Thank you Dev for sharing this constructive information.<br><br>On Thursday, July 11, 2019, Dev Anand Teelucksingh <<a href="mailto:devtee@gmail.com">devtee@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><div>The security researcher Jonathan Leitschuh who publicly disclosed the Zoom security vulnerability has noted that depending on your browser setting on whether to always open Zoom links with the associated app is on, a malicious webpage (that could be hthanidden in a iframe) can automatically launch Zoom with your camera enabled without asking. This is true for Windows as well as for Mac for Firefox and Chrome browsers. <br></div><div><br></div><div>As he noted in his tweet at <a href="https://twitter.com/JLLeitschuh/status/1149123386855104516" target="_blank">https://twitter.com/<wbr>JLLeitschuh/status/<wbr>1149123386855104516</a> <br></div><div><br></div><div>Here is a Proof of Concept Link to see whether Zoom will autolaunch with your camera and mic enabled : <a href="https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html" target="_blank">https://jlleitschuh.org/zoom_<wbr>vulnerability_poc/zoompwn_<wbr>iframe.html</a></div><div><br></div><div>If your browser settings are set to always these type of Zoom links with the associated app, you <b>will</b> be automatically launched into a Zoom conference with your camera enabled. <br></div><div><br></div><div>How to prevent Zoom from auto-opening Zoom links on a webpage : <br></div><div><br></div><div>In Mozilla Firefox, <br></div><div>
<li>1) Click the menu button <span>
<img alt="Fx57Menu" src="https://user-media-prod-cdn.itsre-sumo.mozilla.net/uploads/gallery/images/2017-10-22-15-37-15-18c775.png" title="">
</span> and choose <span><span>Options</span>.</span>
</li><li>2) <span>In the <span>General</span> panel, go to the <strong>Applications</strong> section.</span>
</li></div><div>3) Search for the Content Type <strong>zoommtg</strong> and select it. <br></div><div>4) Click on the Action column in the <b>zoommtg</b> row to change the action to "<b>always ask</b>"</div><div><span>/<a href="http://twitter.com/JLLeitschuh/status/114912338685510dsds" target="_blank">twitter.com/JLLeitschuh/<wbr>status/114912338685510dsds</a></span><div><img src="cid:ii_jxyu0p6s1" alt="firefox-turning-off-automatic-open-zoom.png" width="520" height="425"></div><div><br></div><div>In Google Chrome: <br></div><div><br><br></div><div>This is harder for Google Chrome which saves such settings in a preferences file which isn't accessible from the browser. <br></div><div><br></div><div>From <a href="https://support.google.com/chrome/answer/114662" target="_blank">https://support.google.com/<wbr>chrome/answer/114662</a> <br></div><div><br></div><div>"Chrome allows external applications and web services to open certain
links. For example, certain links can open a site like Gmail or a
program like iTunes. If you set a default action for a type of link but
want to delete it, <a href="https://support.google.com/chrome/answer/2392709" target="_blank">clear your browsing data</a> (<a href="https://support.google.com/chrome/answer/2392709" target="_blank">https://support.google.com/<wbr>chrome/answer/2392709</a>) and select "Cookies and other site data." <br></div><div><br></div><div></div><div>Here's the more "hacky" way:</div><div></div><div>1) Navigate to chrome://version/ and find the path listed under "Profile Path".<br></div><div>2) Quit Chrome, open that directory, and then open the "Preferences" file. This will appear be a long line of text in a text editor. <br></div><div>3) Look for the string <code>"zoommtg":false</code> or <code>"zoomrc":false</code>. If it either exist, remove them. If there is a comma immediately after either string, remove it as well.<br></div><div>4) Save the file.</div><div>
</div><div><br></div><div></div><div>
<p>Visit Jonathan Leitschuh's Proof of Concept page at <strong> <a href="https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html" rel="nofollow" target="_blank">https://jlleitschuh.org/zoom_<wbr>vulnerability_poc/zoompwn_<wbr>iframe.html</a></strong> to see if your browser asks to open Zoom.
<br><strong></strong></p><p></p><p>This is what you will see in Mozilla Firefox :</p>
</div><div><div><img src="cid:ii_jxyvv6zc2" alt="firefox-ask-to-launch-zoom.png" width="541" height="341"><br></div></div><div><br></div><div>and this is what you will see in Google Chrome:</div><div><br></div><div><div><img src="cid:ii_jxyvzxo73" alt="chrome-ask-to-launch-zoom.png" width="541" height="165"><br></div></div><div><br></div><div><br></div>
</div></div>
</blockquote>