Jonkman Microblog
Conversation


  1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 08-Jul-2019 23:30:34 EDT

    https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

    Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine

    This is why I put in a package anything needing more than user permissions at installation time, also why I do not want something like session startup other than ~/.profile and similar (and don’t even try to edit these or it’s a permanent ban from my sandbox(1) config).

    1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 08-Jul-2019 23:40:04 EDT

      UPDATE: June 7th, 2019: There has been a regression in the fix implemented by Zoom thus allowing this vulnerability to be exploited with the video camera activated.

      A regression on a FIX?! Holy shit.

      1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 08-Jul-2019 23:46:25 EDT

        During this call, they promised Mozilla and me that this vulnerability would be patched well before the end of the 90-day disclosure deadline. This turned out to be false.

        Well fucking done Mozilla. (I’m of course going to try it with webkitgtk)

        1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 08-Jul-2019 23:49:41 EDT

          According to the Zoom team, the only reason this localhost server continues to exist is that Apple’s Safari doesn’t support URI handlers.

          WebKit is able to, so it would be really awkward for Safari to not have it.

          1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 08-Jul-2019 23:56:44 EDT

            Oh wow… Safari actually doesn’t. Badwolf doesn’t either btw but that’s just because I have no reason to support this and I consider it to be a fingerprintable API.

            https://caniuse.com/registerprotocolhandler

        2. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 09-Jul-2019 00:51:39 EDT

          [Error] Refused to load https://localhost:1337/screen.png because it does not appear in the img-src directive of the Content Security Policy.

          Weh.

          1. Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 09-Jul-2019 00:52:25 EDT

            Aaaand thanks pleroma for trying to load it, lol.


            screen.png
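The browser refusal quoted in the thread is a Content Security Policy decision: the site's img-src directive lists the origins images may be fetched from, and https://localhost:1337 is not one of them, so an embedded image cannot be used to reach a localhost web server from that site. The simplified CSP source matcher below is added here as an example (it is not code from the thread, from GNU social or from Pleroma) and reproduces that decision; the policy string and the page origin are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed policy and page origin for this example (not taken from any real site).
EXAMPLE_POLICY = "default-src 'self'; img-src 'self' https://media.example.invalid data:"
PAGE_ORIGIN = "https://social.example.invalid"
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """{directive: [source expressions]} from a Content-Security-Policy header value."""
    parts = (p.split() for p in header.lower().split(";"))
    return {t[0]: t[1:] for t in parts if t}

def _parts(url):
    """(scheme, host, effective port): default port filled in for http(s) URLs."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def source_matches(expr, url, page_origin):
    """Simplified CSP Level 3 match for 'self', 'none', scheme- and host-sources;
    paths, port wildcards, nonces and hashes are deliberately not handled."""
    scheme, host, port = _parts(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (scheme, host, port) == _parts(page_origin)
    if expr.endswith(":") and "/" not in expr:       # scheme-source, e.g. "https:" or "data:"
        return scheme == expr[:-1]
    e = urlparse(expr if "://" in expr else "//" + expr)  # host-source: [scheme://]host[:port]
    e_scheme, e_host = e.scheme.lower(), (e.hostname or "").lower()
    if e_scheme and e_scheme != scheme:
        return False
    if not e_scheme and scheme not in ("https", _parts(page_origin)[0]):
        return False                                  # schemeless: page's scheme or https upgrade
    if e_host.startswith("*.") and not host.endswith(e_host[1:]):
        return False
    if not e_host.startswith("*.") and e_host not in ("*", host):
        return False
    if e.port is not None:                            # explicit port must match exactly
        return e.port == port
    return port == DEFAULT_PORTS.get(e_scheme or scheme)

def allowed_by_directive(policy, directive, url, page_origin=PAGE_ORIGIN):
    """True if `url` may be loaded under `directive` (falls back to default-src)."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True                                   # no governing directive: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)
```

Calling allowed_by_directive(EXAMPLE_POLICY, "img-src", "https://localhost:1337/screen.png") returns False, which is the same outcome the quoted console error reports.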
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.