Comment by TACIXAT

6 years ago

The Zoom client on Linux used to (?) have a nasty command injection. The URL for joining a meeting got passed to some bash reinvocation (so they could set the library path if my memory serves me). A specially crafted URL could execute commands on the system. I haven't been too interested in using Zoom since seeing that.

2 comments

TACIXAT

Reply
palebluedot  6 years ago

I hadn't heard of this, so I looked it up, and you are right: https://www.exploit-db.com/exploits/43354

At least that was patched. These sorts of issues are frustrating, because as a Linux user I really want to like Zoom -- I appreciate that the treat all platforms pretty equal (Mac, Windows, Linux, Android, iOS) with native apps. That is a rarity.

anaphor  6 years ago

For the longest time the Linux client would just crash randomly. It also tends to heat up your laptop and use all of your cores at 100% if you're looking at someone's screen.

Just run `strace -f zoom 2> wtf.zoom` to see all of the shit it does (looks like it is polling for events like crazy).