
Chinese-English edition: A software flaw in the video conferencing app ZOOM can let hackers control your webcam

A ZOOM Flaw Gives Hackers Easy Access to Your Webcam
Source: Bob Mok



The video conferencing software ZOOM swept the internet last year and captured the largest share of the video conferencing market. Recently, ZOOM has run into programming errors and other security problems and has suffered setbacks as a result. For the earlier article on this topic, please click: http://chinesenewsgroup.com/news/668647

The video conferencing software “ZOOM” took the internet by storm last year, capturing the lion's share of video-conference users. Recently, it suffered a series of setbacks relating to programming bugs and other security issues. For the previous article on this subject, please click: http://chinesenewsgroup.com/news/668647

(Chinese News Group / 096.ca feature): The first ZOOM incidents involved it installing unauthorized software on APPLE computers during and after the software installation, bypassing the system administrator's permissions and notifications. Later, people complained about ZOOM's privacy policy, alleging that it transferred user information to Facebook without telling users clearly.

The first ZOOM incidents involved unauthorized software being installed on APPLE computers during and after the installation, bypassing system administrator rights and notifications. Later on, complaints showed up regarding ZOOM's privacy policy, alleging that ZOOM is not explicit about its transfer of users' information to Facebook.




Users found that the Apple version of ZOOM sends some analytics data to Facebook even if the user has no Facebook account.

It was found that the iOS (APPLE) version of the ZOOM application is sending some analytics data to Facebook, even if ZOOM users don't have a Facebook account.

When a user opens the ZOOM application, it notifies Facebook. The data include the user's device model, time zone, city and the mobile network carrier in use. Once users' identities are exposed, advertisers can target them with advertisements.

Facebook is notified by ZOOM when the user opens the ZOOM application. The data include the user's device model, time zone, city and phone carrier used. The user's unique advertising identifier from the device, which allows companies to target that user with advertisements, is also included.

ZOOM's privacy policy says: "When you use our products, our third-party service providers and advertising partners (such as Google Ads and Google Analytics) automatically collect some information about you," but it does not specifically link such activity to Facebook. ZOOM apologized for this and promised to remain steadfast in protecting user data. A newer version of ZOOM has since included a patch that fixes the problem.

ZOOM's privacy policy says "our third-party service providers, and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you when you use our Products," but does not link this sort of activity to Facebook specifically. Once again, ZOOM apologized for this oversight and promised to remain firmly committed to the protection of its users' data. A patch to fix the problem has since been included in a newer version of the application.



Another ZOOM privacy problem lies in the software's "Company Directory" feature. If a user's email domain is the same as other people's, that user's information is automatically added to those other people's contact lists.

Another privacy issue with ZOOM lies in the software's "Company Directory" setting, which automatically adds other people to a user's list of contacts if they signed up with an email address that shares the same internet domain (company).

The purpose of this practice is to let people who share a domain easily find their colleagues. However, many ZOOM users say that they signed up for ZOOM with a personal email address, yet ZOOM pooled them together with thousands of other people as if they all worked for the same company, with the result that their personal information was exposed. ZOOM has not been able to offer a satisfactory answer to this problem.

The intention is to make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple ZOOM users say they signed up with personal email addresses, and ZOOM pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another. ZOOM does not offer a satisfactory answer to this issue.

Some serious programming errors also allow others to steal ZOOM users' passwords. When using the ZOOM client, meeting participants can communicate with one another by sending text messages through the chat interface. When a chat message is sent, every URL in it is converted into a hyperlink so that other participants can click it and open it in their default browser. A ZOOM programming error allows others to steal the Windows credentials of users who click such a link. ZOOM later fixed the problem with a patch.

Some serious programming bugs also allow the stealing of passwords from ZOOM users. When using the ZOOM client, meeting participants can communicate with each other by sending text messages through a chat interface. When sending a chat message, any URLs that are sent are converted into hyperlinks so that other members can click on them to open a web page in their default browser. A programming bug allows attackers to steal the Windows credentials of users who click on the link. Once again, a patch was made to resolve the issue.
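As an added illustration of the class of defect described above (example code, not ZOOM's own), here is a chat linkifier that turns every link-looking token into a clickable hyperlink, beside a hardened version that only auto-links http(s) URLs and leaves anything else (for example file-share paths) as escaped plain text. The sample chat messages are constructed.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample chat messages (not taken from the article).
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    "see \\\\fileserver\\share\\notes.txt",
    "or file://fileserver/share/notes.txt",
    "<b>not</b> a link",
]

# Only these schemes are allowed to become clickable links.
ALLOWED_SCHEMES = {"http", "https"}

# Matches anything that looks like a link: "scheme://..." or a "\\host\path" token.
LINK_RE = re.compile(r"""(?P<url>[a-zA-Z][a-zA-Z0-9+.-]*://\S+|\\\\\S+)""")


def linkify_naive(message):
    """Vulnerable pattern: every link-looking token becomes a clickable hyperlink,
    whatever its scheme, and the message is not HTML-escaped."""
    def repl(m):
        url = m.group("url")
        return f'<a href="{url}">{url}</a>'
    return LINK_RE.sub(repl, message)


def is_safe_link(url):
    """A link may be auto-linked only if it is http(s) and names a host."""
    parsed = urlparse(url)
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


def linkify_safe(message):
    """Hardened pattern: HTML-escape all text and auto-link only http(s) URLs;
    anything else that looks like a link is left as inert plain text."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = m.group("url")
        if is_safe_link(url):
            esc = html.escape(url)
            out.append(f'<a href="{esc}">{esc}</a>')
        else:
            out.append(html.escape(url))  # stays text, cannot be clicked
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)
```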



Another ZOOM programming flaw is that a person with low-level user privileges can inject malicious code into the ZOOM program to obtain the highest level of user privileges, known as "root". With root-level privileges, a hacker can access the APPLE operating system, making it easier to run malware or spyware without the user noticing. Once the malicious code is installed in ZOOM, it gives no prompt at all. Through ZOOM, a hacker can control your webcam and microphone and record audio and video at will! Imagine the consequences if your webcam and microphone were controlled by a hacker. ZOOM currently has no fix for this problem.

Yet another programming imperfection allows a local attacker with low-level user privileges to inject the ZOOM installer with malicious code to obtain the highest level of user privileges, known as "root". With root-level user privileges, the attacker can access the APPLE operating system, making it easier to run malware or spyware without the user noticing. When malicious code is injected into ZOOM, it tricks ZOOM into giving the attacker the same access to the webcam and microphone that ZOOM already has. There are no additional prompts, and the injected code was able to arbitrarily record audio and video! Imagine your camera and microphone being controlled by a hacker. ZOOM does not offer any solution.

Although ZOOM claims to offer end-to-end encryption, it is not what we understand that term to mean. They actually use transport encryption, and ZOOM itself can see the unencrypted video and audio content. So when a ZOOM meeting is held, your video and audio cannot be stolen by a hacker over Wi-Fi, but ZOOM can see them.

While ZOOM claims to provide end-to-end encryption, it is not the same as what we understand it to be. They actually use transport encryption, and the ZOOM service itself can access the unencrypted video and audio content of ZOOM meetings. So when you have a ZOOM meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.

Without end-to-end encryption, ZOOM has the technical ability to monitor private video meetings (the Chinese government likes this capability, and ZOOM cannot refuse to cooperate with the Chinese government) and could sell recordings of meetings to others for profit.

Without end-to-end encryption, ZOOM has the technical ability to spy on private video meetings (for the Chinese government, for instance, since it cannot refuse to co-operate) and could possibly hand over recordings of meetings to others for profit.



Many users have found that the security of ZOOM meetings is not as good as its ease of use suggests. ZOOM uses non-standard encryption techniques that have identifiable weaknesses. Computer security professionals found that the keys used to encrypt and decrypt meetings were transmitted to servers located in China. This arrangement makes it easy for technologically well-resourced countries (including the People's Republic of China) to collect meeting content.

Many users are finding out that the implementation of call security in ZOOM may not match its exceptional user friendliness. The ZOOM application uses non-industry-standard cryptographic techniques with identifiable weaknesses. Computer security professionals discovered that keys for encrypting and decrypting meetings are transmitted to servers in Beijing, China. Such an arrangement presents a clear target to reasonably well-resourced nation-state attackers, including the People's Republic of China.

This month, hackers broke into a ZOOM video classroom in Singapore, showed pornographic content to high school girls attending a geography class and demanded that they undress. Singapore has now banned the use of ZOOM in online teaching until the problems are resolved. Berkeley High School in the United States banned the software after its ZOOM classes were attacked by hackers. Taiwan's education authorities have also banned ZOOM, and Germany has restricted its use in its education system.

This month, hackers entered a ZOOM video classroom session in Singapore, displayed pornography to the high school girls attending a geography class and demanded that they undress. Singapore has now banned ZOOM in its remote classroom programs until the issues are solved. Berkeley High School in the USA encountered hacking of its ZOOM video classroom sessions as well and also banned the use of the software. Taiwan's education department also banned the use of ZOOM, and Germany has limited the use of ZOOM in its education system.

Faced with so many security and privacy problems, it is no wonder that over the past few months many users have switched from ZOOM to other video conferencing software.

With so many security and privacy issues, it is no wonder that over the last few months many users have been walking away from ZOOM and turning to other video conferencing software and services.




©2013 - 2024 chinesenewsgroup.com Chinese News Group Ltd. 大中资讯网. All rights reserved. 
Distribution, transmission or republication of any material from chinesenewsgroup.com is strictly prohibited without the prior written permission of Chinese News Group Ltd.