The Zoom video conferencing app for Mac has serious flaws left unaddressed despite disclosures. When visiting a malicious website, bad actors can activate your camera without permission. If you uninstalled Zoom, the malicious site can reinstall it without your interaction.
Security researcher Jonathan Leitschuh noticed that Zoom has the capability to auto-join and start a video session just by visiting a link. He wondered how the company securely accomplished the feat and investigated. He quickly found out that Zoom’s methods weren’t secure at all.
When you install Zoom on a Mac, it creates a web server on your machine. The web server is problematic on multiple levels. With just a few options, Leitschuh put together a proof of concept website. If you have Zoom installed and visit that website, you will be auto-joined to a call, and your webcam activated without any interaction on your part—even if you closed Zoom before clicking the link.
Worse yet, uninstalling Zoom doesn’t remove the web server. The web server can reinstall Zoom on its own as well. So if you visit a malicious link, it can reinstall Zoom, join you to a call, and start your webcam, all without any interaction from you.
You can test this at Leitschuh’s proof of concept, but be advised: if you have Zoom installed, your camera will start, and you’ll find yourself joined to a call with other people testing the site. Leitschuh notified Zoom of his findings along with a 90-day disclosure grace period. Unfortunately, the company didn’t do much to fix the problem.
Initially, the company brushed the whole thing off as part of the features it supports. Zoom eventually implemented a mild fix that prevents the camera from turning on, but malicious actors can still force users to join a call and reinstall Zoom. [Medium]
In Other News:
- Microsoft is sneaking ads into Android: If you have a Microsoft Android app installed, you might see ads for other Microsoft apps. But not inside the app itself. Microsoft is inserting suggestions in Android’s share and open menus. If you share a photo with a friend, you might see OneDrive listed, even if you didn’t install it. Tapping OneDrive takes you to the Play Store. Subtle yet gross. [Android Police]
- Apple announced a new MacBook Lineup: Apple is shaking things up in the MacBook world: gone are the MacBook model and the non-Touchbar MacBook Pro models. But as they leave, a less expensive MacBook Air with an improved screen takes center stage. We think this is the most sensible lineup in years. We also believe you should wait on buying a MacBook anyway, because of the ongoing keyboard issues. [ReviewGeek]
- Microsoft issued a warning about hard-to-detect malware: Microsoft discovered a malware campaign, dubbed Astaroth, using incredibly advanced techniques to evade discovery. Astaroth relies on system tools, like the Windows Management Instrumentation Command-line (WMIC) tool, to do all its work, so that it masquerades as system activity (a Living off the Land technique). And it never saves files, instead executing entirely in memory (a fileless method). Astaroth is delivered through spam email with malicious links, so be careful what you click. [ZDNet]
- Over 1000 Android apps ignore your permissions choices, track you anyway: Security researchers discovered that many Android apps would track you even if you chose permissions options to prevent it. Most use alternative options; for instance, Shutterfly pulls GPS information from your photo metadata. Some even share data from one app to another. Android Q should solve the problem, but Android isn’t known for timely updates. [9to5Google]
- Instagram wants to stop bullying: Instagram is testing new features designed to curtail bullying on its platform. The first is an A.I. process that detects when you are writing something disparaging and questions if you truly want to post the comment. The second will let users shadow ban commenters. A shadowban hides comments from everyone except the poster without notifying them. [Instagram]
- Spotify Lite is smaller, with fewer features: Spotify’s new Lite app for Android is a svelte 10MB in size, which is great for devices with limited storage and countries with slower internet speeds. Of course, the smaller size means fewer features. But you still get the most important part, music, which is really all that matters. While it’s available now in 36 markets around the world, the US isn’t one of them. [Engadget]
- Google says you get to keep your Stadia Games: Google Stadia is incredibly intriguing. But one question (ok many questions) loomed heavily: what happens if a game publisher stops supporting Stadia? Do you lose the game despite the money you spent? Google updated its FAQ, and it promises you’ll keep your games in that event “barring unforeseen circumstances” (because every company wants wiggle room). [The Verge]
- Microsoft’s weird tweets were just a Stranger Things ad: Microsoft’s tweets have been “strange” lately, touting Windows 1.0 and other throwbacks. The references to 1985 made it a likely Stranger Things tie-in (a show set in 1985), and now that’s confirmed with a theme pack and Windows 1.11 app download. If you like things ugly, and really love Paint, download them now. [Ars Technica]
- YouTube returns to FireTV and Prime Video gets Chromecast support: Google removed YouTube from FireTV as the two companies fought about representation in each other’s stores. The companies promised peace, and it seems that’s finally coming to pass. You’ll now find YouTube on most FireTV devices (save for the Echo Show). Also starting today, Prime Video will get Chromecast support. What a time to be alive. [GeekWire]
Touchscreens, with their virtual buttons that reconfigure based on your needs, are a fantastic technology that transformed the way we live. That is, unless you are blind. Touchscreens are an obtuse technology for anyone without sight to use—the buttons lack tactile sensation, which is necessary to find them and determine their use.
Researchers want to solve that and other problems. They’re working on electronic skin which could interact with touchscreens to provide tactile sensations. Think of it like your cell phone vibrations, but on a smaller scale that gives you a sense of which direction to move your finger, or how hard to push.
The idea is to keep the tech thin enough that you can feel through it with your finger, yet still embed circuits that can interact with other technology and you. Scientists hope that one day electronic skin could add the feeling of sensation and touch to a prosthetic hand as well. There’s still a long way to go before this happens, but now it truly seems possible and not just something in the realm of science fiction. That’s true progress. [Phys.org]