Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

Until Zoom's developers address the vulnerability, users can protect themselves by disabling the setting that allows Zoom to turn on the Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."


This article, "Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams" first appeared on MacRumors.com

Discuss this article in our forums

Data Extraction Company Cellebrite Touts New Software for Cracking iPhones and iPads Running up to iOS 12.3

Israel-based software developer Cellebrite, known for breaking into mobile devices like the iPhone to obtain sensitive data, has announced that it can now unlock any iOS device running up to iOS 12.3, which was released only a month ago.


The firm revealed the capability in a tweet posted late Friday advertising UFED Premium, the latest version of its Universal Forensic Extraction Device.

On its UFED web page, Cellebrite describes the tool's ability to glean forensic data from any iOS device dating back to iOS 7, as well as from Android devices made by Samsung, Huawei, LG, and Xiaomi.

The Israel firm describes UFED Premium as "the only on-premise solution for law enforcement agencies to unlock and extract crucial mobile phone evidence from all iOS and high-end Android devices."

If the claims are accurate, Cellebrite's tool will enable authorities to potentially crack the vast majority of smartphones currently available on the market. As Wired notes, no other law enforcement contractor has made such broad claims about a single product, at least not publicly.

Apple continually introduces improvements to the security of its operating systems in order to keep ahead of companies like Cellebrite that are always searching for flaws and vulnerabilities to exploit in order to access the data on locked iOS devices.

For example, in October 2018 Apple successfully thwarted the "GrayKey" iPhone passcode hack, sold by Atlanta-based company Grayshift, which had also been in use by U.S. law enforcement.

Cellebrite first garnered significant attention in 2016, when it was believed the company was enlisted to help the FBI break into the iPhone 5c of San Bernardino shooter Syed Farook after Apple refused to provide the FBI with tools to unlock the device.

The FBI did not use Cellebrite's services for that particular case, but several United States government agencies do regularly work with Cellebrite to unlock iOS devices.

According to Wired's sources, Grayshift has developed tools to unlock at least some versions of iOS 12. If true, the firm is still keeping its cards close to its chest, but probably not for much longer.

Even as Apple works to increase the security of its iOS devices, Cellebrite's brazen announcement suggests the cat-and-mouse game of exploiting vulnerabilities in mobile device software will only become more competitive, as rival companies attempt to grab a bigger share of the market.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.



Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages

Apple and other tech giants have joined civil society groups and security experts in condemning proposals from Britain's cybersecurity agency that would enable law enforcement to access end-to-end encrypted messages (via CNBC).

British Government's Communications HQ in Cheltenham, Gloucestershire

In an open letter to the U.K.'s GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp urged the U.K. eavesdropping agency to ditch plans for its so-called "ghost protocol," which would require encrypted messaging services to direct a message to a third recipient, at the same time as sending it to its intended user.

Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis, published details of the proposal in November 2018. In the essay, Levy and Robinson claimed the system would enable law enforcement to access the content of encrypted messages without breaking the encryption.

The officials argued it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," and claimed this would be "no more intrusive than the virtual crocodile clips," which are currently used in wiretaps of non-encrypted chat and call apps.

Signatories of the letter opposing the plan argued that the proposal required two changes to existing communications systems that were a "serious threat" to digital security and fundamental human rights, and would undermine user trust.
"First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.

"Second, in order to ensure the government is added to the conversation in secret, GCHQ's proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.

"The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people. The GCHQ's ghost proposal completely undermines this trust relationship and the authentication process."
Apple's strong stance against weakened device protections for the sake of law enforcement access was highlighted in the 2016 Apple vs. FBI conflict that saw Apple refuse to create a backdoor access solution to allow the FBI to crack the iPhone 5c owned by San Bernardino shooter Syed Farook.

Responding to the open letter, which was first sent to GCHQ on May 22, the National Cyber Security Centre's Ian Levy told CNBC: "We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion."

"We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible," Levy said.




CES 2019: Arlo Unveils Ultra 4K HDR Security Camera and All-in-One Home Security System

Arlo Technologies today announced its new Arlo Ultra 4K wire-free HDR security camera and Arlo Security System, the latter of which is being billed as a comprehensive security solution for the home or business.


The HomeKit-compatible Arlo Ultra 4K HDR video camera features both color and black and white night vision via an LED integrated spotlight, a 180-degree panoramic field-of-view lens, and two-way audio with advanced noise cancelation.

The Arlo Ultra ships with the Arlo SmartHub, which will also become Zigbee and Z-Wave compatible in the second half of 2019, allowing users to control a wide range of "Works with Arlo" certified third-party smart home devices via the Arlo app.

As part of the Arlo ecosystem, the SmartHub will also support the newly announced Arlo Security System, which consists of the Arlo Multi-Sensor, Arlo Siren and Arlo Remote, to form a comprehensive security solution.


The Arlo Multi-Sensor detects windows and doors opening and closing, motion, smoke and carbon monoxide alarms, water leaks, temperature changes and more.

The battery-operated Arlo Siren features a loud siren accompanied by a red strobe light to deter intruders. Users can also enable presence simulation to emit audio sounds, such as dog barking or TV audio. In addition, a built-in melody can be activated to notify users of specific events, such as the Multi-Sensor detecting a door opening.

Meanwhile, the Arlo Remote lets owners arm and disarm the system without using the Arlo mobile app. It also features two customizable buttons that can be programmed to perform specific actions, such as turning on compatible third-party lights or activating the Arlo Siren in a panic situation.

Pricing starts at $399.99 for the Arlo Ultra single-camera system, which is available now and includes a one-year subscription to Arlo's Smart Premier 30-day video history cloud storage plan. The Arlo Security System will be available in the second half of 2019.

Arlo says that support for Apple HomeKit will be available as an automatic firmware update for Arlo Ultra and Pro 2 camera systems later this quarter.



How to Encrypt a USB Flash Drive in macOS Mojave

In macOS Mojave, you can choose to encrypt and decrypt disks on the fly right from the desktop. Using this convenient Finder option, we're going to show you how to encrypt a USB flash drive (or "thumb drive"), which is useful if you're traveling light and want to take sensitive data with you for use on another Mac.

Finder uses XTS-AES encryption, the same encryption that FileVault 2 uses to prevent access to data on a Mac's startup disk without a password. Note that the following method is only compatible with Macs – you won't be able to access data on the encrypted drive using a Windows machine.

If this is a requirement, you'll need to use a third-party encryption solution like VeraCrypt. With that in mind, here's how to securely encrypt your USB flash drive.


Attach the USB flash drive to your Mac and locate its disk icon on your desktop, in a Finder window, or in the Finder sidebar, then right-click (or Ctrl-click) it and select Encrypt "[USB stick name]"... from the contextual menu.

(Note that if you don't see the Encrypt option in the dropdown menu, your USB flash drive hasn't been formatted with a GUID partition map. To resolve this, you'll need to erase and encrypt the USB drive in Disk Utility – before that though, copy any data on the drive to another location for temporary safekeeping.)


When you select Encrypt, Finder will prompt you to create a password, which you'll need to enter the next time you attach the USB flash drive to a Mac. (Don't forget this, otherwise you'll lose access to any data stored on the USB drive!) Once you've chosen a password, verify it, add a meaningful hint if desired, and click Encrypt Disk.

The encryption process depends on how much data you have on the USB flash drive, but you'll know it's completed when its disk icon disappears and re-mounts. You'll now be able to access the contents of the USB flash drive as usual, but if you physically detach it and re-attach it to your Mac you'll be prompted to enter the password.


Note that the prompt includes an option to "Remember this password in my keychain." Check the box, and whenever you attach the USB stick to your Mac again you won't be prompted to enter the password and you'll have automatic access to it, just like any other drive.


If you ever want to decrypt the USB flash drive in future, right-click (or Ctrl-click) its disk icon, select Decrypt "[USB stick name]" from the contextual menu, and enter the password to turn off encryption protection.

How to Encrypt a USB Flash Drive in Disk Utility

Before proceeding, make sure you've copied any data on the USB flash drive to a safe location, like your Mac's internal disk.
  1. Launch Disk Utility, located on your Mac in Applications/Utilities.

  2. In the Disk Utility toolbar, click the View button and select Show All Devices if it isn't already ticked.

  3. Select your USB flash drive in the sidebar by clicking its top-level device name (i.e. not the volume name that's listed beneath it).

  4. Click the Erase button in the toolbar.

  5. Give the USB flash drive a name.

  6. Next, click the Scheme dropdown menu and select GUID Partition Map. (It's important to do this first before the next step, otherwise you won't see the encryption option in the Format dropdown.)

  7. Now click the Format dropdown menu and select Mac OS Extended (Journaled, Encrypted).

  8. Click Erase.

  9. Enter your new password, enter it once more to verify, include a password hint if desired, then click Choose.

  10. Click Erase once again, and wait for your disk to be formatted and encrypted.

Once the process is complete, copy across your sensitive data to the blank USB flash drive, where it will be automatically encrypted and secured with a password.
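For anyone who would rather script the steps above, here is an added example (not from the MacRumors article) that does the same thing with macOS's diskutil: it reads the partition scheme to confirm the GUID-partition-map caveat, then erases the drive as Mac OS Extended (Journaled) on a GPT map and converts the volume to an encrypted CoreStorage volume. The device node (/dev/disk2) and volume name are placeholders; only the parsing helpers run outside macOS.

```shell
#!/bin/sh
# Added example (not from the MacRumors article): command-line equivalent of
# the Finder / Disk Utility steps, using macOS's diskutil. The diskutil calls
# are macOS-only; partition_scheme and finder_encrypt_available run anywhere.

# Finder only offers Encrypt "..." for drives with a GUID partition map, so
# read the scheme out of `diskutil info <whole-disk>` output (given on stdin).
# Prints e.g. GUID_partition_scheme or FDisk_partition_scheme (an MBR drive).
partition_scheme() {
    awk -F':[ \t]*' '/^[ \t]*Content \(IOContent\):/ { print $2; exit }'
}

# Returns 0 (true) when the scheme is GPT, i.e. Finder's Encrypt item will
# appear; 1 when the drive must first be erased in Disk Utility (or below).
finder_encrypt_available() {
    [ "$(partition_scheme)" = "GUID_partition_scheme" ]
}

# Erase the drive with a GPT map and Mac OS Extended (Journaled), then turn
# the volume into an encrypted CoreStorage volume. Assumes "$1" is a
# whole-disk node such as /dev/disk2 (confirm with `diskutil list` first;
# erasing the wrong disk destroys its data) and "$2" is the new volume name.
encrypt_usb_drive() {
    dev="$1"; name="$2"
    if diskutil info "$dev" | finder_encrypt_available; then
        echo "note: $dev already has a GUID partition map; Finder's Encrypt would also work"
    fi
    # JHFS+ is diskutil's name for Mac OS Extended (Journaled); GPT selects
    # the GUID Partition Map scheme (steps 5 to 8 of the procedure above).
    diskutil eraseDisk JHFS+ "$name" GPT "$dev" || return 1
    # On a GPT map slice 1 is the EFI partition and slice 2 is the volume.
    # -passphrase with no value makes diskutil prompt, which keeps the
    # password out of shell history and `ps` output, like the Finder dialog.
    diskutil coreStorage convert "${dev}s2" -passphrase
}

# Usage (macOS only): sh encrypt_usb.sh /dev/disk2 Travel
if [ "$#" -eq 2 ]; then
    encrypt_usb_drive "$1" "$2"
fi
```

Once converted, the drive prompts for the passphrase on attach exactly as the Finder-encrypted drive does, and `diskutil coreStorage list` shows the new logical volume.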



Australia Passes Controversial Encryption Bill Despite Opposition From Apple and Other Tech Companies

The Australian parliament on Thursday passed controversial encryption legislation that could result in tech companies being forced to give law enforcement access to encrypted customer messages.

As we reported in October, Apple opposed the legislation in a seven-page letter to the Australian parliament, calling the encryption bill "dangerously ambiguous" and wide open to potential abuse by authorities.


Advocates of the bill, officially titled "Assistance and Access Bill 2018," argue it is essential to national security because encrypted communications are used by terrorist groups and criminals to avoid detection.

CNET provided a breakdown on the Australian bill and the three tiers of law enforcement and state agency assistance it covers:
  • Technical assistance request: A notice to provide "voluntary assistance" to law enforcement for "safeguarding of national security and the enforcement of the law."

  • Technical assistance notice: A notice requiring tech companies to offer decryption "they are already capable of providing that is reasonable, proportionate, practicable and technically feasible" where the company already has the "existing means" to decrypt communications (e.g. where messages aren't end-to-end encrypted).

  • Technical capability notice: A notice issued by the attorney general, requiring tech companies to "build a new capability" to decrypt communications for law enforcement. The bill stipulates this can't include capabilities that "remove electronic protection, such as encryption."
The Australian government insists that the laws don't provide a backdoor into encrypted communications; however, Apple says the language in the bill permits the government to order companies who make smart home speakers to "install persistent eavesdropping capabilities" or to require device makers to create a tool to unlock devices.

Likewise, the joint industry lobby group DIGI, which includes Amazon, Facebook, Google, Oath, and Twitter, said they were willing to work with the government to promote public safety, but the laws could "potentially jeopardize the security of the apps and systems that millions of Australians use every day."

Apple has fought against anti-encryption legislation and attempts to weaken device encryption for years, and its most public battle was against the U.S. government in 2016 after Apple was ordered to help the FBI unlock the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple opposed the order and claimed that it would set a "dangerous precedent" with serious implications for the future of smartphone encryption. Apple ultimately held its ground and the U.S. government backed off after finding an alternate way to access the device, but Apple has continually had to deal with further law enforcement efforts to combat encryption.




Complex Passcode Bypass Method Exposes iPhone Contacts and Photos in iOS 12

A passcode bypass vulnerability has been discovered in iOS 12 that potentially allows an attacker to access photos and contact details on a locked iPhone.

The rather convoluted bypass method was shared in a video by Jose Rodriguez, who has discovered iOS bugs in the past that Apple has subsequently fixed.


With physical access to the locked device, the attacker first asks Siri to activate VoiceOver, sleeps the device with the Side button, and then calls the iPhone using another device. Once the call screen shows up, the attacker taps the Message button, opts to create a custom message, and then taps the plus (+) icon in the top right.

Next, on the other phone, the attacker sends a text or iMessage to the target iPhone, whose screen is then double-tapped when the message notification appears. This causes an odd behavior in the UI, since it highlights the plus icon underneath.

After a short wait, the screen goes white and the notification disappears, but the VoiceOver's text selection box is apparently still tappable and can now be used to access the Messages interface. Following multiple screen swipes, the VoiceOver is heard to say "Cancel," which reveals the original Messages screen.


Adding a new recipient to the message and selecting a numeral from the virtual keyboard then reveals a list of recently dialed or received phone numbers and contacts. Further, if one of the numbers or contacts includes an info ("i") button, disabling VoiceOver and tapping the button shows the contact's information. Performing a 3D Touch action on the contact also brings up call and message options, along with options to Add to Existing Contact or Create New Contact.

In a similarly complicated set of steps involving an invisible user menu, an attacker can eventually access a locked iPhone's Camera Roll and other photo folders, which can then be used to add profile pictures to contact cards.

The bypass methods work on all iPhones including the iPhone XS lineup, and Apple doesn't appear to have fixed the vulnerabilities in the latest iOS 12.1 beta. Thankfully, all of the above can be easily prevented by disabling access to Siri from the lock screen.

Concerned users can do so by navigating to Settings > Face ID & Passcode (that's Settings > Touch ID & Passcode on iPhones with Touch ID) and disabling the Siri toggle under the "Allow access when locked" menu.



British Airways Website and Mobile App Suffer Huge Customer Data Breach

British Airways says it is investigating the theft of customer data from its website and mobile app over a two-week period, during which 380,000 payment cards were exposed (via The Guardian).

"From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised," the airline revealed in a statement on its website.

According to BA, travel and passport information was not accessed during the data breach, but concerned customers are being advised to get in touch with their card issuers in the first instance. The company said all customers affected by the breach had been contacted on Thursday night.

"British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice."

The airline said it was alerted to the attack by a third party, which explains how the theft was able to continue undetected for two weeks, but the company insists that the breach has been resolved and its website and mobile app are now working normally.



Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.


The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

"Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!"

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is gated by a Safari user prompt offering "Allow" or "Cancel"; however, the popup text and the available options are controlled by the attacker, so they are easily changed to trick or deceive the user.


The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
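The two defensive checks that follow are an added example, not code from Patrick Wardle's write-up or the article: one audits and disables Safari's AutoOpenSafeDownloads preference (the "Open 'safe' files after downloading" checkbox, whose absence from the defaults store means it is ON), and the other scans a downloads folder for app bundles whose Info.plist declares CFBundleURLTypes, i.e. apps that will register a custom URL scheme the moment they land on disk. The folder path is a placeholder; the `defaults` and `find` calls are macOS-specific, while the parsing helpers run on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the article or from Patrick Wardle): defensive
# checks for the Safari "safe files" / custom URL scheme attack above.
# Only the `defaults` and `find` calls are macOS-specific.

# Interpret the stored value of Safari's AutoOpenSafeDownloads key.
# Safari's default when the key is absent (empty string here) is ON, so only
# an explicit 0/false counts as disabled. Returns 0 when auto-open is enabled.
auto_open_enabled() {
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the live preference and turn it off if needed (quit Safari first so
# it does not write the old value back on exit).
audit_safari_auto_open() {
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    if auto_open_enabled "$v"; then
        echo "Safari still auto-opens 'safe' downloads; disabling"
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    else
        echo "Safari auto-open of 'safe' files is already off"
    fi
}

# Extract scheme names from `defaults read <Info> CFBundleURLTypes` output,
# which prints the array one element per line, e.g.
#     CFBundleURLSchemes =         (
#         myscheme
#     );
url_schemes_from_dump() {
    awk '
        /CFBundleURLSchemes/ { collecting = 1; next }
        collecting && /\)/   { collecting = 0; next }
        collecting {
            gsub(/[",;]/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") print
        }'
}

# List .app bundles under a folder (default ~/Downloads) that claim custom
# URL schemes. Any hit is an app Safari's auto-unzip may just have delivered
# and that LaunchServices has already registered as a URL handler.
scan_downloads_for_url_handlers() {
    dir="${1:-$HOME/Downloads}"
    find "$dir" -maxdepth 2 -name '*.app' -type d 2>/dev/null | while read -r app; do
        info="$app/Contents/Info"   # defaults read takes the path without .plist
        schemes=$(defaults read "$info" CFBundleURLTypes 2>/dev/null | url_schemes_from_dump)
        if [ -n "$schemes" ]; then
            printf '%s claims URL scheme(s): %s\n' "$app" "$(printf '%s' "$schemes" | tr '\n' ' ')"
        fi
    done
}

# Usage (macOS only): sh safari_audit.sh --audit [downloads-folder]
if [ "$1" = "--audit" ]; then
    audit_safari_auto_open
    scan_downloads_for_url_handlers "$2"
fi
```

Deleting a flagged bundle (and emptying the Trash) is enough to drop its scheme registration, since LaunchServices only keeps handlers whose bundle is still present on disk.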



How to Use Secure Code AutoFill in iOS 12 and macOS Mojave

Most readers will have at some point received a two-factor authentication code delivered to them by SMS text message. Many apps and websites send the one-time codes to confirm that the person attempting to log in to an account is the legitimate account holder, and not just someone using a stolen password.

Depending on how notifications are set up on your iPhone, receiving a code via text message may mean that you have to switch out from the app or website to read the message and memorize or copy the code, and then switch back to paste it or type it into the login screen manually.


To make this process less of a hassle, Apple is introducing Security Code AutoFill for iOS 12. The new feature ensures that SMS one-time passcodes that you receive instantly appear as AutoFill suggestions in the QuickType bar above the virtual keyboard, letting you input them in the passcode field with a simple tap.

If you've enabled Text Message Forwarding on your iPhone, you can use the Secure Code AutoFill feature in macOS Mojave, too. The code should appear in Safari as an AutoFill option in the relevant field as soon as the SMS is delivered to Messages on your Mac.


iOS and macOS use local data detector heuristics to work out whether an incoming message carries a security code, and Apple says the Security Code AutoFill feature does not alter the security of this two-factor authentication method.

So as long as developers craft their secure code text messages correctly, Security Code AutoFill should work in all third-party apps updated for iOS 12 and macOS Mojave, which are due for official public release this fall.
