So, in order to save users an extra click, Zoom installed the localhost web server as “a legitimate solution to a poor user experience problem.” While the company claims that it has no evidence of a Mac being subjected to a DOS attack, which it describes as “empirically a low risk vulnerability,” it also announced that it will be implementing a public vulnerability disclosure program within the next several weeks.

But even beyond the practice of surreptitiously running a localhost web server on hundreds of thousands of Macs around the world, Leitschuh unearthed a vulnerability that “allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission … and would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.” As Zoom explained, changes implemented by Apple in Safari 12 that “require a user to confirm that they want to start the Zoom client prior to joining every meeting” disrupted that functionality.