Comment by Jlleitschuh

6 years ago

Hi I'm the author, AMA

Or come hang out in the party chat!

Use the exploit to join: https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_ifram...

Stayed on that call for over 3 hours and I just have to say that it was one of the best experiences I've had on the internet in years.

People behaved pretty well considering it was a random public Zoom call (except for a few trolls, but nothing really bad).

It just felt like the internet of yore where random people would meet and chat and just be nice to each other.

Lots of interesting topics, people from all over the world, lots of surprised faces, random camera sights out the window, someone with a unicorn mask...

It was a blast. Thank you Jonathan for a great time!

  • I listened for a long time, learned a lot as well.

    This made me think - is there any website that facilitates you to do such public conferences on zoom like clients. Basically a bunch of people who are interested in a certain topic could join and chime in - go from topic to topic. It could be a very healthy discussion. People could post and schedule meetings and essentially anyone who wants to learn could join. I do listen to podcasts often, but such meetings would be pretty different than podcasts. Does this already exist?

    • I am not aware of anything like what you describe, but I did see some people in that Zoom call suggesting the creation of a Discord and/or Slack channels.

      However what I fear is that they will become like any other modern forum in that you will need heavy moderation, people will try to troll, etc.

      The beautiful thing about Jonathan's call was its spontaneity, I think, and that everyone was so excited to talk about the vulnerability that the group had a single focus.

      I might be too cynical, so maybe it's a good idea, and if someone suggests a place/site/forum to have these kinds of discussions I would definitely try it out.

Interestingly, I implemented every mitigation listed in the article: kill the web server process, remove and add an empty directory at `~/.zoomus` to prevent it being re-added, remove Firefox's content type action for Zoom, and disable video turning on when Zoom launches. When I visit a Zoom join link or the POC link above, Firefox prompts me to open the Zoom client to join the meeting, and when I click "Open Link" the client opens just as it should and joins the meeting.

This seems to confirm that there is no functionality to create a seamless experience for the user that actually requires the presence of the web server. If you don't have the client installed the page can prompt you to download it the same as it would the very first time you download and install it. You can ask your browser to remember the link association and not be prompted for which app the link should open going forward. These are minor steps, even for a regular user, and ones with which most users are likely already familiar.

To me this further illustrates that the web server is truly just a ploy on Zoom's part to keep their hooks in users' systems, and have a way in that the user isn't privy to. Any other excuse they are giving about "enhanced experience" is dubious at best and deceitful at worst.

Have you checked for similar vulnerabilities in competing products such as GoToMeeting and WebEx? They have the same basic features.

  • RingCentral Meetings uses the zoom.us engine, but the local server runs on port 19424 instead. I'm able to replicate the issue on it.

    PoC: http://localhost:19424/launch?action=join&confno=3535353535

    • I can confirm that this vulnerability exists in RingCentral for macOS, version 7.0.136380.0312.

      I was taken into Miguel's meeting, but since the host wasn't present, it simply let me know it was waiting for him (it also had a friendly notice: "Your video will turn ON automatically when the meeting starts").

      I've changed my settings in Video > Meetings, just like in Zoom, to turn off my vid when joining. Also confirmed that the server is running on port 19424 (via terminal command 'lsof -i :19424').

  • bluejeans video installs a nasty daemon that runs at boot too. I'll never attend a bluejeans meeting again

> You can confirm this server is present by running lsof -i :19421 in your terminal.

Might be good to specify what the output would be if the vulnerability is present or not, like this:

"If the server is running on your machine, you'll get a line specifying which process is listening to that port. If the command returns empty, your machine is not vulnerable."
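The suggestion above (read the `lsof -i :PORT` output as "a process line means the server is present, empty means it is not") and the earlier comment's mitigation step (replace `~/.zoomus` with an empty directory) as a small POSIX shell script. This is an added example, not code from the thread, from the article, or from Zoom. The lsof sample output, the process name, the PID, and the script filename `check_zoom_server.sh` are constructed for illustration; the only things taken from the thread are the ports 19421 and 19424 and the `~/.zoomus` path.

```shell
#!/bin/sh
# Added example (not from the thread): a defender's check for the local
# web server, plus the ~/.zoomus reset step, written so both parts can be
# exercised against constructed input instead of a live machine.

# Constructed sample of what lsof prints when a process is bound to the
# port. Command name, PID and user are made up.
SAMPLE_LISTENING='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 1234 alice   3u  IPv4 0x1234      0t0  TCP localhost:19421 (LISTEN)'

# What lsof prints when nothing is bound to the port: nothing at all.
SAMPLE_EMPTY=''

# Print "listening <command>" when the captured lsof output has a LISTEN
# line, otherwise "not-present". Takes the output text as its argument.
classify_lsof_output() {
    printf '%s\n' "$1" | awk '
        /\(LISTEN\)/ { print "listening " $1; found = 1 }
        END          { if (!found) print "not-present" }'
}

# Run the real check against a port on this machine.
# Exit status: 0 = listener found, 1 = nothing bound, 2 = lsof unavailable.
check_port() {
    port=$1
    if ! command -v lsof >/dev/null 2>&1; then
        echo "lsof not installed; cannot check port $port" >&2
        return 2
    fi
    result=$(classify_lsof_output "$(lsof -i :"$port" 2>/dev/null)")
    echo "port $port: $result"
    [ "$result" != "not-present" ]
}

# Mitigation step as the earlier comment describes it: remove ~/.zoomus and
# put an empty directory in its place. The base directory is a parameter
# (pass "$HOME" for real use) so the function can be run on scratch space.
reset_zoomus_dir() {
    base=$1
    rm -rf "$base/.zoomus"
    mkdir "$base/.zoomus"
}

# Check the two ports named in the thread (19421 for Zoom, 19424 for
# RingCentral). Only runs when the script is executed under its own
# (assumed) filename, so sourcing the file defines the functions only.
if [ "${0##*/}" = "check_zoom_server.sh" ]; then
    for p in 19421 19424; do
        check_port "$p" || true
    done
fi
```

Saved as `check_zoom_server.sh` and run directly, it prints one line per port; to apply the directory reset on a real account, source the file and call `reset_zoomus_dir "$HOME"` after stopping the server process. The `classify_lsof_output` function is separated from `check_port` so the interpretation rule can be tested without lsof being installed.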

Huh, I'm on Windows and it auto-joined the meeting too, with video enabled. I wonder if this is because at some point in the past I opened a Zoom meeting and allowed Chrome to open the Zoom URI in the Zoom app?

Great chat, I think you were right when you said all vulnerabilities should have a video conference for Q&A after release. It was really helpful to get a better understanding of the platform and the threats facing it.