn’t give us the power to control the entire channel. And that’s why StealthMail and StealthTalk were created, that’s what sets them apart from other solutions on the market right now.
Stay safe, guys!