Hacker News new | past | comments | ask | show | jobs | submit login

To be that guy... forget CORS. All localhost servers have a pinned public key. The zoom.us site has the private key. It passes along a signed request. The local server then validates the signature! How is that so hard?

Oh wait, I just described CSRF!! Zoom, here is your egg. Now promptly smash it on your face; thank you.

Wouldn't that allow the token to be replayed? Attack scenario:

1. Attacker installs zoom.

2. Attacker starts to join meeting foo.

3. zoom.us creates a signed request saying "join meeting foo" and gives it to Attaker.

4. Attacker takes that signed request and sends it from attacker.com to localhost inside Victim's browser.

5. Victim's zoom native app gets the request, validates the signature, and joins the meeting.

I think it can be modified to be safe if there's a key exchange between zoom.us and the native app, and zoom.us signs the key exchange with its private key. But this seems hugely overkill compared to a simple Origin check, or even compared to a traditional XSRF token (via a cookie on localhost).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact