I spend a good deal of my time reviewing the security of software — mainly the cryptography parts these days. I could thus tell you some stories about bad practice, but I won’t.
But today I have seen one of the worst security implementations I can remember: developers cutting a corner in order to make their own lives simpler. Security is too often treated as secondary, and the Zoom zero-day vulnerability is one of the worst examples I have seen [here].
Basically, Zoom installs a small Web server on your computer, a helper process called ZoomOpener, which listens on TCP port 19421 on localhost:
meuser@MacBook-Pro-3:~/Downloads$ lsof -i :19421
COMMAND   PID  USER   FD  TYPE DEVICE            SIZE/OFF NODE NAME
ZoomOpene 632  meuser 7u  IPv4 0xae3b325b7648aa7 0t0      TCP  localhost:19421 (LISTEN)
A default Nmap scan doesn't pick it up. That is not because the port is hidden: without a -p option Nmap only probes its list of the 1,000 most common TCP ports (hence the "Not shown: 994 closed ports" line below, 994 closed plus 6 open), and 19421 is not on that list. You have to ask for it explicitly, e.g. nmap -p 19421 127.0.0.1, or scan every port with nmap -p- 127.0.0.1:
meuser@MacBook-Pro-3:~/Downloads$ nmap 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-09 11:52 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0047s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
88/tcp open kerberos-sec
445/tcp open microsoft-ds
548/tcp open afp
631/tcp open ipp
1023/tcp open netvenuechat
49165/tcp open unknown
But it's there, quietly waiting for a connection. All you have to do is call the local Web server (localhost, port 19421) with a URL that carries a conference ID:
where XXXXX is a valid conference ID. I am stunned by this. I tried it on my own machine, and found that I connected with another on-going conference:
The great worry, and the major security problem, is that someone only has to install an application on your computer, or trick you into visiting a Web page that makes your browser request that local URL (a script is not even strictly needed; any page element that loads the URL will do), and they have you connected to a conference call, with full audio and video. And don't think it goes away when you uninstall the software: the Web server stays behind.
And, in a "did they really just say that?" moment:
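To make concrete why a Web server on localhost is dangerous, here is an added example that is not from the original post and is not Zoom's code: a toy model of such a helper, written in Python. The /launch endpoint, the confid and token query parameters, the ephemeral port, the conference IDs and the secret are all assumptions for illustration. The vulnerable handler joins whatever conference ID it is handed, from whoever asks, which is exactly what any Web page you visit can make your browser do. The hardened handler requires a per-install secret that a foreign page cannot know, and also refuses requests carrying a cross-site Origin header. The hardening is an illustrative mitigation, not what the vendor shipped.

```python
"""Toy model of a localhost "conference opener" helper, written for this
post as an illustration; it is not Zoom's code.  The /launch endpoint, the
confid/token parameters and the secret are hypothetical."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

JOINED = []  # conference IDs the toy "client" was told to join


class VulnerableHandler(BaseHTTPRequestHandler):
    """Joins whatever conference ID it is handed, no matter who asked."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/launch":
            return self._reply(404, "not found")
        confid = parse_qs(url.query).get("confid", [None])[0]
        if not confid:
            return self._reply(400, "missing confid")
        JOINED.append(confid)  # the real thing would launch the client here
        self._reply(200, "joining " + confid)

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class HardenedHandler(VulnerableHandler):
    """Same endpoint, two added checks (illustrative, not the vendor's fix)."""

    SECRET = secrets.token_urlsafe(32)  # generated per install, never published

    def do_GET(self):
        # Browsers add an Origin header to cross-site fetch()/XHR and non-GET
        # requests, so refusing it blocks the obvious script-driven attack.
        if self.headers.get("Origin"):
            return self._reply(403, "cross-origin request refused")
        # A plain <img src=...> or a navigation may carry no Origin at all,
        # so the check above is not sufficient on its own.  The real gate is
        # a secret that only the locally installed client knows.
        token = parse_qs(urlparse(self.path).query).get("token", [None])[0]
        if not token or not secrets.compare_digest(token, self.SECRET):
            return self._reply(403, "missing or wrong token")
        super().do_GET()


def serve(handler):
    """Bind the handler to an ephemeral 127.0.0.1 port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def get(port, query, origin=None):
    """Issue the GET a browser would make to the local helper; return status."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/launch?{query}")
    if origin:
        req.add_header("Origin", origin)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Run the attacker's request against both servers; return the outcomes."""
    JOINED.clear()
    results = {}
    srv, port = serve(VulnerableHandler)
    # What a hostile page makes your browser do.  The confid is made up.
    results["vulnerable"] = get(port, "confid=123456789", origin="http://evil.example")
    srv.shutdown()
    srv.server_close()

    srv, port = serve(HardenedHandler)
    results["hardened_script"] = get(port, "confid=123456789", origin="http://evil.example")
    results["hardened_img"] = get(port, "confid=123456789")  # no Origin, no token
    results["hardened_client"] = get(port, f"confid=987654321&token={HardenedHandler.SECRET}")
    srv.shutdown()
    srv.server_close()
    results["joined"] = list(JOINED)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the asymmetry the post is complaining about: the vulnerable server answers 200 to the hostile page and records the join; the hardened one answers 403 both with an Origin header (a script-driven request) and without one (an image load), and 200 only to the client that holds the secret. The better fix, of course, is to not expose such a server on localhost in the first place.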
No other industry — apart from the software industry — would ever get away with such sloppy practices.