Stream: social
Topic: Zoom.us on Mac Security Issue
Gino Canessa (Jul 09 2019 at 16:37):
Hi everyone, not sure if this is the right channel but I know that several groups use Zoom.us for meetings and thought I'd post this in case people haven't seen it: Medium Post: Zoom Zero Day.
TLDR: If you have ever used Zoom.us on a Mac (even if uninstalled afterward), a website can start a meeting and turn on your camera and audio. Proof of Concept linked in the article (site starts a meeting - can chat with everyone else testing it out). Has steps at end of article to address.
Brian Postlethwaite (Jul 09 2019 at 23:14):
That is quite an oops.
Ray Murakami (Jul 10 2019 at 00:36):
Zoom.us supplied the patch for it.
https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
Maybe it would be a not-to-do in addressing EMR/EHR usability issues, either.
Dave deBronkart (Jul 10 2019 at 20:57):
Thanks @Ray Murakami. All, to apply the patch, now all you need to do is start Zoom and do Check For Updates.
Is there an award for being disingenuous and/or monumentally stupid? From the blog post about the patch:
We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client. The user needs to manually locate and delete those two apps for now. This was an honest oversight.
That's what the patch fixed. But ... seriously?? "Honest oversight" - "Sorry, we accidentally left our web server on your computer"??
John Moehrke (Jul 10 2019 at 21:23):
Relevant to the FHIR community, as there is rampant use of CORS: there is evidence the Zoom failure was caused by the development team not understanding how to use CORS right -- https://fosterelli.co/developers-dont-understand-cors
</grreplace>
<gr_replace lines="23" cat="remove_boilerplate" orig="pasted image">
Jenni Syed (Jul 10 2019 at 21:38):
People also think CORS keeps your server side secure. It doesn't, only from a specific threat (browser is the only side enforcing this security, so it's only client side...)
Richard Townley-O'Neill (Jul 11 2019 at 06:44):
The blue square with an arrow link gives a 404.
pasted image
Last updated: Apr 12 2022 at 19:14 UTC