The Zoom video conferencing app for Mac has serious flaws that remain unresolved despite the announcement. When you visit a malicious website, bad actors can activate your camera without permission. If you have uninstalled Zoom, the malicious site can reinstall it without your interaction.
Security researcher Jonathan Leitschuh noticed that Zoom can automatically join a video session and start it when you do nothing more than visit a link. He wondered how the company pulled off the trick and investigated it. He quickly realized that Zoom's methods are not at all secure.
When you install Zoom on a Mac, a web server is created on your computer. The web server is problematic on several levels. Leitschuh has put together a proof-of-concept website with just a few options. If you have installed Zoom and visit this website, you will automatically be joined to a call and your webcam will be activated without your intervention, even if you closed Zoom before clicking on the link.
Worse, uninstalling Zoom does not remove the web server. The web server can also reinstall Zoom itself. So, if you visit a malicious link, it can reinstall Zoom, join you to a call, and start your webcam without you having to do anything.
You can test this at Leitschuh's proof of concept. If you have installed Zoom, your camera will start up and you will find that you are in a call with other people testing the site. Leitschuh told Zoom about his findings and gave the company a 90-day grace period. Unfortunately, the company has not done much to solve the problem.
At first, the company presented the whole thing as part of its supported functionality. Eventually, Zoom implemented a light fix that prevents the camera from turning on, but malicious actors can still force users to join a call and reinstall Zoom. [Medium]
In other news:
- Microsoft sneaks ads into Android: If you have a Microsoft Android app installed, you may see ads for other Microsoft apps. But not in the app itself. Microsoft inserts suggestions in Android's share and open-with menus. If you share a photo with a friend, OneDrive may be listed, even if you have not installed it. Tapping on OneDrive takes you to the Play Store. Subtle, yet crude. [Android Police]
- Apple announces new MacBook lineup: Apple is causing excitement in the MacBook world: the MacBook and the MacBook Pro models without Touch Bars have disappeared. With those gone, however, the focus is on a more affordable MacBook Air with an improved screen. We think this is the most sensible lineup in years. We also think that you should hold off on buying a MacBook anyway because of the persistent keyboard problems. [ReviewGeek]
- Microsoft issues a warning about hard-to-detect malware: Microsoft discovered a malware campaign called Astaroth that used incredibly advanced techniques to escape detection. Astaroth uses system tools, such as the Windows Management Instrumentation Command-line (WMIC) tool, to masquerade as system activity (a living-off-the-land technique). No files are stored on disk; the code is only executed in main memory (a fileless method). Astaroth is delivered via spam email with malicious links. So watch what you click. [ZDNet]
- Over 1
- Instagram wants to stop bullying: Instagram is testing new features to curb bullying on its platform. The first is an AI process that detects when you write something derogatory and asks whether you really want to post the comment. The second lets users shadowban commenters, which hides their comments from everyone except the poster without notifying them. [Instagram]
- Spotify Lite is smaller and has fewer features: Spotify's new Lite app for Android is only 10 MB in size and is ideal for devices with limited storage space and countries with lower Internet speeds. Of course, the smaller size means fewer features. But you still get the part that really matters: the music. Although it is currently available in 36 markets worldwide, the US is not one of them. [Engadget]
- Google says you can keep your Stadia games: Google Stadia is incredibly fascinating. But one question (ok, many questions) has been hard to answer: What happens if a game publisher stops supporting Stadia? Do you lose the game despite the money you have spent? Google's frequently asked questions (FAQ) have been updated. In this case, you will keep your games "subject to unforeseen circumstances" (as every company wants to have some wiggle room). [The Verge]
- Microsoft's weird tweets were just a Stranger Things thing: Microsoft's tweets have been "strange" lately, referencing Windows 1.0 and other throwbacks. The references to 1985 made a link to Stranger Things (a show from 1985) likely. This has now been confirmed by a theme pack and the download of the Windows 1.11 app. If you like ugly things and really love Paint, download them now. [Ars Technica]
- YouTube returns to Fire TV and Prime Video gets Chromecast support: Google removed YouTube from Fire TV when the two companies fought over representation in each other's stores. The companies promised peace, and it seems that it is finally arriving. YouTube is now available on most Fire TV devices (except for the Echo Show). Prime Video will also receive Chromecast support today. What a time to be alive. [GeekWire]
Touchscreens, with virtual buttons that can be reconfigured to your needs, are a fantastic technology that has changed the way we live. Unless you are blind. Touchscreens are a dumb technology for anyone who cannot see them: the keys lack the tactile sensation needed to locate them and determine their use.
Researchers want to solve this and other problems. They are working on electronic skin that could interact with touchscreens to create tactile sensations. Think of it as the vibration of your mobile phone, but on a smaller scale, telling you which direction you need to move your finger or how hard you have to press. The skin could embed circuits that interact with other technologies. The scientists hope that electronic skin can one day also give a hand prosthesis the feeling of sensation and touch. There is still a long way to go, but now it really seems possible, not just science fiction. That is true progress. [Phys.org]