Author Topic: Zoom Client Leaks Windows Login (Read 20157 times)

polonus · « **Reply #45 on:** July 21, 2020, 11:45:08 PM »

Hi bob3160,

That latest Zoom fix was for users still on Win7.
When you are still out on Win7 you have a somewhat larger problem just with that issue i.m.h.o.

Most users that endanger the Interwebz' infrastructures nowadays as always are folks that do not patch,
upgrade and update. We cannot stress that message often enough.

Let this sink in, keep your code cycles updated and fully patched, my good friends.
It's not only you that suffer but it is also you endangering others through causing such a boogaloo.

polonus

bob3160 · « **Reply #46 on:** July 21, 2020, 11:46:15 PM »

Quote from: Rednose on July 21, 2020, 10:50:06 PM

Hi Bob, how are you ?

I was just mentioning a ( smart ) alternative.

Greetz, Red.

It is an alternative as are many others. If you use this type of program very frequently, you learn very quickly that
the overall best platform for remote presentations is still ZOOM.
ZOOM has also been very quick to address any security concerns that were raised.
It is because they quickly address any security concerns, I questioned the date of this report.

bob3160 · « **Reply #47 on:** July 21, 2020, 11:49:44 PM »

Quote from: polonus on July 21, 2020, 11:45:08 PM

Hi bob3160,

That latest Zoom fix was for users still on Win7.
When you are still out on Win7 you have a somewhat larger problem just with that issue i.m.h.o.

Most users that endanger the Interwebz' infrastructures nowadays as always are folks that do not patch,
upgrade and update. We cannot stress that message often enough.

Let this sink in, keep your code cycles updated and fully patched, my good friends.
It's not only you that suffer but it is also you endangering others through causing such a boogaloo.

polonus

Any time you use outdated software which includes your operating system, you put your security at a potential risk.
It was also the users sloppy way of handling invitations that originally cause ZOOM to tighten up and prevent user stupidity.

polonus · « **Reply #48 on:** July 23, 2020, 04:11:04 PM »

But why there wasn't still a reply to this open letter sent by media watchdogs?
Re: https://ico.org.uk/media/about-the-ico/documents/2618022/vtc-open-letter-20200721.pdf

There were contacts before with development teams, so why the hesitation?

polonus

DavidR · « **Reply #49 on:** July 23, 2020, 05:36:59 PM »

Personally I thought the letter pretentious, self serving and why send as an Open Letter. To my mind you reply to an Open letter in the Open. But when talking of security/privacy no one would/should do this.

Why hasn't there been a response, why would they and how would you know they haven't as there is no reference about replies. Also when you consider the last paragraph, responses by 30 September 2020 and we are only in July 2020. I also don't see anything giving a location to respond.

Quote from: extract of letter

We welcome responses to this open letter from VTC companies, by 30 September 2020, to demonstrate how they are taking these principles into account in the design and delivery of their services. Responses will be shared amongst the joint signatories to this letter.

Highlighting is mine.

Asyn · « **Reply #50 on:** July 30, 2020, 09:31:56 AM »

Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/

DavidR · « **Reply #51 on:** July 30, 2020, 11:22:54 AM »

Quote from: Asyn on July 30, 2020, 09:31:56 AM

Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/

Quote from: Extract - Very Short Version.

I reported the issue to Zoom, who quickly took the web client offline to fix the problem. They seem to have mitigated it by both requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer. Therefore this attack no longer works.

So the long and 'Short' of it (excuse the terrible pun) is this is no longer an issue, until the next one comes along.

bob3160 · « **Reply #52 on:** July 30, 2020, 02:32:44 PM »

Quote from: Asyn on July 30, 2020, 09:31:56 AM

Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/

This is also old news. This security issue was addressed month ago.
Security news is important but, it should also be relevant.

Asyn · « **Reply #53 on:** July 30, 2020, 03:10:12 PM »

Quote from: bob3160 on July 30, 2020, 02:32:44 PM

Quote from: Asyn on July 30, 2020, 09:31:56 AM
Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/
This is also old news. This security issue was addressed month ago.
Security news is important but, it should also be relevant.

Check the article, it clearly says "29th July – Disclosure", so not possible to post it earlier.

bob3160 · « **Reply #54 on:** July 30, 2020, 03:17:06 PM »

Quote from: Asyn on July 30, 2020, 03:10:12 PM

Quote from: bob3160 on July 30, 2020, 02:32:44 PM
Quote from: Asyn on July 30, 2020, 09:31:56 AM
Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/
This is also old news. This security issue was addressed month ago.
Security news is important but, it should also be relevant.
Check the article, it clearly says "29th July – Disclosure", so not possible to post it earlier.

It is still old information. This was fixed months ago.

Asyn · « **Reply #55 on:** July 30, 2020, 03:19:32 PM »

Quote from: bob3160 on July 30, 2020, 03:17:06 PM

Quote from: Asyn on July 30, 2020, 03:10:12 PM
Quote from: bob3160 on July 30, 2020, 02:32:44 PM
Quote from: Asyn on July 30, 2020, 09:31:56 AM
Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/
This is also old news. This security issue was addressed month ago.
Security news is important but, it should also be relevant.
Check the article, it clearly says "29th July – Disclosure", so not possible to post it earlier.
It is still old information. This was fixed months ago.

If you're not interested, just skip it.

bob3160 · « **Reply #56 on:** July 30, 2020, 03:51:27 PM »

Quote from: Asyn on July 30, 2020, 03:19:32 PM

Quote from: bob3160 on July 30, 2020, 03:17:06 PM
Quote from: Asyn on July 30, 2020, 03:10:12 PM
Quote from: bob3160 on July 30, 2020, 02:32:44 PM
Quote from: Asyn on July 30, 2020, 09:31:56 AM
Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/
This is also old news. This security issue was addressed month ago.
Security news is important but, it should also be relevant.
Check the article, it clearly says "29th July – Disclosure", so not possible to post it earlier.
It is still old information. This was fixed months ago.
If you're not interested, just skip it.

That isn't the point. If it's old and fixed, there isn't any reason to post it is there?

Asyn · « **Reply #57 on:** July 30, 2020, 04:05:51 PM »

Quote from: bob3160 on July 30, 2020, 03:51:27 PM

Quote from: Asyn on July 30, 2020, 03:19:32 PM
Quote from: bob3160 on July 30, 2020, 03:17:06 PM
Quote from: Asyn on July 30, 2020, 03:10:12 PM
Quote from: bob3160 on July 30, 2020, 02:32:44 PM
Quote from: Asyn on July 30, 2020, 09:31:56 AM
Zoom Security Exploit – Cracking private meeting passwords
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/
This is also old news. This security issue was addressed month ago.
Security news is important but, it should also be relevant.
Check the article, it clearly says "29th July – Disclosure", so not possible to post it earlier.
It is still old information. This was fixed months ago.
If you're not interested, just skip it.
That isn't the point. If it's old and fixed, there isn't any reason to post it is there?

IMO, yes.

bob3160 · « **Reply #58 on:** July 30, 2020, 04:15:27 PM »

Just to increase the post count? It certainly doesn't pass along anything important.

Asyn · « **Reply #59 on:** July 30, 2020, 04:22:49 PM »

Quote from: bob3160 on July 30, 2020, 04:15:27 PM

Just to increase the post count? It certainly doesn't pass along anything important.

Nothing to gain in increasing my post count. Users have the right and should know about issues/bugs even after they're fixed. That's basically the same Microsoft does on patch day. Further, it's interesting to see how a company deals with such reports.

Author Topic: Zoom Client Leaks Windows Login (Read 20157 times)

polonus

Re: Zoom Client Leaks Windows Login

bob3160

Re: Zoom Client Leaks Windows Login

bob3160

Re: Zoom Client Leaks Windows Login

polonus

Re: Zoom Client Leaks Windows Login

DavidR

Re: Zoom Client Leaks Windows Login

Asyn

Re: Zoom Client Leaks Windows Login

DavidR

Re: Zoom Client Leaks Windows Login

bob3160

Re: Zoom Client Leaks Windows Login

Asyn

Re: Zoom Client Leaks Windows Login

bob3160

Re: Zoom Client Leaks Windows Login

Asyn

Re: Zoom Client Leaks Windows Login

bob3160

Re: Zoom Client Leaks Windows Login

Asyn

Re: Zoom Client Leaks Windows Login

bob3160

Re: Zoom Client Leaks Windows Login

Asyn

Re: Zoom Client Leaks Windows Login