ZOOM fixes their own mistake
by Volker Weber
Full story with updates here:
Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.
Mistakes were made. And quickly resolved.
Comments
Scheinen eine automatische Übersetzung zu nutzen: Die Webbrowser Kunde wird automatisch heruntergeladen, wenn Sie anfangen oder beitreten Sie Ihre erste Sitzung Zoom und ist auch für den manuellen herunterladen.
I'm afraid to say this does not seem to be completely correct: Zoom were first informed of the issue back in March, and it seems to have been a protracted exercise to get it resolved:
Volker, I strongly disagree with letting Zoom off the hook this easily. The way they brushed off and disregarded @JLLeitschuh’s responsible disclosure—until the whole thing blew up in their face—shows a frightening lack of concern for proper security procedures, which is totally unacceptable for a company that is is installing persistent, internet-facing software on millions of endpoints without the users’ knowledge.
Mistakes were not quickly resolved, it took over 100 days.
They deserve to be slammed, hard, for this. Once their fixes have been deployed and independently validated, then perhaps they can be forgiven.
BTW I see they state, “We are stopping the use of a local web server on Mac devices.” That’s not reassuring. I gather there are vulnerabilities on Windows as well, and the only responsible thing to do is to shut down all of these local web servers until the problems are fully understood.
Chris, you gather. Guilty without proof? Do you have any idea why they tried the server in the first place?
I was in the POC Zoom chat with @JLLeitner, and a participant mentioned that Zoom runs a similar web server on Windows. I haven’t verified this myself. If they don’t use a web server on Windows, or are disabling it now, they could say so in their statement. They do not currently deserve the benefit of the doubt in that respect.
The reason they ran the web server in the first place is because it allowed them to offer a mechanism to join a conference with a single click from a web page, which they considered to be a competitive advantage. See, e. g., https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/
They are intentionally bypassing the legitimate Safari security dialog “Do you want to allow this website to open an application on your computer?” which users of other solutions have to click through.
The ZDNet article explains how they do this, using a rather clever exploit—it’s hard to use another word—with an undocumented local service running from an obfuscated location, the invisible ~/.zoom directory.
This is the sort of behavior normally associated with malware.
Well, have they fixed it or not?
Fixed, yes. But this is still a huge breach of trust - very much in line with Google's constant string of abuses for years. They do something "cute", and it's all fine - until they get caught. Then it's "oops, tee hee!" or "Yeah, but think of the convenience we provided you!"
Aside from the overall shortsightedness of the decision to implement the web server in the first place, the simple fact that uninstalling Zoom *didn't* also uninstall the web server is 100% no-go in 2019. @Chris is right - this is pure malware behavior. And completely unacceptable from a corporation attempting to paint themselves as legitimate -- especially one with an ex-Cisco guy as the CEO.
I'm a bit tired at the moment to give it much deep thought, but I wouldn't be surprised if this gets stretched a bit into a GDPR violation in the EU.
LOL. This is an attempt to make joining a video conference more convenient. So you don't have to routinely click away a dialog that nobody reads anyway since it appears all the effing time. How does that relate to GDPR?
Throwing an app in the trash bin does not "uninstall it". It just makes the visual parts disappear. You would be surprised at how many system extensions you are accumulating on your Mac over the years.
Apple hat sich eines silent Updates für Zoom bedient. Das letzte Mal wurde das vor zwei Jahren gemacht.
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
@Vowe - does Zoom collect personal data? Yes, they do. You provide consent for this when you install and use their services.
The GDPR requires that withdrawal of such consent be available, easy, and honored. Uninstalling a piece of conferencing software is the ultimate withdrawal of consent. But Zoom's web server ignores this by re-downloading it "for" you. Is this honoring withdrawal of consent?
Legally, at the very least, Zoom likely has standard secondary liability for the exploit itself to anybody who proactively "tried" to uninstall the software. But I wouldn't rule out this entire fiasco as a potential GDPR violation as well.
You don't have to rule it out, Erik. You actually have to prove it. Your opinion does not really count.
Since you read the consent what does it say about termination of contract? If you uninstall your Facebook app, you do not terminate your contract with Facebook.
I just cleaned up my Mac and removed a bunch of system extensions, one of them being a WebEx component to facilitate video conferencing. It was left behind from some webinar. It would always be running inside macOS, although I attended only one webinar?
That was quick: RCE.
https://nvd.nist.gov/vuln/detail/CVE-2019-13567
Apple certainly was quick to bring down the MRT banhammer on that webserver—not a moment too soon.
People always complain about the nanny Apple, but this is an instant, where it was really helpful to have somebody look after their customers.
@Vowe - I have no plans to take Zoom to court, so I'm not attempting to prove anything. I mean, quite literally, what I originally said: I wouldn't be surprised if this gets stretched a bit into a GDPR violation.
The concern as I see it is not contract-related. With Facebook you create an account - any installation of their software is completely optional and of course has no bearing on your account or relationship with Facebook.
My question is regarding consent, and specifically in the free-client scenario. According to Zoom's terms of use, which you agree to during installation, you consent to personal data collection by using their services. This implies that if you don't use the services you don't consent to personal data collection.
Under the GDPR the means to withdraw consent must be provided as easily as it was granted. So the user thinks "I'll uninstall now..." If someone actively uninstalls the program but afterwards is still being forced to "use" it, and therefore still providing personal data to Zoom, does the user have control over consent?
To clarify: I don't think this actually *will* turn into GDPR action. I think it's extremely unlikely that anyone will actually be taking Zoom to court over this, absent proof of some theft of intellectual property caused by the exploit. Or a regulator hungry for some revenues from fines (though I don't see this happening either - the regulatory board is slammed as it is).
+1 With you and Chris on Apple.
