Spooky23, a former guest of a Holiday Inn also used by elite NSA Hackers, discovered that if you walk into a remote worker's home while they are engaged and distracted by a Zoom meeting, you can physically pick up the laptop and throw it out the window. In most cases, this will result in a denial of service.
Zoom has not made a fix available at this time. Users can work around this threat by securing any nearby windows.
If your computer is compatible, you'll get a pop-up advertisement during your next PowerPoint presentation to buy a Fenestration Penetration add-on pack that helpfully comes with a free un-installable copy of Bejeweled.
But before you install, you have to give Microsoft a copy of your DNA that it can sell on to marketing companies. Microsoft needs this "telemetry" to improve its software, otherwise everything will break.
This is funny, but I don't think the issue should be so quickly dismissed.
The machine must already be compromised for this vulnerability to be useful, but doesn't necessarily mean it isn't a problem. A good security model uses layers to reduce the impact of successful attacks. This vulnerability potentially enables an attacker to escalate their privileges, bypassing some of those layers and compromising the machine further.
This article probably overstates the problem (maybe don't use "doom" in the headline next time, even though it rhymes) and there are plenty of examples of worse vulnerabilities, but that doesn't excuse this one.
This seems like a security bug, but not exactly a high risk one considering it requires you to actually have possession of the computer.
Presumably if you have possession of the computer and are able to exploit this bug, you could do any number of other things anyway...
Zoom might have issues but if I were to list them, this wouldn't be high on / make the list. Obviously they should fix it, but of all the things, not sure this one is front page worthy.
This should be exploitable on the local network. This is a network share vulnerability.
I suspect there was a nasty mis-translation. The article should have said "local network", but it was stripped down to "local" and got misinterpreted as "local computer".
Wow. They literally just phished me. I was distracted while installing Zoom and didn't look too carefully.
I'm genuinely quite angry about this. I never enter passwords into 3rd party apps - I've had arguments with companies who embed oAuth flows into their app about this.
It's a real system dialog popped by the OS when the install script requests superuser privileges. It's not fake, and the password goes to the OS, not the script.
You are the first person I've seen to know enough about the OSX APIs to know that it is real. I went back to look at the twitter thread and only saw (certainly could've overlooked) one person who was saying that it is real.
Thanks for clearing that up, though I must say they (Zoom) bring this upon themselves by having such a poorly worded dialog.
Maybe try to read the blog post https://objective-see.com/blog/blog_0x56.html instead of a Twitter thread. People trying to glean information from truncated 140-char messages (often written in the most attention-grabbing way possible) is one of the main reasons why Twitter is full of misinformation.
From the HN guidelines: Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that." https://news.ycombinator.com/newsguidelines.html
"Maybe try to read the blog post" can be easily replaced with a less patronizing and just as informative "It's in this blog post".
You have good points to make, they don't need the vitriol to be taken.
I've tried googling and didn't see any blog posts. 140 chars is certainly enough for someone to link that :). Anyway, thank you for making me and others aware of this blog.
Me too. I swear they are stretching "vulnerability" to the point of stupidity. So, if a Hacker gets into your Zoom Meeting (itself a problem) and sends you a link, and you click it, bad things happen? Why, send out the hounds to anything that has clickable links. Better boycott web browsers too while we're at it. Because the problem here isn't a clickable link, what if someone copy pastes it? Is that a zoom vulnerability too? The issue is Microsoft allowing SMB to the internet by default, or bad IT config allowing it to the net by default. The password problem is Microsoft STILL using insecure auth mechanisms there. NONE OF THIS has ANYTHING to do with Zoom or e-mail or a web browser IMO.
Oh, if you're already hacked in enough to run code on MacOS, you can grab the camera with Zoom. Or, you know, use any of many methods to do that I'm sure. The problem, and the reason for HIPS / AV / security solutions is to stop running "hacker code". If I'm running arbitrary code on your Mac, I don't need Zoom to grab a password.
Now, the bad installer methods used on MacOS - yes, those should not happen and ought to be fixed. I think it's the big problem, no one gets paid for a secure system, but one that people can use. Security just causes issues sadly, and making it possible for the most incapable computer user is why everyone loves Zoom for "just working". That sadly incentivizes them to try and work around security roadblocks, which is bad.
We have to use it too (lectures), I wasn't too concerned, bc this is just another web-app, isn't it...
Well - it is (judging from the exe-tar which mainly include a QT-webview...), but like in 2003 they expect you to download and execute random crap unsandboxed. Wheew...
Makes you wonder what Apple was thinking when they designed this security feature? Any app can spoof a system-looking dialog and ask for the password. Not sure about a better way tho.
It’s not a spoofed dialog, it’s the app asking the system (using a rather dangerous API) to ask you to grant access. It’s a legit system prompt. The app doesn’t see your password. It’s like sudo rm doesn’t give your password to rm. Can we stop the misinformation?
Is this contrived? The security risk may be overstated in the headline, but it definitely seems like a problem.
Regarding the hatred for Zoom... I'm sure a lot of people feel the same as me. I'm tired of having to install and trust yet another native app just to perform a task I've been able to easily do with countless other solutions for well over a decade. I understand why Zoom in particular has found recent success, but it's still annoying.
Zoom's recent surge in popularity also probably draws a lot of attention from cynics and skeptics.
It's especially relevant to me and my family; as the room-moms in my children's classrooms want to use Zoom to set up playdates so the kids from the classroom can interact, since they really miss each other (and don't get to see each other otherwise).
None of this is contrived; and all of it is serious when you're the parent of a school age child.
Shitting on people pointing out concerns with/exploits in zoom appears to be this week's low latency path to more upvotes no matter how serious the claim is.
Every zoom post I've read here has at least one highly-upvoted comment about "hey everyone lay off zoom". Why? Why should we give a company that millions are now using for the first time a break? Why should we ignore issues with software that tons of people are now using and potentially opening themselves up to danger?
I use zoom, I used to before the pandemic and I've used it with friends since multiple times. I'm not some anti-zoom, burn it all down type. That said I think issues with it warrant a discussion and there is a reason these things are upvoted: because millions of people are now using it and are unaware of the risk they are taking.
I wonder if many even read the article. I wouldn't shit on the fact that there are vulnerabilities. However, telling people "if you care about your security and privacy, perhaps stop using Zoom" is a wee bit hyperbolic. When I score these using CVSS 3 I come up with a Medium vulnerability. Here's the vector string for the first vuln, which I scored 6.5: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
My first experience with Zoom was the installer opening, telling me it was going to perform a pre-install check to see if the software could be installed, then immediately closing without explanation. It turns out it installed everything immediately without even telling me. This immediately set off alarm bells and made it feel like it was malware.
It's actually using this deceptive phrasing to install (literally, copy) all its files directly into /Applications instead of going through the standard Mac OS install flow.
I'm typically very out of the loop on things but is there any particular reason HN seems to be hell bent on shitting on Zoom this week. Don't recall seeing this much vitriol for a particular product in a while.
Due to quarantine remote working, a lot of people are obliged to use Zoom. To some Zoom has a reputation of not taking security seriously, so they feel forced to compromise the security of their computers. Personally I think this reputation is justified.
You can access Zoom meetings through a pure web interface without installing anything. The experience is somewhat reduced.
And to get to the pure web interface you'll have to either know the magic URL or fight some more dark patterns, because they really want you to install their software.
EDIT:
OK (2) may be a real system prompt - https://twitter.com/DigitalResist0r/status/12452813782932807...? I didn't see anyone else in the twitter thread claim that it was using a real system dialog, so I'd still say it was poor practice of them to have such a shady looking system dialog.
With more and more of the world, and especially Silicon Valley, being locked-down and quarantined, video conferencing is obviously going through the roof and Zoom seems to be winning. It's just getting a lot of attention, and any flaws are suddenly more impactful.
On the one hand, all the attention (if pride is removed from the equation) should be win-win since remote workers might end up less spied on or hacked and zoom still makes a huge profit.
But in answer to "why is HN shitting all over Zoom", I think the answer is "because they aren't doing good enough".
There's no malice there (on the posters' side). If Zoom does better people won't have cause for shining a flashlight on their data privacy policies or security holes. We will see if Zoom grows up fast, since the momentum towards them is already so large I don't see it changing prior to the Fall when schools might risk re-evaluating their tools.
Judging from their past behavior towards security researchers they have done nothing that deserves responsible disclosure. Responsible disclosure starts with responsible QA by the vendor.
Just went and confirmed, in Skype for Business it does not launch the executable but rather opens explorer to the share and highlights the .EXE. So, anyone operating that share will still be passed your creds, but it doesn't launch the executable.
Testing in zoom, it launches the OS prompt to confirm .exe launch. Tested in Windows 10.
No hyperlink in any reasonably-authored messaging app is both going to download+run an .exe file without confirmation AND send your credentials to the remote server without prompting. It's absurd behavior
LPE has always been trivial on OS X... for the longest time, the passwordless-sudo timeout was not specific to the tty. So all you had to do was wait for someone to use sudo, and you would be able to get root.
Unless I misunderstood, the escalation prompt only appears if you’re a non-admin user performing the install, and you still need to possess and enter admin credentials in the prompt to do anything at all.
Outside of paranoid nerds who refuse to use an admin account day-to-day (I’ve only heard about this kind of people online, yet to meet one in meat space), who uses their Mac like that? (Genuine question.)
I've seen schools do this. My old high school had MacBook Airs available for checkout at the library, as well as the desktops used for printing. Obviously the student user did not have admin access, and a student could trivially gain it using this method, opening up the systems to all sorts of nasty stuff.
The key here is the user needs to possess admin credentials; the prompt itself is just a prompt, think sudo/su. I fail to see why random students would have admin credentials.
Oh, ok I didn't read the original article thoroughly. The user still needs to give it the admin password, but the installer can be modified to also execute arbitrary code as the root user.
These are valid attacks for bypassing Gatekeeper on macOS, but they're not root-level privilege escalations attacks (the user still needs to enter a password) and they don't provide remote code execution.
It does show that whoever manages security at Zoom should go back to school though. Operating system security features are not an obstacle but a tool. Trying to work around them reminds me of the age of IE6 toolbars and "system optimisers" who won't let you uninstall them.
> The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer.
TechCrunch got this wrong. "Local" means local privilege escalation, as opposed to "remote" code execution. They do not require physical access.
That being said, local privilege escalation on a single user computer where that user is an admin (most Macs), isn't a massive problem in my mind. It would allow malware, once run by the user, to bypass security prompts usually required to elevate access.
If Zoom was done well it would be a confined app, and controlling the Zoom process wouldn't give you access to everything the user has access to, let alone allow easy root privesc. It's just rubbish software.
I am aware of what responsible disclosure is; Patrick Wardle doesn't really care for it because he prefers writing up his blog posts as it gives him a chance to speak. But even putting aside his personal flaws, Zoom should fix these issues.
Why would he or anyone else? They haven't exactly got a history of being open to researchers. The only way to deal with them is by either dropping 0days or selling vulns to whoever pays for them. That's totally justified given how ignorant and apologetic people are about this tire fire of a company.
At this point, many people prefer to remain ignorant of the risk, so they can continue their lives without change. Just like the CV response.
Basically people don't like thinking even one step ahead. What's the consequence of millions of people exposing their private information (PDF bank statements, DOB, scans of their ID docs, etc) via something like Zoom? Massive identity theft and scamming. E.g. people are going to be asked to send money to relatives, and they'll do it. Loans will be taken out using your PII.
If you think identity theft is bad now, consider the problem when you can't go to the DMV, your bank, etc.
Countries with good digital ID programs (like Germany) are vastly more prepared for this problem.
> In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.
I feel like that's really easy to say if you're not an enterprise/big tech employee who has to use the product to maintain their employment during the quarantine.
Are there any privacy solutions out there for those of us who are required to use Zoom anyway?
You can pass a USB device (including a camera) to a VM. Then you can make sure that Zoom always has focus within the VM to protect yourself from the attention tracking functionality.
The answer is to use the web client. Either put the ID into https://zoom.us/join, or someone else on HN said that replacing '/j' with '/wc/join' in a URL will use the web client.
I think zero days are irresponsible in the best of times but releasing something like this when their devs are probably all busy just keeping their much-needed service running in times of a global crisis just seems insane.
Something that wasn't clear ("non-privileged attacker") is whether or not running the Zoom installer as a non-admin user would be sufficient for it to use its elevation mischief somehow. From what I see, it can't, because AuthorizationExecuteWithPrivileges requires an admin's credentials to do anything. But if that were the case, can you use the mac Zoom client without an admin's permission, or not?
If you don't need to give it admin credentials (and can just give it anyone's non-special password instead) and it installs to /Applications without an admin's permission, then there's a huge problem. If you do need to give it admin credentials, this still needs to be fixed (urgently, as I'm sure there's tons of one-off developer/designer macs that aren't monitored by IT and have the Zoom client on them), but that would mean the security model on OS X wasn't entirely broken by a badly written video conferencing installer.
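The two posts above (the one noting that "the installer can be modified to also execute arbitrary code as the root user", and this one on AuthorizationExecuteWithPrivileges needing admin credentials) share one underlying point: whatever an installer hands to that API runs as root, so a helper that an ordinary user can edit turns an admin's password prompt into a root shell for whoever edited it. The following is an added example, not Zoom's or Apple's code, showing the checks a launcher should make before elevating anything: the helper is a regular file (not a symlink), it and its directory are owned by the trusted uid, and neither is group- or world-writable. It is portable POSIX and does not call the macOS API itself; `trusted_uid`, `unsafe_reasons` and the `runwithroot.sh` file name in the demo are this example's own assumptions.

```python
"""Pre-elevation checks for a helper that will be run as root.

Added example (not from the thread or from Zoom). It models the checks a
launcher should perform before passing a helper to a privileged-execution
API: if the helper or its directory can be modified by anyone other than the
trusted owner, elevating it hands root to whoever can write there.
"""
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def unsafe_reasons(path, trusted_uid=0):
    """Return the reasons `path` must NOT be run with elevated privileges.

    An empty list means every check passed. `trusted_uid` is the only uid
    allowed to own the helper and its directory (root by default; the demo
    passes the current uid so the example runs without privileges)."""
    reasons = []
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        reasons.append("helper is a symlink; target could be swapped")
        return reasons
    if not stat.S_ISREG(st.st_mode):
        reasons.append("helper is not a regular file")
    if st.st_uid != trusted_uid:
        reasons.append(f"helper owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & WRITABLE_BY_OTHERS:
        reasons.append("helper is group- or world-writable")

    # The containing directory matters too: write access there lets an
    # attacker replace the file wholesale, however tight the file mode is.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.lstat(parent)
    if pst.st_uid != trusted_uid:
        reasons.append(f"directory owned by uid {pst.st_uid}, expected {trusted_uid}")
    if pst.st_mode & WRITABLE_BY_OTHERS:
        reasons.append("directory is group- or world-writable; file could be replaced")
    return reasons


def demo():
    """Constructed scenario: a helper in a private directory, checked before
    and after its permissions are loosened, plus a symlink to it."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:          # created mode 0700, owned by me
        helper = os.path.join(d, "runwithroot.sh")    # hypothetical helper name
        with open(helper, "w") as f:
            f.write("#!/bin/sh\necho 'installing'\n")
        os.chmod(helper, 0o755)
        good = unsafe_reasons(helper, trusted_uid=me)
        os.chmod(helper, 0o777)                       # now any local user could edit it
        writable = unsafe_reasons(helper, trusted_uid=me)
        link = os.path.join(d, "link.sh")
        os.symlink(helper, link)
        linked = unsafe_reasons(link, trusted_uid=me)
        return {"good": good, "writable": writable, "symlink": linked}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'OK to elevate' if not reasons else reasons}")
```

In production the ownership check would use root and the directory walk would continue up to the filesystem root, since a writable ancestor lets the whole directory be renamed away; the example stops at the immediate parent to stay readable. The check is also only meaningful if the launcher opens the helper once and executes that same file descriptor, otherwise the file can still be swapped between the check and the run.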
Why are startups born this way? Why optimize for growth and CTR etc. Is there a world in which security and privacy focus (maybe sprinkle in, dare I say, social good) could be funded from the start?
These companies presumably all pivot on going public and making a crapton of money: couldn't they anticipate the need to respect the users longer term as opposed to selling them like commodity to investors and advertisers?
The worst types are the ones that advertise how good and amazing they are, and when the "tide goes out they are found swimming naked" as Buffett might say.
No one in the real world (outside of the hn bubble) actually cares about privacy, and only enterprise cares about security.
> need to respect the users longer term as opposed to selling them like commodity to investors and advertisers?
This is the opposite of the truth? There is no /market/ need to respect users, the intention is to sell them to advertisers/etc. Your comment is just conflating your personal (And hn's) moral views of privacy with how markets actually work in the real world.
Edit - I don't mean to be a dick, but you can't just push your morals on the world and say that's how the world should work.
I think this argument proves too much. It is true that most users don't care or even understand the security and privacy issues in the software that they use but that doesn't mean product developers shouldn't care. It is the precise reason that product developers HAVE to care because they in fact understand the danger (or should anyway) and should protect their users from them.
I could just as easily say that "users don't care whether we hash their passwords in our database so why waste the CPU cycles" and I would be right. The vast majority of users don't know anything about storing passwords securely, but
1. They absolutely care if their passwords get pilfered and used to access their accounts.
2. We still have an ethical responsibility to protect people from dangers that we know full well can cause them harm even if they don't understand what those dangers are.
I agree, you make a good point. In that sense maybe privacy and security could be a means to achieve something else that users do actually care about. (ex. I don't want strangers in my zoom calls, so please make them secure)
When did Zoom sell their users to investors and advertisers?
Zoom used the Facebook SDK to provide a social login button. When they discovered that the SDK sends device data over to Facebook even when users are not utilizing the feature, they removed the SDK and reimplemented it using the native browser. Almost every app on your phone that has a Facebook login option has this same privacy leak. Facebook deserves more of the negative focus here for not explicitly stating to developers that they're bundling spyware on their apps.
Every negative coverage of Zoom that I can think of has shown that its flaws were the result of its focus on streamlined/dead-simple user experience rather than any kind of advertising or selling of user data. Meanwhile people suggest alternatives from Google and Microsoft. After Facebook, I can't think of two companies that have a worse track record on privacy than those two targeted advertising companies.
Part of the hate for Zoom is from the bad reputation they have among security people from "local-webserver-gate," which (to me at least) really was an egregiously bad thing to do even if the intention was just to make the user experience more seamless.
When I was in the Seattle startup scene, I came to the conclusion that the Silicon Valley bubble had become overrun with charlatans, grifters, and amoral people only interested in making a quick buck. Pretty much any rando who grew tired of being a used car salesman could max his Visa card putting together a flashy office and a piece of craptastic demoware as a lure to hook investor money.
I think it's just a natural progression. Sleazeballs follow the money.
When flipping houses became popular, the worst kind of people started flipping houses to make a quick buck. When day trading became popular, the worst kind of people started day trading to make a quick buck. When software started becoming big business, the worst kind of people started pretending to be "startups" to make a quick buck.
For a more historical perspective, see also: Railroads, mining, logging, banking, shipping, etc...
Selling to the privacy and security conscious is a quick way to bankruptcy. The vast majority of the participants don't want to pay for anything, insist on open source, are never satisfied and generally don't even know much, they're just paranoid and can't distinguish between good products and bad.
The users themselves choose to patronize the businesses that optimize for growth. People don’t value security, and don’t know how to evaluate it. They do know how to evaluate the least number of clicks to get the other person’s video stream on their screen with the least number of errors.
There is no incentive for startups to focus on good security. There is also no meaningful punishment for failing to secure your product (see Equifax). No carrot and no stick = recipe for disaster.
> Zoom uses a "shady" technique — one that’s also used by Mac malware — to install the Mac app without user interaction
It reminds me of the Dropbox trick they used to get past the accessibility restrictions. The implementation is different, but it's essentially to get around all the limitations that Apple has been building into macos.
I feel like developers shouldn't have to fight the operating system.
We're in a pandemic. Telecommunications are of paramount importance to people working in emergency and other services throughout the world. So of course, security and privacy are more paramount than ever. But by releasing more and more "problems" with Zoom, it slowly forces organizations to abandon Zoom as a telecommunications option. Eventually people will not be allowed to use Zoom to do their jobs, which will make those jobs even more difficult than they already are. Social distancing by itself saves lives by keeping infection (and thus death) rates down, and this software is a critical part of making that work.
> Because Wardle dropped detail of the vulnerabilities on his blog, Zoom
> has not yet provided a fix. In the meanwhile, Wardle said,
> “if you care about your security and privacy, perhaps stop using Zoom.”
This is not the time to release 0-days in telecommunications software, people need this software to save lives.
If you work in InfoSec, or just idle in random hacker channels, please push back on this kind of behavior. It would be "irresponsible" at any other time, but in this era, it's literally life-threatening.
Can someone explain why I keep seeing Zoom on the frontpage? What sets it apart from the rest that it gets discussed on HN so often recently? Is it a YC company?
It's a spinoff of the covid crisis. The rush to remote work has made Zoom much more prominent than it was a few weeks ago. This has attracted a flood of attention, so a lot of spotlights are trained on it right now. For the same reason, we've been hearing all about ventilators lately [1]. That's not a ventilator plot, it's article moths flocking to the spotlights.
With Zoom there are compounding factors. Software, video conferencing, video conferencing software, and software businesses are all topics in HN's wheelhouse—as is anything security or privacy related. There have been security and privacy surprises (shall we say) with Zoom in the past, so people are naturally hunting for more. Also, readers are primed to pattern-match any new findings as part of the ongoing sequence. That's a strong multiplier. Familiarity reactions—cache effects, if you like—magnify how much attention a story attracts. There was a similar, though slower-motion, sequence of stories about Facebook last year.
It's not a YC company.
When there's a major ongoing story, such as the current crisis, floods of follow-up and copycat posts appear, since every website and media outlet wants in on the action. After the Snowden deluge of 2013, we learned to moderate these counter-cyclically, so that HN can surf the big waves without getting totally sogged with repetition. The test for a new submission on a MOT (Massive Ongoing Topic) is: does it contain SNI (Significant New Information) [2]? If no, we downweight the MOT. If yes, we try to have one thread about each SNI. I just made up those TLAs.
Zoom has become a MOT in its own right. You can tell that when objections like [3..9] start cropping up. The question is: is the OP a SNI?
Can we stop using and finding bugs in the close-source Zoom and direct that effort to finding bugs in the open source Jitsi (or any other open source solution) instead?
Even though it's free and open source there will be bugs and usability issues that need to be solved. If we pool our effort right we can make open source solution into "just works" solutions, reducing the need for companies like Zoom.
If you propose a new videoconf solution, and the first time a C-suite or major prospect joins the call the call buffers, or someone doesn't have the right drivers installed, or someone doesn't know how to click the link - you are absolutely getting hauled over the coals afterwards.
No one, at any company wants to get the "We're a technology company - why can't we organize a video call?" line.
Convenience is often neglected by people proposing a privacy-conscious, self-hosted FOSS alternative that merely requires you to install it from binary and configure your own Digital Ocean droplet, but it really does matter.
This is absolutely true in practice, but there are degrees. Approximately 0 people are going to go full tinfoil hat and setup their own self-hosted FOSS solution, but we absolutely should care if a product like Zoom does something like, say, installs a local web server to bypass security controls on a user's browser which can potentially open up any number of devastating remote exploits that would be easy to exploit by any script-kiddy.
The fact that most users don't care is more reason why product developers HAVE to care. I could just as easily say "only paranoid security people care if we hash their passwords in our database so why waste the CPU cycles?" And I would be right, the vast majority of users don't know anything about storing passwords securely but they absolutely care whether their passwords get pilfered by an attacker and used to compromise their account.