Allele Security Alert
Information Disclosure by forcing users to join a video call with the video camera active
Zoom Video Communications, Inc
Zoom Client versions 4.4.4 and earlier
Proof of concept
Remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424.
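A host-side check for the listener described above, as an added example that is not part of the original alert: it parses `lsof -nP -iTCP -sTCP:LISTEN` output and reports any process listening on port 19421 or 19424. The function names, the sample output and the process names in it are constructed for illustration, and it assumes a host where `lsof` is available.

```python
import shutil
import subprocess

# Ports named in the alert for the Zoom local web server.
ZOOM_LOCAL_PORTS = {19421, 19424}


def find_listeners(lsof_output, ports=ZOOM_LOCAL_PORTS):
    """Return (command, pid, address) for each LISTEN socket on a watched port."""
    hits = []
    for line in lsof_output.splitlines():
        fields = line.split()
        # Data rows end with the socket address followed by "(LISTEN)";
        # the header row and blank lines do not, so they are skipped.
        if len(fields) < 3 or fields[-1] != "(LISTEN)":
            continue
        address = fields[-2]
        port_text = address.rsplit(":", 1)[-1]
        if port_text.isdigit() and int(port_text) in ports:
            hits.append((fields[0], int(fields[1]), address))
    return hits


def scan_host():
    """Run lsof on this machine; returns None when lsof is not installed."""
    if shutil.which("lsof") is None:
        return None
    result = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return find_listeners(result.stdout)


# Constructed sample output (process names, PIDs and devices are made up).
SAMPLE = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
exampled  411  alice  5u   IPv4 0x1a2b      0t0  TCP 127.0.0.1:19421 (LISTEN)
otherapp  502  alice  9u   IPv4 0x3c4d      0t0  TCP *:8080 (LISTEN)
exampled  411  alice  6u   IPv6 0x5e6f      0t0  TCP [::1]:19424 (LISTEN)
"""

if __name__ == "__main__":
    for command, pid, address in find_listeners(SAMPLE):
        print(f"listener on watched port: {command} (pid {pid}) at {address}")
```

Calling `scan_host()` runs the same check against the live machine instead of the sample; a non-empty result means a local process is accepting connections on one of the two ports.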
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
Zoom Vulnerability POC
Zoom Response Video-On Vulnerability
Response to Video-On Concern
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: July 9, 2019