Comment by cobbzilla
6 years ago
I'm trying to think of the real-world implications and how this would play out.
Normally this would be pretty obvious, wouldn't it? Users would see Zoom open into some weird meeting, and close it.
Presuming the exploit cannot avoid bringing the Zoom app to the foreground when it joins the meeting and activates the camera/mic. If it can do that and stay in the background, all bets are off.
In spite of its obviousness, it's still pretty darn scary --
Scenario 1: malicious website/app opens link while you're sitting there.
You're sitting in front of your computer, you see Zoom open, you're like "WTF?!", close that shit, uninstall Zoom; hopefully discover how to permanently remove it (it otherwise leaves a localhost http server running that can reinstall itself).
But crap the hijackers have, even with a few seconds of video: your face, your surroundings, the audio of your surroundings, all of which can increasingly be fingerprinted. That alone is very scary. Just to be in an unintentional meeting for a moment is very disturbing. A violation of sorts.
Scenario 2: malicious website/app delays opening the link until some threshold of mouse/KB inactivity is reached.
Activate the Zoom link and hope the person is AFK. Spy on their home/office/whatever. Also a violation.
Are there other scenarios I am missing?
Personal note 1: I'm happy I switched to a Linux laptop after finding last year's MBPs disappointing (and the TB revolting; I have a physical escape key!).
Personal note 2: I do actually like Zoom a lot, it's an awesome video conferencing app. But this should be fixed for Mac users.
I wonder if this works in an electron app (like Slack maybe) displaying it?
Maybe you could intentionally send this link to someone shown as inactive on Slack, and have the Slack webpage preview thing run enough JavaScript to pop open Zoom with the camera and mic running...
I'd test it myself, but I deleted Zoom and the sneaky localhost web server while I read the article...
It says that the server sends an image with certain dimensions back as an error code, so I wonder what you could do if you served some simple HTML that uses the local server as a meta tag that renders in the preview?
I imagine Slack would do that on the client since it's built on Electron.
Unless it requires more than loading a URL.
> Activate the Zoom link and hope the person is AFK. Spy on their home/office/whatever. Also a violation.
I think this is the most likely scenario. There are ways you could potentially delay it (e.g. they leave a tab open and you don't open the link until a certain time).
Scenario 1 extended: Add this into an ad or a popover for a porn site and potentially capture some very compromising footage.
Scenario 3: Add it as a tracking pixel in an email.
I guess there are all kinds of scenarios since it's an unsecured API that responds with an image. You can trivially embed it in anything that renders HTML.
Scenario 3: You want to be a jerk and put someone into a meeting they weren’t in to get them in trouble.