Zoom installer does a stupid

> When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom

> But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege
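The difference between trusting a name and verifying a signature, as an added illustration that is not Zoom's code and not from the quoted article: a constructed updater in Go, with a placeholder vendor name and an ed25519 key pair standing in for the real signing certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package is a constructed stand-in for an update bundle: the payload bytes,
// a self-declared signer name in its metadata, and a detached signature.
type Package struct {
	Payload    []byte
	SignerName string // attacker-controlled metadata, not proof of anything
	Signature  []byte
}

// Placeholder vendor name; not Zoom's real certificate subject.
const TrustedSignerName = "Example Vendor Inc."

// WeakCheck mirrors the bug quoted above: it accepts any package whose
// metadata merely claims the trusted name. No cryptography is involved.
func WeakCheck(p Package) bool {
	return p.SignerName == TrustedSignerName
}

// StrongCheck verifies the detached signature over the payload against a
// public key pinned in the updater. The name field plays no role.
func StrongCheck(pub ed25519.PublicKey, p Package) bool {
	return len(p.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pub, p.Payload, p.Signature)
}

// SignPackage builds a genuine package; only the vendor holds priv.
func SignPackage(priv ed25519.PrivateKey, payload []byte) Package {
	return Package{Payload: payload, SignerName: TrustedSignerName,
		Signature: ed25519.Sign(priv, payload)}
}

// RunDemo reports whether a forged package (trusted name, garbage signature)
// passes the weak check, whether it passes the strong check, and whether a
// genuine package passes the strong check. Expected: true, false, true.
func RunDemo() (weakFooled, strongFooled, genuineOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignPackage(priv, []byte("vendor update v1"))
	forged := Package{Payload: []byte("not the vendor's code"),
		SignerName: TrustedSignerName, Signature: make([]byte, ed25519.SignatureSize)}
	return WeakCheck(forged), StrongCheck(pub, forged), StrongCheck(pub, genuine)
}

func main() {
	fmt.Println(RunDemo())
}
```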

@rysiek Considering this was the company saying their product was E2E encrypted and finally had to admit it was only transport encryption (in simple terms: https) – is anyone surprised? I'm just surprised they're still around and widely used. Should have gone down the sink long ago…


@IzzyOnDroid oh nobody is surprised. It's still worth documenting their ongoing ineptitude.

Mastodon for Tech Folks