This Zoom Vulnerability Gives Hackers Full System Control

  • Published: 8 Sep 2024
  • In this video I discuss two recent privilege escalation vulnerabilities that have been discovered in Zoom and their failures to properly fix them.
    Link to Patrick Wardle's slides from his talk at Defcon about this.
    speakerdeck.co...
    ₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
    Monero
    45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
    Bitcoin
    3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
    Ethereum
    0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
    Litecoin
    MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
    Dash
    Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
    Zcash
    t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
    Chainlink
    0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
    Bitcoin Cash
    qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
    Ethereum Classic
    0xeA641e59913960f578ad39A6B4d02051A5556BfC
    USD Coin
    0x0B045f743A693b225630862a3464B52fefE79FdB
    Subscribe to my RUclips channel goo.gl/9U10Wz
    and be sure to click that notification bell so you know when new videos are released.

Comments • 535

  • @caleblagrange7164 2 years ago +458

    Just goes to show the insanity of having a closed-source client. If you think free software is BS and want to protect your IP you can still open-source your client at least. There is no reason not to take free help when you still have control over your own servers.

    • @bagzhansadvakassov1093 2 years ago +8

      Log4j

    • @pushqrdx 2 years ago +18

      It being closed source didn't make it harder/easier to audit than open source software, you audit both the same way, rarely do you ever catch serious vulnerabilities by skimming source code. Also, according to the Linux Foundation, open source software tends to be less secure and has more vulnerabilities overall, usually due to maintenance, lack of time/skill, which can occur anywhere in the dependency chain

    • @uuu12343 2 years ago

      This has nothing to do with closed source
      Stop pushing that idea already, it's just as bad with open sourced sometimes
      It's entirely software developers being software developers doing stupid fucking dumb shit

    • @freedustin 2 years ago +3

      @@pushqrdx not to mention the compiler could be bugged, and that would never show in the random app's source code.

    • @caleblagrange7164 2 years ago +13

      @@pushqrdx well, that kind of shows what the difference is, doesn't it. Lack of time and skill. If a large company opened up the source for their client then people could quickly patch bugs. Smaller projects with fewer eyes would still be vulnerable.

  • @horpuscorpus8299 2 years ago +544

    I still don't understand why everyone flocked to use this for their video calls instead of something from Microsoft or Google. Because at least then I'd have a little more faith in big tech keeping their spyware more secure rather than some random company that I've never heard of. This glows red tbh

    • @Anonymous4045 2 years ago +100

      ye, ms and google already have my info, now zoom does too

    • @y00d 2 years ago +69

      At least MS/Google can code

    • @markm0000 2 years ago +129

      @@y00d Lmao if you've truly experienced the cobbled together mess that is Windows registry nowadays you wouldn't say that.

    • @user-vd6sf2og7i 2 years ago +8

      Google Meet sucks, it is bugging very frequently; maybe that's why fewer people are using it...

    • @WizardNumberNext 2 years ago +14

      Why Zoom, Microsoft or Google?
      All of them are exactly the same.
      Why not Signal?

  • @cameronmoore136 2 years ago +637

    I genuinely think the school system should be sued for subjecting children to closed-source software. It's not the government's right to subject things we have no real way of knowing what it does to our children.

    • @Keirnoth 2 years ago

      You should look at the egregious shit modern "teachers" will teach kids in public school systems.
      Hint: They're predators.

    • @Bulborb1 2 years ago +34

      Right and now it's done and over all the data is irrevocably online.

    • @thomas.thomas 2 years ago +53

      Our school gladly didn't allow foreign software servers, so we had our own servers in the school's basement for email, video calls and even file storage

    • @shinyrayquaza9 2 years ago +31

      not just closed source but some violate privacy like iboss or lockdown browser WHICH CAN CHECK IF YOU ARE ON A VM or even worse proctor u

    • @gplastic 2 years ago +11

      @@shinyrayquaza9 I remember when my middle school implemented iboss.. Thank god the UEFI of our high school laptops still allowed you to run Linux live USBs.

  • @ChangeofGravity 2 years ago +27

    Clicked for the meme thumbnail. Stayed for the info.

  • @stungunnotapplicable1953 2 years ago +66

    All these exploits and vulnerabilities, and people wonder why I refuse to run Zoom on my PC without first sandboxing it in a virtual machine.

    • @deathkeys1 2 years ago +1

      you are the real mvp here!

    • @ekremaslan8068 2 years ago

      Do you seriously not know that 95% of the humans don't have the mental facilities to understand and care about these things?

  • @kiyoshi6247 2 years ago +69

    Imagine you keep using bad software despite the entire industry of security experts saying it's trash. People ignored the TikTok data collection for 3 years now, I guess it's just natural selection by now.

    • @deerboutin8899 2 years ago +16

      Wouldn't use it if it wasn't forced upon me at uni. It's been selected as the default video conferencing tool for classes! And this despite the fact they also pay for MS Teams subscriptions

    • @OfficialDJSoru 2 years ago

      Unfortunately we have to work for these idiots, and they force us to run this shit. Keep a basic throwaway laptop for this.

    • @absolutelydegenerate1900 2 years ago

      @@deerboutin8899 true it’s the absolute WORST

  • @noooonotko6bxl 2 years ago +100

    imagine messing with the teacher with this during a zoom class. A tier trolling

  • @TheoryToE 2 years ago +83

    Mad respect to you here. It baffles me that zoom is still making dumb security choices, especially considering the large userbase.
    The constant criticism of Zoom and its handling of security led me to just start using Jitsi; it's free, with no time limit. Best of all, I can host it on my own terms!
    Keep up the good work!

    • @fresh_dood 2 years ago +5

      It's not baffling, I'd imagine it's purposeful. It's a Chinese developed product and we're constantly in a cyber cold war with them

  • @marcopisco 2 years ago +250

    Of course. The world's number one "video suite" has to have vulnerabilities.

    • @sj3614 2 years ago +28

      @John Smith huh?

    • @Anonymous4045 2 years ago +39

      @John Smith i dont have the vulnerabilities tho

    • @aaaaaa-hh8cq 2 years ago +1

      @@Anonymous4045 😂

    • @kiyoshi6247 2 years ago +7

      It was vulnerable before even releasing to the public, it's beyond shitware.

    • @runed0s86 2 years ago

      Skype works better still.

  • @barmaley8033 2 years ago +173

    Now, even if I show my teachers this vulnerability, they will still force us to use this trojan with Pandora's box inside!

    • @genken7880 2 years ago +12

      Doubt boomers care lol

    • @markm0000 2 years ago +6

      @@josephvanname3377 You technically can be ageist if you hike up the requirements for a job position.

    • @tildejustin 2 years ago +24

      @@markm0000 10 years carbon lang experience

    • @vxicepickxv 2 years ago +6

      Yell at the school board. The teachers don't have control of how the IT infrastructure is handled.

    • @uuu12343 2 years ago

      @@josephvanname3377
      You are batshit insane

  • @sdjhgfkshfswdfhskljh3360 2 years ago +183

    The major hole with silent automatic updates is that software authors can be hacked or just decide to sell all users to hackers.
    With updates that are confirmed by the user, there is a time window when the user can read the news and know that he should not install the fresh update.

    • @markm0000 2 years ago +30

      Nah mate automate everything with poorly coded scripts and just sit back while a group of devs in India do your job for you.

    • @gwentarinokripperinolkjdsf683 2 years ago +9

      Or software authors can just be malicious.

    • @Alex-ee5pl 2 years ago

      They're not in India, silly.
      They came from India but now they're already in Canada. The instant they get Canadian citizenship they're going to apply for US citizenship and then they can do their mediocre work here while taking advantage of our institutions and infrastructure.

    • @Ultrajamz 2 years ago

      This is why I always preferred “portable” installs on windows. I’ll choose when to update.

    • @ajbrady4357 2 years ago

      Snapchat…

  • @FourOf92000 2 years ago +9

    that thumbnail is the greatest crossover of all time

  • @drrenard1277 2 years ago +41

    I still have never used Zoom. I refused to use Zoom, even when my medical team was insisting on it. I kept fighting back saying that it's not secure nor HIPAA compliant as stated under HIPAA and NIST. I won out and Doxy won out in the end.

    • @kiloton1920 2 years ago +3

      Good for you. I hope you had the same stance on the new vaccines as well.

    • @kiloton1920 2 years ago +6

      Wait somebody really named a communication company doxy? That was dumb.

    • @Todija 2 years ago

      @@kiloton1920 Doxy Sounds like Doxxing, it is indeed dumb

    • @fss1704 2 years ago +1

      @@kiloton1920 yeah, like fantasia company in china.

  • @QuantumConundrum 2 years ago +27

    This isn't a problem with proprietary software, it's a problem with the Zoom security software engineers. There is plenty of open source software which has exploits just as big, and they go unaddressed for years. Open source is NOT a panacea for security, but I'll take the transparency. People seem to conflate transparency with security, and they are not the same even if it helps.

    • @blormpf1740 2 years ago

      Most closed source companies hire people whose background is (almost) entirely comprised of open source experience. GIGO.

  • @rjhornsby 2 years ago +9

    I hate the one line “fixed a boog” software release note. Your Home Alone parallel is both hilarious and accurate.

  • @Wampa842 2 years ago +31

    I have a VM dedicated entirely to Zoom, and it doesn't feel like overkill at all.

    • @takipsizad 2 years ago +1

      yeah probably no

    • @ghost-user559 2 years ago +13

      At this rate everything needs a separate vm, including real life

    • @galaxybolt1748 2 years ago +1

      @@ghost-user559 yes even real life

    • @ghost-user559 2 years ago +1

      @@galaxybolt1748 yes. I have a couple people in mind I wouldn’t mind running in a VM, probably most people if I had enough head-Ram

    • @thomas.thomas 2 years ago

      Gotta use a VM for every single Google search

  • @VolpeJosesk 2 years ago +28

    7:34 Well, when you are FORCED to use this crap at your job you have no option against that, so it's not because people are okay with that, it's because people are literally forced to be ok with that and install it on their machines.

  • @nalimlik9626 2 years ago +37

    At this point, zoom is basically just a backdoor you install on your own.

    • @dietrichdietrich7763 2 years ago

      There goes my ex-girlfriend's Zoom Classes and her Privacy (smh naughty girl)

  • @ihateyankees3655 2 years ago +12

    Zoom glows so bright that I need sunglasses

  • @blackfish96 2 years ago +2

    It is worth noting for everyone that is forced to use Zoom for their work or school, you don’t actually need to install the app to join Zoom meetings.
    After you click “download/ install”, your browser will download the installer file, but you can simply delete that. A new button will appear that says “having trouble? join via browser” and then you can hop on the meeting from your browser.
    This browser version is somewhat lightweight and has some limited features (no background on video, etc.) but it saves the trouble of installing a vulnerable app.

  • @cd-yx3nv 2 years ago +22

    I refuse to install it, and actively avoid jobs that require me to install proprietary hogwash.

    • @kraio-sfu 2 years ago

      Well aren’t you just so lucky. Not everyone can be as picky as you.

  • @baccanoverano9367 2 years ago +6

    It's probably a design feature but for corporate board members and government officials only

  • @alouisschafer7212 2 years ago +28

    Pretty depressing how people flock to this garbo service when there are alternatives

    • @vex6559 2 years ago

      Many are weaksauce and basic. Especially management...

  • @xYamakaze 2 years ago +4

    When I was finishing up school during the pandemic, if I needed to use zoom, I installed it minutes before the meeting, did the meeting, then immediately uninstalled. Same goes for those proctoring browsers. I'm so glad I'm done with school now.

    • @blemmyes 2 years ago +1

      I've heard those things leave traces on your system even if uninstalled. The only way to fully get rid of them is a clean reinstall of the OS.

    • @btd6vids 2 years ago +4

      You can join zoom from the browser

    • @prototry 2 years ago

      @@blemmyes Or you can just sandbox it in a VM.

    • @blemmyes 2 years ago

      @@prototry Doesn't work well with proctoring browsers, unfortunately.

  • @blindsniper35 2 years ago +20

    A lot of companies' security patches recently have been poorly done. It's concerning when the security patches have a security vulnerability or introduce even more.

  • @Br4ntburz 2 years ago +9

    Finally an all-in-one reference material for all my hopelessly optimistic colleagues.

  • @qmillomadeit 2 years ago +8

    I only run Zoom on Windows VMs. I'm so glad I got into virtualizing and using Linux as my base OS

  • @TheTundraTerror 2 years ago +106

    Wow, who would have guessed that a program headed by someone from China would have these kinds of vulnerabilities?

    • @markm0000 2 years ago +26

      This is one of the reasons why I got out of IT. Something is seriously not right with our infrastructure. Pull up Wireshark and install an Alexa on your network.

    • @fossforever512 2 years ago

      @@markm0000 yeah any wifi enabled “smart device” which isn’t fully open source or better yet free software is likely just a massive front to spy on people

    • @ImperiumLibertas 2 years ago +24

      @@markm0000 never "listening" always "hearing" love the big tech bs.

    • @wister8528 2 years ago +1

      muh chynah has nothing to do with it. vulnerabilities like this are caused by corporate greed and hubris, which leads to closed source software like this

    • @jonathansmith1275 1 year ago +1

      least sinophobic amerimutt. let me guess, you are cucking for ukraine too?

  • @denizylmaz8131 2 years ago +68

    lmao why do these big applications have so many vulnerabilities? These companies have enough money to hire many extremely talented devs

    • @MentalOutlaw 2 years ago +76

      because the stock value is more important than the software's security

    • @markm0000 2 years ago +22

      @@MentalOutlaw What if I told you the true value in a software product isn't its public facing value, but the data it collects. Brands, companies, and stocks come and go but there's a certain group of people that know how to exploit the system. The rabbit hole never ends.

    • @zinjanthropus322 2 years ago +11

      It takes time to write good code. Time start-ups don't have as they quickly put together third party libraries to get things running as soon as possible so investors can start seeing some numbers.

    • @dickdiamonds3410 2 years ago

      They're obviously built this way on purpose. It happens too much and I fully believe that the majority of malware and ransomware attacks, and so on are tech industry insiders. Why else would it be like this? In b4 glowies

    • @sdjhgfkshfswdfhskljh3360 2 years ago +3

      Because users usually do not care. Which means they will still pay money to the company.
      When they get disappointed by bad software quality _and_ stop giving money, then companies will start improving quality.

  • @TheJackal917 2 years ago +15

    The most important question is: what are the alternatives, with the emphasis on security? Obviously, open source.

    • @UnixOath 2 years ago +7

      Jitsi Meet

    • @Crackhog 2 years ago +7

      @@UnixOath my teacher made sure the entire school would use jitsi instead of zoom back when the pandemic started

    • @DeeezNuts 2 years ago +1

      there's BBB (Big Blue Button) used by the uni I'm going to next month, it's OSS

    • @kantraa 2 years ago +1

      jitsi meet

  • @gregtechnewhorizons 2 years ago +6

    telling my teacher 2 years ago that zoom was a bad choice due to it being not open source, vulnerable, made in china, being essentially a trojan (...), still insisted to use it because "no other app has the features zoom has, plus she didn't encounter any problems using it"

  • @stevengill1736 2 years ago +17

    I remember when covid made people scramble for Zoom and always wondered why that one became the de facto choice...

    • @theepicduck6922 2 years ago +2

      It's cheap and works. That's about it.

    • @noahwilliams8996 2 years ago

      Probably its simple interface.

    • @HaartieeTRUE 2 years ago +5

      @@theepicduck6922 i present to the public: all other options that are FREE, not cheap and work

  • @Jelly420 2 years ago +31

    How long until Easy Anti-Cheat gets added to this software

    • @cd-yx3nv 2 years ago +3

      All low-level anti-cheats are bananas.

    • @kiyoshi6247 2 years ago +3

      It's superbly easy to bypass Easy Anti-Cheat.

    • @cd-yx3nv 2 years ago +1

      @@kiyoshi6247 It is superbly not.

    • @kiyoshi6247 2 years ago +1

      @@cd-yx3nv Laughs in arms race.

  • @fossforever512 2 years ago +57

    Anything that has “auto updates” is anti-freedom imo. If you don’t have control over a piece of software updating or not, you don’t have control of it at all

    • @AJ213Probably 2 years ago +2

      I would only be for forced updates. Like you can't use the software unless you update. Just thinking from a dev point of view.

    • @freedustin 2 years ago +6

      @@AJ213Probably that's fascist AF dude. How about if you had to leave your house because a builder on the other side of the world came up with a safer™ way to build so now your house has to be brought up to code before you can use it?

    • @AJ213Probably 2 years ago +9

      @@freedustin it always depends on the project. If you are not paying for it, you don't own it for proprietary software. Getting a forced update that makes things worse on RUclips sucks, but I didn't pay for this why should their developers have to support a user like me using older versions?
      Sure yeah I agree with your random analogy when it applies to certain types of software. But you really can't compare a home to a dumb free to play idle game on your phone. Maybe something like an operating system you pay for though. Not all software is equal.

    • @CrossfireCam-Aus 2 years ago +1

      Exactly. There’s a difference between companies needing to support older versions of their free web browser or video conferencing app, and companies being obliged to support customers who purchase expensive perpetual licenses.

    • @freedustin 2 years ago

      @@AJ213Probably see I might care about your argument but I am always paying for it so....eat it. I'm gonna pirate your shit and you can't stop me, I got a license with every piece of blank media I bought since the piracy tax (thousands.)
      And "support a user like me using older versions."
      There is no support WTF you talking about? You just made that up, there is no support required for me to run the old RUclips app on my phone, and in fact I have not updated that in years and Google has lost zero cents from that and it still works. Why would they pay to support the old working version? It still works, there's nothing wrong with it.
      And let's not even get into how they offer it for free from the beginning, so that was always on them. It's not my responsibility to make their business model make sense and profit, not my job.

  • @usertempeuqwer7576 2 years ago

    I got a zoom ad on how to secure your zoom call in 4 ways, hilarious ?! Literally after this video ended.

  • @Neko-san 2 years ago +9

    Please make a video about the Monero update that was released yesterday which increases the ring size for the first time and makes the transactions even more private

  • @ProvAlex 2 years ago +4

    Astounding how the good people at Jitsi can do so much more with so much less

    • @takipsizad 2 years ago

      fun fact Turkish government used it

    • @lennykump8396 2 years ago

      @@takipsizad sounds awful

  • @notuxnobux 2 years ago +16

    That's why I always run zoom in a browser

  • @erlgr 2 years ago +6

    Ffs, why did companies and schools decide to trust Zoom? It might be the shittiest piece of software out there right now, so many shady things, so many vulnerabilities...
    I'd even be fine with other proprietary meeting software, as long as it's not as shady and unsafe as Zoom is

    • @freedustin 2 years ago

      Corrupt government using media influence to pick winners and losers so they can invest "wisely."
      Zoom was around for what...a week before ZOOM logos were put on every sporting event on TV?

  • @duser 2 years ago +5

    Obligatory reminder Jitsi Meet exists and doesn't ask you to install a client to desktop. All browser-based.

  • @catcatcatcatcatcatcatcatcatca 2 years ago +9

    Correct me if I’m wrong but I thought verifying a signature meant unencrypting some form of text with the public key?
    Why even bother checking anything if you don’t require any secret

  • @spookwagen-thegreat1350 2 years ago +1

    Oh man if only twomad could've had access to this back during his class bombing days

  • @el_rymai 2 years ago

    my first year of college just began last week, the timing is funny.

  • @Stridsvagn69420 2 years ago +6

    I remember, back when we still had online classes, that every teacher would use Big Blue Button (open-source and self-hosted) - and they were also supposed to do that - and then there was my German and Latin teacher being like "Let's use Zoom" and literally no one liked it. I'm glad I was able to use the web client, but it wanted to always download the stupid Windows installer.
    I'm daily driving Linux now and I can also use KVMs if there's an evil spyware application that I'm forced to use. Plus I can just turn off my webcam by disabling the kernel module for it if I want to (I have a laptop so no unplugging), since they always wanted you to turn on cameras and forced you to do it, even if they aren't allowed to do that, even by law (so they basically did some illegal stuff. Amazing teachers...)
    The good thing is that I only encountered BBB after this. From an "it just works level", I wished they would've used Discord, but BBB is pretty good too.
    I have never used Microsoft Teams - from what I've heard from friends, it's just a bit less pain than Zoom - but I did use (and am still using) GSuite/Google Drive applications like Google Docs, Presentations, etc. and it is pretty solid. Google Meet seems pretty solid too, but I'd probably prefer Big Blue Button, since you host it yourself and thus can customize it and don't rely on Google services directly.
    But still, I will never understand why suddenly almost all teachers were like "Let's use Zoom!!! :O ", while there's a thousand better alternatives. True privacy gigachads would've used self-hosted Matrix or Signal for group calls I guess lol

    • @thomas.thomas 2 years ago +6

      Discord is shit tbh, nice features but bad privacy

    • @runed0s86 2 years ago +3

      Discord 'doesn't sell data'
      They sell full access of their servers to shareholders like tencent.

    • @DeeezNuts 2 years ago +1

      @@thomas.thomas very sh it, ffs just update your Electron package

    • @thomas.thomas 2 years ago

      @@DeeezNuts what does that have to do with an Electron package?

    • @DeeezNuts 2 years ago

      @@thomas.thomas they use an old version which is why the app is a piece of s in linux, without mentioning security issues

  • @JakeDaines 2 years ago +1

    Humans on appstores exist as a hivemind. # of downloads, star ratings, and comments saying "it works for free" are the pillars of excellence for most people. We live in a chaos theory realm where inferior products rise to the top arbitrarily.

  • @levprotter1231 2 years ago +5

    I feel vindicated for sticking to browser based versions.
    Especially when the clients are bloated electron apps.
    Sure browsers can have vulnerabilities, but at least it’s a known point of failure.

    • @szaszm_ 2 years ago

      Slack and Teams are bloated webviews, but Zoom is pretty fast, it's just insecure.

  • @bfrd9k 2 years ago

    The home alone part was pretty good.

  • @drskizz 2 years ago +1

    Vague changelogs are my biggest pet peeve in security.

  • @Chaminox 2 years ago +4

    Watching your videos is always very informative and interesting

  • @ohgodmanyo4662 2 years ago +11

    Bruh hackers still finding vulnerabilities in it even after 99% of the world's population forgot the software even existed

  • @TheJackal917 2 years ago +3

    Open source? Zoom's devs : ''Never heard of that''. Plus pikachu face.

  • @ionprimus5322 2 years ago +1

    Legendary thumbnail

  • @sexualstraftaeter 2 years ago +8

    I can proudly say I clicked on this video 5 seconds after it was uploaded

  • @scottdotjazzman 2 years ago +1

    Thank you for properly pronouncing daemon! Drives me nuts that people ignore the spelling...

  • @creeperkafasi 2 years ago

    lmao i like the way you used d(a)emon slayer images. Please keep making these great videos

  • @sven 2 years ago

    I like that the first link on Zoom's website is Support. In extra big. Like they know their software is trash

  • @bluegizmo1983 2 years ago +7

    I absolutely LOVE that Mac OS requires users to manually update software 90% of the time, because like you said, users are stupid and rarely go through the effort to manually do updates, and that usually makes it so incredibly easy for me to find a quick and easy hack entry point into most Mac OS systems!

    • @macktheripper7454 2 years ago

      I'm confused ..you're saying that you can scan a system based on software and not the usual running protocols?

  • @mohamedelidrissi810 2 years ago

    I don't blame the hacker in the thumbnail, I would love to join that call too.

  • @Shabasky1 2 years ago

    The Nezuko daemon face as soon as you said "force" 😂

  • @dixztube 1 year ago

    Aw man I love these videos. For some reason you’re hilarious to me, I'm like cracking up every video

  • @alejandroalzatesanchez 2 years ago

    Nice intro, I swear you were thinking _"Oh shit here we go again..."_

  • @videocommenter 2 years ago +3

    0:40 nice version number

  • @electroteque 2 years ago

    I've just been doing work changing my WebRTC conferencing feature into a lobby studio system like StreamYard.

  • @wastelander 2 years ago

    If my school uses zoom again, I'm going to join on a dummy account and stream this video to the ENTIRE class.

  • @pranav_ahuja 2 years ago +3

    good night, new delhi time

  • @general_prodigy 2 years ago

    I like how outlaw just puts up an anime demon when referencing software daemon

  • @smokejaguar986 2 years ago +3

    Hey man the NSA put a lot of work into this, be respectful

  • @jarrydlisher5673 2 years ago +1

    Unrelated, but it's funny how often I see software installation instructions for a RHEL-based system start with "setenforce 0" or telling you to disable SELinux entirely, when SELinux is there for exactly this purpose: when an application is full of holes, the system can still keep things compartmentalised and contained within a set context.

  • @blip-hn6is 2 years ago +2

    that's why Zoom has been updating non-stop for the past 6 months. I'm tired of my company computer restarting

  • @thomashanson3476 2 years ago

    one of your best thumbnails

  • @shady4tv 2 years ago

    haha this is awesome, just saw the Defcon talk for this exploit and now I'm seeing it here.

  • @sadaoo
    @sadaoo 2 года назад +1

    This is why I use the browser version

  • @brkbtjunkie
    @brkbtjunkie 2 года назад +1

    How did it ever become the “standard” when there were already more established video communication platforms???

    • @chrismclean3848
      @chrismclean3848 2 года назад

      Right?? Like my Uni made me use it when all of our stuff is Google based. We should’ve just used Google meet or something

  • @roboedar
    @roboedar 2 года назад

    Dude you have such a great sense of humor. I love these vids.

  • @deerboutin8899
    @deerboutin8899 2 года назад +7

    That under-qualified unsupervised unpaid intern who is getting assigned to all bug-fixes... RIP

  • @hartlink
    @hartlink 2 года назад

    And this is the main reason I've isolated VMs; thanks for sharing this information, as always very good content with memes and fun.

  • @justananimefan1570
    @justananimefan1570 2 года назад

    This is why you should make VMs or use sandboxing software for any piece of software that actively communicates with other people, I don't care if it's Zoom or Discord.

  • @Tawnos_
    @Tawnos_ 2 года назад

    Hope you had a good CON!

  • @stopthephilosophicalzombie9017
    @stopthephilosophicalzombie9017 2 года назад +1

    Fascinating video. Thank you.

  • @waltz9230
    @waltz9230 2 года назад +1

    But what do you recommend for businesses that require an established platform for video calling? Teams is what we currently use. I’d love to use FOSS but unknown names can be off-putting for clients.

  • @electroteque
    @electroteque 2 года назад

    What people need to know regarding Apple developer accounts and getting their signing certificates: their login system is 100 years stuck in the past and crap. No YubiKey for logins. Hackable phone authentication and crap security questions, leading to companies getting their developer accounts hacked.

  • @WMan37
    @WMan37 2 года назад

    I remember about the time people started using zoom en masse post-covid there were a bunch of reports of shady things happening with that app, there's no way I would ever use this, and if I was forced to, I'd try to do so in a virtual machine at the very least before I even knew about this vulnerability.

  • @sj3614
    @sj3614 2 года назад +4

    And this still won't be enough for people to switch to Jitsi.

  • @bradleybrewer9576
    @bradleybrewer9576 2 года назад +1

    Its biggest issue is that government agencies are forcing people to use it for school and court, so that could explain why it's not getting patched. It seems very glowy indeed. I can say that my local government is exploiting Zoom in the open. It's a big enough issue that I got a new SSD to remove it from my PC, because just uninstalling it isn't enough; they were still in my PC, I could see it in the IP trace log still connecting to my PC.

  • @blendingsentinel4797
    @blendingsentinel4797 2 года назад +3

    I upgraded my mom to Mint due to problems on Winblows. Everything is perfect on her device now, except that her branch of the business requires her to use ZOOM. Yes, I am disappointed, not in her but in the business.

    • @markm0000
      @markm0000 2 года назад +8

      I suggest creating a VM with Windows 11 to use Zoom and passing through the webcam. Only turn it on for the meeting and nothing else.

    • @bettercalldelta
      @bettercalldelta 2 года назад +1

      @@markm0000 That's what I do for school. Works perfectly.

    • @takipsizad
      @takipsizad 2 года назад

      @@markm0000 I don't advise a Win 11 VM

    • @takipsizad
      @takipsizad 2 года назад

      Win 7 or Win 10 at most

    • @markm0000
      @markm0000 2 года назад

      @@takipsizad It doesn’t matter what version of Windows you use. If it’s in a VM it won’t get to your data.

  • @kazu4613
    @kazu4613 2 года назад

    Thankfully when I rarely need to use Zoom and other crapware, I've been running them through a VM. Appreciate the setup guide for Windows KVM btw :D

  • @0x007A
    @0x007A 2 года назад

    I tell people to send an email if they want to communicate with me. No video conferencing, no SMS, and no stupid social media apps unless it is 100% encrypted end-to-end and never gets stored on a server except as a transport waypoint. Any non-scheduled, unapproved, inbound voice calls go to voicemail /dev/null, that is, I ignore it and let it expire.

  • @Relkond
    @Relkond 2 года назад

    Huh, in my own installer/verifier, I don't have either of the first two discussed vulnerabilities, and I'll be the first to admit: I'm half-assing it.
    - Verifies resource checksums against the server before using them. Signatures are still a thing, but if the server doesn't recognize the checksum on a file, the client axes the file. This happens every single launch.
    - Evaluates bundle checksums while unpacking (classic swap-after-verify isn't possible). Honestly, I didn't do this for security, I did this for performance. Why read big files twice when you can get by with reading them once?
    - Doesn't run privileged. Even if it gets pwned, you only get normal user access. Granted, that's a foot in the door, but it's still not access to anyone's crown jewels.
    Nope, not interested in hiring out for these guys. I'm half-assing it; they need someone who will take security seriously. That's not me.

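    The swap-after-verify window that the commenter above designs around is the classic verify-then-use (TOCTOU) bug in installers: a checksum or signature is computed on a file by path, the file is later reopened by path for extraction, and anything that can write to that path in between (a local attacker racing the installer, or simply pausing it) gets its own content installed under the trusted file's verdict. The following is an added example, not code from Zoom, from Patrick Wardle's research, or from the commenter's own installer. It shows the vulnerable pattern beside the "read once, hash as you go, extract from the bytes you hold" pattern the comment describes, and adds the member-path vetting any unpacker should do. The `race_hook` callback, the tar payloads and the `demo()` scenario are constructed for illustration; the attack window is simulated rather than raced for real.

```python
"""Verify-while-unpacking versus verify-then-reopen.

Added example (not Zoom's or any commenter's code). The attacker's
write into the verify/use window is simulated with `race_hook`; tar
contents are constructed inline.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile
from pathlib import PurePosixPath
from typing import Callable, Dict, Optional

CHUNK = 1 << 16


def build_tar(files: Dict[str, bytes]) -> bytes:
    """Constructed sample package: uncompressed tar of name -> content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _check_members(tar: tarfile.TarFile) -> None:
    """Reject entries that would escape dest_dir or plant links/devices."""
    for m in tar.getmembers():
        parts = PurePosixPath(os.path.normpath(m.name)).parts
        if m.name.startswith("/") or ".." in parts:
            raise ValueError(f"unsafe path in package: {m.name!r}")
        if not (m.isfile() or m.isdir()):
            raise ValueError(f"unsupported entry type: {m.name!r}")


def _extract(tar: tarfile.TarFile, dest_dir: str) -> Dict[str, bytes]:
    """Vet members, extract, and return {relative path: content}."""
    _check_members(tar)
    os.makedirs(dest_dir, exist_ok=True)
    # Python 3.12+ ships a "data" filter that adds its own checks; use it when present.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest_dir, **kwargs)
    out: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(dest_dir):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as f:
                out[os.path.relpath(p, dest_dir).replace(os.sep, "/")] = f.read()
    return out


def verify_then_open(package_path: str, expected_sha256: str, dest_dir: str,
                     race_hook: Optional[Callable[[], None]] = None) -> Dict[str, bytes]:
    """VULNERABLE: hash the file by path, then reopen it by path (TOCTOU window)."""
    h = hashlib.sha256()
    with open(package_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    if not hmac.compare_digest(h.hexdigest(), expected_sha256):
        raise ValueError("checksum mismatch")
    if race_hook:
        race_hook()  # simulated attacker writes to package_path right here
    with tarfile.open(package_path, mode="r:") as tar:  # trusts whatever is on disk now
        return _extract(tar, dest_dir)


def verify_while_reading(package_path: str, expected_sha256: str, dest_dir: str,
                         race_hook: Optional[Callable[[], None]] = None) -> Dict[str, bytes]:
    """HARDENED: read once, hash the bytes you hold, extract from those same bytes."""
    h = hashlib.sha256()
    buf = io.BytesIO()
    with open(package_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
            buf.write(block)
    if race_hook:
        race_hook()  # same attacker, same timing; the file on disk no longer matters
    if not hmac.compare_digest(h.hexdigest(), expected_sha256):
        raise ValueError("checksum mismatch")
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:") as tar:
        return _extract(tar, dest_dir)


def demo() -> Dict[str, object]:
    """Run both flows against a simulated swap-after-verify; return what each installed."""
    good = build_tar({"app/bin": b"good build"})
    evil = build_tar({"app/bin": b"attacker build"})
    traversal = build_tar({"../escape": b"x"})
    expected = sha256_hex(good)
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "pkg.tar")

        def write(data: bytes) -> None:
            with open(pkg, "wb") as f:
                f.write(data)

        write(good)
        results["vulnerable"] = verify_then_open(pkg, expected, os.path.join(d, "v"), race_hook=lambda: write(evil))
        write(good)
        results["hardened"] = verify_while_reading(pkg, expected, os.path.join(d, "h"), race_hook=lambda: write(evil))
        try:  # the swap left attacker bytes on disk; a fresh run must refuse them
            verify_while_reading(pkg, expected, os.path.join(d, "h2"))
            results["mismatch_detected"] = False
        except ValueError:
            results["mismatch_detected"] = True
        write(traversal)
        try:  # a correctly signed package with a "../" entry is still refused
            verify_while_reading(pkg, sha256_hex(traversal), os.path.join(d, "t"))
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    Buffering the whole package in memory is the simplest way to make "the bytes you hashed" and "the bytes you extract" the same object; for large packages the same property holds if you stream into a private temp file that only the installer can write (an unlinked file or a directory the user cannot reach), hash on the way in, and extract from that descriptor rather than from the original path. Running the unpacker unprivileged, as the comment's third point says, bounds the damage if the vetting is still wrong.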
  • @aurorastudios5955
    @aurorastudios5955 2 года назад

    Now I know why daemon is a different spelling for demon.

  • @chubbycatfish4573
    @chubbycatfish4573 2 года назад

    Mossberg, Ruger, and Beretta are my favorite home security vendors.

  • @TOMiX1024
    @TOMiX1024 2 года назад

    I'm not surprised, given that you still cannot copy text from the chat window..
    I guess I'll use the web version from now on...

  • @milkgrapes6420
    @milkgrapes6420 2 года назад +1

    Just in time for school, thanks Zoom

  • @bigbrothertw
    @bigbrothertw 2 года назад

    i dont rlly understand what any of this means but it seems important

  • @makesnosense6304
    @makesnosense6304 2 года назад

    I just want to point out the false equivalence at 7:35: stating what security fixes/attempts you made in public versus to one person in private.

  • @kiloton1920
    @kiloton1920 2 года назад +1

    Can you imagine what kind of freakish ai they are feeding every zoom call in the world to and for what reason?

    • @wastelander
      @wastelander 2 года назад

      Probably a robot like AUTO from WALL-E.

    • @fss1704
      @fss1704 2 года назад

      that's called skynet, look it up for real.

  • @WizardNumberNext
    @WizardNumberNext 2 года назад

    It is extremely trivial, as you can pause the process and then you have all the time in the world (or as long as you have power).

  • @Alex-ee5pl
    @Alex-ee5pl 2 года назад

    I would rather eat my own arm than download and install Zoom. Liked, commented and shared even without your end jingle because you already have me trained.

  • @TheMafiaFire
    @TheMafiaFire 2 года назад

    Thanks for the heads up

  • @maxmyzer9172
    @maxmyzer9172 2 года назад

    Scary, since my uni has Zoom SSO and forces us to use it for classes if they are online...

  • @pauln07
    @pauln07 2 года назад +1

    The advantage of running proprietary bullshit in a VM is they only get access to exactly what you give them.