Zoom's zero day leaves behind a mess

Zoom, the video conferencing app that went public for billions of dollars back in April, has a serious vulnerability that allows users to be forced into video calls without their permission. But, it's also the weirdest side-door into an app I've ever seen.

A researcher discovered the flaw, which begins with the Zoom app installing a web server on your macOS computer, and was able to cripple the machine by overwhelming that undocumented server with bogus traffic. That part is fixed, but Zoom is not fixing the other problem: adding you to calls without your consent.

The video call issue exploits that local server, which is a hack designed to make it easier to join a call by sending you to a local URL. Visiting that URL would join you to a call with your webcam enabled, no interaction required. That's something of a nightmare—and it even works if you just embed an iframe with a specially crafted URL into any website!

Zoom hasn't fixed this issue, so if you click this link, you'll be launched into a call with your video on (if you use a Mac). Instead of addressing the issue, Zoom simply says they "give their customers power to choose how they want to Zoom." In other words, they don't care about your privacy.

Perhaps the most dastardly part of this discovery, however, is that the web server Zoom drops on a Mac is not removed when uninstalling—it stays active in the background, secretly. That server magically reinstalls the software without user interaction if you ever click a Zoom link, which, in my mind, is the definition of a virus.

Removing that backdoor is non-trivial: it takes a terminal command, which is beyond most users' capabilities. Even scarier, it's still unclear what the server actually does, and whether or not it's collecting other data behind the scenes, a concern the researcher mentions as well.
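For readers who want to check their own machine, here is an added example (my own script, not Zoom's code and not the researcher's command) that tests whether anything is still listening on a local port and whether the leftover directory survived the uninstall, and can remove that directory. The port and directory are placeholders, since the post names neither; substitute the values from the advisory before use.

```python
import shutil
import socket
import tempfile
from pathlib import Path

# Placeholders: the post names neither the server's port nor its directory;
# substitute the values from the researcher's advisory before use.
LOCAL_SERVER_PORT = 12345                          # placeholder port
LEFTOVER_DIR = Path.home() / ".example-leftover"   # placeholder path

def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port (the server is up)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def leftover_dir_exists(path: Path) -> bool:
    """The uninstaller reportedly leaves the server's directory behind."""
    return path.is_dir()

def assess(port: int = LOCAL_SERVER_PORT, path: Path = LEFTOVER_DIR) -> dict:
    """One verdict a user or fleet script can act on."""
    listening, leftover = port_is_listening(port), leftover_dir_exists(path)
    return {"listening": listening, "leftover_dir": leftover,
            "needs_cleanup": listening or leftover}

def remove_leftover(path: Path, dry_run: bool = True) -> bool:
    """Delete the leftover directory; dry_run only reports. Stopping the
    running process is a separate step this script does not take."""
    if not path.is_dir():
        return False
    if not dry_run:
        shutil.rmtree(path)
    return True

def selfcheck() -> tuple:
    """Exercise the checks against a constructed listener and a temp directory."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))            # the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    live = port_is_listening(port)
    srv.close()
    dead = port_is_listening(port)        # refused once the listener is gone
    tmp = Path(tempfile.mkdtemp())
    found = leftover_dir_exists(tmp)
    removed = remove_leftover(tmp, dry_run=False)
    return live, dead, found, removed, tmp.exists()
```

Run `assess()` to get the verdict; a listener that is still up after the directory is gone means the process itself also has to be stopped.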

Zoom has millions of users, so dropping a quiet, undocumented backdoor on their computers is unacceptable, and a massive liability in the long term. I'd be surprised if we don't see Apple reprimand them, or revoke their security certificate, in the coming weeks.

This is the first time we're learning about the existence of this secret server, and Zoom continues to stand by the fact that they use this method—if I were them, I'd be afraid of the next researcher not being as friendly, but rather, exploiting it at scale. Sounds like the perfect way into a few million business devices, if you ask me.


Tab Dump

British Airways received a record £183m fine for data breach under GDPR
Your data has a price attached, and GDPR was designed to actually provide recourse against tech companies that don't take care of it. British Airways was compromised in 2018, exposing the data of 500,000 customers to attackers. It's unclear if individual users will be paid out, but the fine values user data at about £36 a pop.

Superhuman's "fixes" don't actually solve the tracking problems
Last week, Superhuman was accused of violating people's privacy with secret tracking pixels, which got the internet up in arms. It addressed the issue a few days later, but Mike, who uncovered this in the first place, is back with a sequel about the fact that the issue isn't really solved at all.

Instagram's new tools for bullying help encourage better behavior
This is an interesting set of new tools for helping discourage bullying on social media, with small nudges in the right direction rather than outright blocking. One of the new features uses AI to detect offensive comments, and delays posting the message with a simple note: "are you sure you want to post this?" That small nudge, it turns out, helps encourage people to undo their comment. More of these ideas on other social networks, please?

How Facebook tracked and fought hoaxes about itself, using a tool called Stormchaser

Two years on, the WannaCry malware is still active in thousands of networks—only held back by a researcher's "kill switch"
And, best of all, this researcher maintains that kill switch out of mostly good will. If it ever went away, these companies would be devastated.

The FBI and ICE have found a gold mine for facial recognition: your driver's license