Earlier this week, a security researcher disclosed an exploit showing that websites could use Zoom’s video chat software to start your webcam and record without your permission. Now Apple is removing Zoom’s web server from all Macs automatically.
Zoom, a video chat service, wanted to provide convenience. It designed its software to join a video chat and start your webcam just by clicking on a link. But then Safari, Apple’s browser, released an update to prevent exactly that behavior. Instead, you would confirm that you wanted to start your webcam.
So Zoom decided to work around that problem and installed a local web server on Macs that could bypass the security check, in the name of convenience. That entire concept is problematic, and as shown by Jonathan Leitschuh, a bad actor could easily create a website that would autojoin you to a call and start your webcam.
Worse yet, uninstalling Zoom from your Mac doesn’t remove the web server, which meant it was easy to force a reinstall of the software, again without your permission.
Zoom promised to make changes and apparently, Apple stepped in to help. Apple released a silent update that removes Zoom’s web server from your Mac. The process is automated, and you won’t need to do anything. That should keep anyone who likes Zoom safer on macOS. However, the autojoin feature still affects Windows. [TechCrunch]
In Other News:
- Microsoft’s latest Insider update includes passwordless sign-in: Microsoft is moving forward with Insider testing, and the latest update includes some interesting additions. In addition to expanding Your Phone to work with more Surface devices, the company is testing a new passwordless sign-in option. It essentially forces all Microsoft accounts on a PC to use Windows Hello, which should make login a little smoother. [Microsoft]
- A former Tesla employee admits uploading source code to iCloud: Guangzhi Cao, a former Tesla engineer, left the company to work for Chinese EV startup Xiaopeng Motors. He worked in Tesla’s Autopilot division, and before he left, he uploaded Autopilot source code to iCloud. Tesla has accused him of stealing the code to take to his new company, although Xiaopeng Motors denies any knowledge of the theft. Cao claims he deleted all the files he uploaded to the cloud. [The Verge]
- Microsoft is closing Remix3D.com later this year: Microsoft is retiring Remix3D.com on January 10, 2020. The company introduced the site as part of a 3D push in its Windows 10 Creators Update. Much like TVs, 3D in Windows never took off, and now it seems to be winding down slowly. [Thurrott]
- Pale Moon browser’s older download versions infected with malware: Pale Moon, a fork of Firefox, announced that hackers breached its archive server. The server provided links to older versions of the browser, and the hackers added malware to those downloads. The goal seems to be stealing your cryptocurrency. Chalk it up to another reason not to use a Firefox fork. [ZDNet]
- Google shut down the Nest Apple Watch app: Do you use your Apple Watch to control your Nest thermostat? According to Google, probably not. The company says very few people used the app, and so it removed Apple Watch compatibility in the latest update. [9to5Google]
- White Hat hackers tried to take down ransomware criminals, but it’s a draw: White Hat hackers tried to use a Denial of Service attack to prevent the spread of ransomware, in a novel approach to a growing problem. They noticed that parts of how the ransomware spread and attacked were predictable and tried to take advantage of that vulnerability. Initially, it worked, but the bad hackers just updated the software. Nice try though. [Ars Technica]
- Apple disabled Walkie-Talkie from the Apple Watch following exploit: Following the disclosure of an exploit, Apple disabled the Walkie-Talkie feature on the Apple Watch. Details are scarce, but it seems with the right set of steps a bad actor could use Walkie-Talkie to listen to your conversations without you knowing. Apple promises to fix the problem and reenable the feature down the road. [9to5Mac]
Forty years ago today, July 11th, NASA’s Skylab space station fell back to Earth.