<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thanks for writing in. But a Larger Question here is that I am not able to understand - this is ICANN why we have been on Zoom on the 1st Hand - While we are trying to legitimize the entire Internet and then we are trying to correct the uncorrected and while we are trying to keep it transparent - isn’t ICANN also responsible for this kind of Non-Disclosure at the time of the license agreement ? <div class=""><br class=""></div><div class="">Also, as a Public Policy & Statutory Subject Expert, if Zoom wasn’t aware of this, then it is opening themselves up to a liable and a “Digitally non responsible” enterprise tag. I am surprised - I suppose, from a Charter Perspective, ICANN’s procurement procedure mandates full disclosure of conflict, and this is surely one. Now that ICANN is a Private Body, why does it not PUBLICLY send a notice of Clarification to ZOOM for intentionally omitting material facts at the time of signing of the contract - which in turn will be binding on ICANN for disclosure - to the entire Commercial / Non Commercial Community (of Users) (or Potential Users) legally carrying a foot note in the service of Zoom that an issue exists - please keep a watch and we are fixing it. </div><div class=""><br class=""></div><div class="">In both the cases - One is Hiding Material Evidence and the other Supporting this case, not caring about the community at large. </div><div class=""><br class=""></div><div class="">AND BEST PART IS - we are so worried that we have Blocked Domain Name WHO IS INFORMATION - in the name of privacy :-) It’s the same community who recommended it. </div><div class="">Doesn’t really matter, does it ??</div><div class=""> </div><div class="">Alas, we are all living in a world of gray areas. 
We like twisting our tails and singing our songs as the weather changes, we also change our allegiances !</div><div class=""><br class=""></div><div class="">Warm regards,</div><div class="">-VA</div><div class=""><a href="http://VaibhavAggarwal.com" class="">VaibhavAggarwal.com</a> </div><div class=""><a href="http://Twitter.com/TheVaibhavAg" class="">Twitter.com/TheVaibhavAg</a></div><div class=""><a href="http://Youtube.com/+VaibhavAggarwalIndia" class="">Youtube.com/+VaibhavAggarwalIndia</a> <br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Jul 10, 2019, at 4:20 PM, Rubens Kuhl <<a href="mailto:rubensk@nic.br" class="">rubensk@nic.br</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div>VA,<div class=""><br class=""></div><div class="">It's customary in the information security practice to not disclose vulnerabilities before a solution is provided by the software author, in order to better serve public interest. And this process was followed in this case by both the security researcher that identified it and Zoom itself, but in the end it was clear that Zoom was not willing to change the architecture to really solve the problem. That made the security researcher disclose the vulnerability at the end of the customary 3-month period, which forced Zoom's hand and starting version 4.4.4 release 53932 it seems to be solved now. See <a href="https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-Mac-OS" class="">https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-Mac-OS</a> . 
</div><div class=""><br class=""></div><div class="">You can read more about responsible disclosure in <a href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md" class="">https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md</a> . </div><div class=""><br class=""></div><div class="">Zoom trying to downplay the severity of this vulnerability is indeed a problem; it was not low risk, and their attitude of thinking that prevented them from fixing it in time, requiring a 0-day attack to be disclosed before they actually plugged the hole. Fixing people is harder than fixing software, and the handling of this does not bring any confidence to how they will handle other vulnerabilities in the future. The full recap published by the security researcher is worth reading:</div><div class=""><a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5" class="">https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5</a></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Rubens</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 10 Jul 2019, at 01:47, Vaibhav Aggarwal, Catalyst & Group CEO <<a href="mailto:va@bladebrains.com" class="">va@bladebrains.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Dear Priscillia,<div class=""><br class=""></div><div class="">I appreciate your response. But this is too little and too late. 
If there was a Vulnerability, why were we not informed earlier as a customer / User? Secondly, I will need to understand what is the extent of this vulnerability. By Saying “Low risk Vulnerability” it is clearly showing that you are not willing to elucidate and want to either brush it under the carpet or ignore or underplay the risk. </div><div class=""><br class=""></div><div class="">This is a mandatory disclosure you need to do as it is my privacy at stake. This is Super Important. </div><div class=""><br class=""></div><div class="">Regards,</div><div class="">-VA</div><div class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Jul 10, 2019, at 2:44 AM, Priscilla McCarthy <<a href="mailto:priscilla.barolo@zoom.us" class="">priscilla.barolo@zoom.us</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi there Vaibhav,<div class="">Thank you for your email. These are low-risk vulnerabilities that apply only to Mac users, and we have drafted a blog post discussing them. We are updating our service tonight and this coming weekend. When you see prompted updates, you should update your Zoom app to ensure your security. Here is more information: <a href="https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/" class="">https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/</a></div><div class="">Thank you!<br clear="all" class=""><div class=""><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><table cellpadding="0" cellspacing="0" style="font-family:sans-serif;line-height:1.5;box-sizing:initial;max-width:580px;color:#363636;border-collapse:collapse;" class="">
        <tbody class=""><tr class="">
            <td valign="top" class="">
                <table width="440" cellpadding="0" cellspacing="0" style="font-family:sans-serif;line-height:16px;width:440px;border-collapse:collapse;color:#333;" class="">
                    <tbody class=""><tr class="">
                        <td valign="top" width="361" class="">
                            <table cellpadding="0" cellspacing="0" width="361" style="font-family:sans-serif;line-height:16px;width:361px;border-collapse:collapse;color:#333;" class="">
                                <tbody class=""><tr class="">
                                    <td valign="top" class=""><div style="margin: 0.75pt; color: rgb(51, 51, 51); font-size: 12px; font-family: Arial, sans-serif; font-weight: 700;" class=""> Priscilla Barolo </div>
                                    </td>
                                </tr>
                                <tr class="">
                                    <td valign="top" class=""><div style="margin: 0.75pt; font-size: 12px; font-family: Arial, sans-serif;" class="">
                                            <span class="">Manager, Communications</span>
                                        </div>
                                    </td>
                                </tr>
                                <tr class="">
                                    <td valign="top" style="padding-bottom:4px;" class=""><div style="margin: 0.75pt; font-size: 12px; font-family: Arial, sans-serif;" class="">
                                            <span class="">Zoom Video Communications</span>
                                        </div>
                                    </td>
                                </tr>
                                <tr class="">
                                    <td valign="top" class=""><div style="margin: 0.75pt; font-size: 12px; font-family: Arial, sans-serif;" class="">
                                            
                                            <span style="color:#333;font-weight:700;" class="">Call</span>
                                            <a href="tel:650-438-9456" style="text-decoration:none;color:#333;" class="">650-438-9456</a><span style="color:#B7B7B7;font-weight:700;" class=""> | </span>
                                            <span class=""> </span>
                                            
                                            <span style="color:#333;font-weight:700;" class="">Click</span>
                                            <a href="https://zoom.us/" style="text-decoration:underline;color:#0D89FE;" class="">zoom.us</a>
                                            
                                            <span style="color:#B7B7B7;font-weight:700;" class=""> | </span>
                                            <span style="color:#333;font-weight:700;" class="">Zoom</span>
                                            <a href="http://zoom.us/j/650-438-9456" style="text-decoration:none;color:#333;" class="">650-438-9456</a>
                                            
                                        </div>
                                    </td>
                                </tr>
                            </tbody></table>
                        </td>
                    </tr>
                </tbody></table>
            </td>
        </tr>
    </tbody></table>
<br class=""><br class="">
</div></div><br class=""></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 9, 2019 at 12:20 PM Vaibhav Aggarwal <<a href="mailto:va@thevaibhav.com" class="">va@thevaibhav.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" class="">Dear Eric,<div class=""><br class=""></div><div class="">I am in receipt of this following email content : </div><div class=""><br class=""></div><div class="">Hey - remember when ICANN switched everyone from Adobe over to Zoom as a way of enhancing information security and data privacy?<div class=""><br class=""></div><div class="">"A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission... This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. 
This re-install ‘feature’ continues to work to this day."</div><div class=""><br class=""></div><div class="">Read more here: <a href="https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5" target="_blank" class="">https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5</a></div></div><div class=""><br class=""></div><div class="">Please Clarify if my privacy is at risk. And the steps taken to protect my privacy.</div><div class=""><br class=""></div><div class="">Regards,</div><div class=""><br class=""></div><div class="">Vaibhav Aggarwal</div><div class="">New Delhi, India</div><div class=""><a href="http://vaibhavaggarwal.com/" target="_blank" class="">vaibhavaggarwal.com</a> </div><div class=""><a href="http://twitter.com/thevaibhag" target="_blank" class="">twitter.com/thevaibhag</a></div><div class=""><a href="http://youtube.com/+vaibhavaggarwalindia" target="_blank" class="">youtube.com/+vaibhavaggarwalindia</a>  </div></div></blockquote></div>
</div></blockquote></div><br class=""></div></div>_______________________________________________<br class="">Gnso-newgtld-wg mailing list<br class=""><a href="mailto:Gnso-newgtld-wg@icann.org" class="">Gnso-newgtld-wg@icann.org</a><br class=""><a href="https://mm.icann.org/mailman/listinfo/gnso-newgtld-wg" class="">https://mm.icann.org/mailman/listinfo/gnso-newgtld-wg</a><br class="">_______________________________________________<br class="">By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>