Jonathan Leitschuh Medium

Zoom's zero day bug bounty write-up  ↦

By now you’ve probably heard about Zoom’s zero day bug that exposed 4+ million webcams to the bidding of nefarious hackers. Security researcher Jonathan Leitschuh shared the full background and details on InfoSec Write-ups:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However…

If you use Zoom or if you’ve EVER installed Zoom, read Jonathan’s write-up and take appropriate action to update Zoom or to remove the lingering web server it leaves behind. Confirm if the server is present by running lsof -i :19421 in Terminal.


Discussion

Sign in or Join to comment or subscribe

Jerod Santo

Jerod Santo

Omaha, Nebraska

Jerod co-hosts The Changelog, crashes JS Party, and takes out the trash (his old code) once in awhile.

2019-07-10T18:06:53Z ago

I launched it today and saw an update available. I installed it. lsof doesn’t show anything listening on that port, so I assume the update removes the web server component?

Adam Stacoviak

Adam Stacoviak

Houston, TX

Founder and Editor-in-Chief of Changelog. Hacker to the heart.

2019-07-11T19:14:52Z ago

Apple has pushed a silent Mac update to remove the lingering web server Zoom leaves behind ~> https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

Apple said the update does not require any user interaction and is deployed automatically.

Also, what is this magic auto-update system Apple speaks of? Anyone else aware of that being a thing? They can just write new software to my OS??

0:00 / 0:00