Notices by Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me), page 105

Aaaand thanks pleroma for trying to load it, lol.

[Error] Refused to load https://localhost:1337/screen.png because it does not appear in the img-src directive of the Content Security Policy.

Weh.

Oh wow… Safari actually doesn’t. Badwolf doesn’t either btw but that’s just because I have no reason to support this and I consider it to be a fingerprintable API.

https://caniuse.com/registerprotocolhandler

According to the Zoom team, the only reason this localhost server continues to exist is that Apple’s Safari doesn’t support URI handlers.

WebKit is able to so it would be really awkward for Safari to not have it.

During this call, they promised Mozilla and me that this vulnerability would be patched well before the end of the 90-day disclosure deadline. This turned out to be false.

Well fucking done Mozilla. (I’m of course going to try it with webkitgtk)

@shaderphantom And I would garbage Apple for having an OS where uninstalling an application doesn’t actually fully remove it.

UPDATE: June 7th, 2019: There has been a regression in the fix implemented by Zoom thus allowing this vulnerability to be exploited with the video camera activated.

A regression on a FIX?! Holy shit.

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine

This is why I put in a package anything needing more than user permissions at installation time, also why I do not want something like session startup other than ~/.profile and similar (and don’t even try to edit theses or it’s a permanent ban from my sandbox(1) config).