ZOOM fixes their own mistake

by Volker Weber

Full story with updates here:

Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.

Mistakes were made. And quickly resolved.

Download here >

Comments

Scheinen eine automatische Übersetzung zu nutzen: Die Webbrowser Kunde wird automatisch heruntergeladen, wenn Sie anfangen oder beitreten Sie Ihre erste Sitzung Zoom und ist auch für den manuellen herunterladen.

Patrick Bohr, 2019-07-10

I'm afraid to say this does not seem to be completely correct: Zoom were first informed of the issue back in March, and it seems to have been a protracted exercise to get it resolved:

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Nick Daisley, 2019-07-10

Volker, I strongly disagree with letting Zoom off the hook this easily. The way they brushed off and disregarded @JLLeitschuh’s responsible disclosure—until the whole thing blew up in their face—shows a frightening lack of concern for proper security procedures, which is totally unacceptable for a company that is is installing persistent, internet-facing software on millions of endpoints without the users’ knowledge.

Mistakes were not quickly resolved, it took over 100 days.

They deserve to be slammed, hard, for this. Once their fixes have been deployed and independently validated, then perhaps they can be forgiven.

BTW I see they state, “We are stopping the use of a local web server on Mac devices.” That’s not reassuring. I gather there are vulnerabilities on Windows as well, and the only responsible thing to do is to shut down all of these local web servers until the problems are fully understood.

Chris Ferebee, 2019-07-10

Chris, you gather. Guilty without proof? Do you have any idea why they tried the server in the first place?

Volker Weber, 2019-07-10

I was in the POC Zoom chat with @JLLeitner, and a participant mentioned that Zoom runs a similar web server on Windows. I haven’t verified this myself. If they don’t use a web server on Windows, or are disabling it now, they could say so in their statement. They do not currently deserve the benefit of the doubt in that respect.

The reason they ran the web server in the first place is because it allowed them to offer a mechanism to join a conference with a single click from a web page, which they considered to be a competitive advantage. See, e. g., https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/

They are intentionally bypassing the legitimate Safari security dialog “Do you want to allow this website to open an application on your computer?” which users of other solutions have to click through.

The ZDNet article explains how they do this, using a rather clever exploit—it’s hard to use another word—with an undocumented local service running from an obfuscated location, the invisible ~/.zoom directory.

This is the sort of behavior normally associated with malware.

Chris Ferebee, 2019-07-10

Well, have they fixed it or not?

Volker Weber, 2019-07-10

Fixed, yes. But this is still a huge breach of trust - very much in line with Google's constant string of abuses for years. They do something "cute", and it's all fine - until they get caught. Then it's "oops, tee hee!" or "Yeah, but think of the convenience we provided you!"

Aside from the overall shortsightedness of the decision to implement the web server in the first place, the simple fact that uninstalling Zoom *didn't* also uninstall the web server is 100% no-go in 2019. @Chris is right - this is pure malware behavior. And completely unacceptable from a corporation attempting to paint themselves as legitimate -- especially one with an ex-Cisco guy as the CEO.

I'm a bit tired at the moment to give it much deep thought, but I wouldn't be surprised if this gets stretched a bit into a GDPR violation in the EU.

Erik Brooks, 2019-07-11

LOL. This is an attempt to make joining a video conference more convenient. So you don't have to routinely click away a dialog that nobody reads anyway since it appears all the effing time. How does that relate to GDPR?

Throwing an app in the trash bin does not "uninstall it". It just makes the visual parts disappear. You would be surprised at how many system extensions you are accumulating on your Mac over the years.

Volker Weber, 2019-07-11

Apple hat sich eines silent Updates für Zoom bedient. Das letzte Mal wurde das vor zwei Jahren gemacht.
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

Markus Schicker, 2019-07-11

@Vowe - does Zoom collect personal data? Yes, they do. You provide consent for this when you install and use their services.

The GDPR requires that withdrawal of such consent be available, easy, and honored. Uninstalling a piece of conferencing software is the ultimate withdrawal of consent. But Zoom's web server ignores this by re-downloading it "for" you. Is this honoring withdrawal of consent?

Legally, at the very least, Zoom likely has standard secondary liability for the exploit itself to anybody who proactively "tried" to uninstall the software. But I wouldn't rule out this entire fiasco as a potential GDPR violation as well.


Erik Brooks, 2019-07-12

You don't have to rule it out, Erik. You actually have to prove it. Your opinion does not really count.

Since you read the consent what does it say about termination of contract? If you uninstall your Facebook app, you do not terminate your contract with Facebook.

I just cleaned up my Mac and removed a bunch of system extensions, one of them being a WebEx component to facilitate video conferencing. It was left behind from some webinar. It would always be running inside macOS, although I attended only one webinar?

Volker Weber, 2019-07-12

That was quick: RCE.

https://nvd.nist.gov/vuln/detail/CVE-2019-13567

Apple certainly was quick to bring down the MRT banhammer on that webserver—not a moment too soon.

Chris Ferebee, 2019-07-12

People always complain about the nanny Apple, but this is an instant, where it was really helpful to have somebody look after their customers.

Volker Weber, 2019-07-12

@Vowe - I have no plans to take Zoom to court, so I'm not attempting to prove anything. I mean, quite literally, what I originally said: I wouldn't be surprised if this gets stretched a bit into a GDPR violation.

The concern as I see it is not contract-related. With Facebook you create an account - any installation of their software is completely optional and of course has no bearing on your account or relationship with Facebook.

My question is regarding consent, and specifically in the free-client scenario. According to Zoom's terms of use, which you agree to during installation, you consent to personal data collection by using their services. This implies that if you don't use the services you don't consent to personal data collection.

Under the GDPR the means to withdraw consent must be provided as easily as it was granted. So the user thinks "I'll uninstall now..." If someone actively uninstalls the program but afterwards is still being forced to "use" it, and therefore still providing personal data to Zoom, does the user have control over consent?

To clarify: I don't think this actually *will* turn into GDPR action. I think it's extremely unlikely that anyone will actually be taking Zoom to court over this, absent proof of some theft of intellectual property caused by the exploit. Or a regulator hungry for some revenues from fines (though I don't see this happening either - the regulatory board is slammed as it is).

+1 With you and Chris on Apple.

Erik Brooks, 2019-07-12

Post a comment

Store next two fields in a cookie for you?




Use your full name and a working email address. Unless you want your comment to be removed. No kidding.

Recent comments

Armin Auth on Lenovo Thinkbook :: Review eines Nutzers at 12:04
Jan Piotrowski on Lenovo Thinkbook :: Review eines Nutzers at 11:08
Volker Weber on And the winner is ... HomePod at 09:22
Armin Roth on And the winner is ... HomePod at 09:21
Stefan Funke on ThinkPad X1 Yoga in der vierten Generation at 08:55
Jens Becker on From my inbox at 06:46
Stefan Heinz on From my inbox at 04:00
Volker Weber on Lenovo Yoga C930 :: Dieser PC wird zurückgesetzt at 16:48
Reinhard Fellner on Lenovo Yoga C930 :: Dieser PC wird zurückgesetzt at 16:39
Craig Wiseman on Gadget Reviewers vs Regular People at 14:56
Volker Weber on Neato Botvac D7 Connected :: Houston, wir haben ein Problem at 09:31
Patrick Bohr on Neato Botvac D7 Connected :: Houston, wir haben ein Problem at 09:06
Oliver Heinz on Amazon Prime Days :: Angebote nur für Prime-Kunden at 03:09
Kai Schmalenbach on Zwei Reaktionen at 15:23
Kristian Raue on Microsoft Surface Pen Stiftspitzen-Kit :: Ausprobiert at 23:10
Thomas Langel on Apple streicht alte MacBooks und senkt die Einstiegspreise :: Meine Alternative at 21:41
Dexter Ian on Android oder iPhone kaufen? Eine Antwort in 2500 Zeichen. at 16:57
Volker Weber on Android oder iPhone kaufen? Eine Antwort in 2500 Zeichen. at 14:01
Christoph Dierker on Android oder iPhone kaufen? Eine Antwort in 2500 Zeichen. at 14:00
Volker Weber on Herr Lampe hat mir ein altes Bild geschickt #dontbreakthechain at 10:46
Ingo Seifert on Herr Lampe hat mir ein altes Bild geschickt #dontbreakthechain at 10:03
Volker Weber on How do you uninstall software from your Mac? at 09:34
Sascha A. Carlin on How do you uninstall software from your Mac? at 09:26
Volker Weber on ThinkPad X1 Yoga in der vierten Generation at 08:34
Stefan Funke on ThinkPad X1 Yoga in der vierten Generation at 07:16

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 12:57

visitors.gif

buy me coffee

Paypal vowe