
I spend a good deal of my time reviewing the security of software — mainly the cryptography parts these days. I could thus tell you some stories about bad practice, but I won’t.

But today I have seen one of the worst implementations of security, where lazy developers have simplified something in order to make things simple for themselves. Often security is seen as secondary, and the Zoom zero-day vulnerability is one of the worst I have seen [here].

Basically, Zoom installs a Web server on your computer, which runs on port 19421:

meuser@MacBook-Pro-3:~/Downloads$ lsof -i :19421

An Nmap scan with default options doesn't pick it up (19421 is outside Nmap's default top-1000 port list, so only an explicit port probe would show it):

meuser@MacBook-Pro-3:~/Downloads$ nmap 127.0.0.1

But it's there, just waiting for a connection. All you have to do is call the local Web server (localhost) with a conference ID:

http://localhost:19421/launch?action=join&confno=XXXXX

where XXXXX is a valid conference ID. I am stunned by this. I tried it on my own machine and found that I connected to another ongoing conference:


The great worry — and the major security problem — is that someone only has to install an application on your computer, or trick you into running a script on a Web page, and they have you connected to a conference call with full audio and video. And don't think it will go away when you uninstall the software: the local server stays there.

And in a “they just say that” moment:


No other industry — apart from the software industry — would ever get away with such sloppy practices.

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
