
Comment by ct520

6 years ago

Sooo... this is still vulnerable?!

Yes. Try this link from the article to see it in action if you have (or had) Zoom installed: https://jlleitschuh.org/zoom_vulnerability_poc/

WARNING, this will open a video chat with random strangers, and will turn your webcam on. Consider yourself warned!

  • If you want to test it without using your real webcam, I recommend CamTwist [1]. The author is in the group video call now. I joined for a short minute, and was relieved to see that my real webcam wasn't being used.

    Normally I use CamTwist so I can write subtitles on top of my video feed when chatting with my gran. It seems it's also a good layer of extra security!

    [1] http://camtwiststudio.com/

  • > WARNING, this will open a video chat with random strangers, and will turn your webcam on. Consider yourself warned!

    Amusingly enough, this actually exists as a product:

    https://en.wikipedia.org/wiki/Omegle

    (Edit: just noticed it's already been around for over 10 years. That's rather amazing.)

Personally, I do not think so.

I did a test with myself and a coworker. I’m using macOS 10.12; he’s using 10.14. We both have up-to-date Zoom clients.

In our Zoom clients, we both already had the “Turn off my video when joining a meeting” box checked.

I set up a meeting, with participant video set to On, as the article describes. I took the new Meeting ID, launched Zoom, and joined my new meeting. I then sent my coworker the join URL using Slack.

My coworker clicked on the link, which opened the URL in Safari. Safari asked my coworker if he wanted to launch Zoom. My coworker confirmed that yes, he wanted to launch Zoom.

My coworker’s Zoom client did _not_ automatically start video. I never saw video come in from him.

  • > In our Zoom clients, we both already had the “Turn off my video when joining a meeting” box checked.

    I believe this is one of the mitigations, which is why it didn’t work.