A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission.

UPDATE - July 9th (pm)

According to Zoom, they will have a fix shipped by midnight tonight Pacific time removing the hidden web server; hopefully this patches the most glaring parts of this vulnerability.

RingCentral's web conference system is a white-labeled Zoom system.

If you have updated Zoom to the latest version, you are now greeted with this new UI confirming you would actually like to join the meeting. The Zoom CEO has also assured us that they will be updating their application to further protect users' privacy.

Disclosure timeline:

- Requested security contact via Twitter (no response).
- Contacted Zoom Inc via email with 90-day public disclosure deadline.
- Informed that Zoom Security Engineer was Out of Office.
- Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
- Requested confirmation of vulnerability.
- Response from Zoom Security Engineer confirming and discussing severity.
- Vulnerability disclosed to Chromium security team.
- Updated Zoom with the suggestion from Chromium team.
- Vulnerability disclosed to Mozilla Firefox security team.
- Disclosed details of impending DNS expiration.
- Video call with Mozilla and Zoom Security Teams.

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a 'quick fix' Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th, after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the 'quick fix' solution originally suggested.

Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed, and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.