Adorcam Leaks Thousands of Webcam Accounts

A webcam application used by a large number of customers left a database full of user data exposed on the internet without a password. The Elasticsearch database belonged to Adorcam, an app for viewing and controlling several webcam models, including Zeeporte and Umino cameras. Security researcher Justin Paine found the exposure and contacted Adorcam, which then secured the database. The Adorcam app is built for the P2P IP camera series: users only need to enter the camera ID and password to watch real-time video from any purchased IP camera on their phone, with no IP or router configuration required.

In a blog post, Paine said the database contained around 124 million rows of data for several thousand users, including live details about each webcam (for example its location, whether the microphone was active, and the name of the WiFi network the camera was connected to) and information about the webcam owner, such as email addresses. Paine also found evidence of cameras uploading captured stills to the app's cloud, but he could not confirm this because the links had expired.

He also found hardcoded credentials in the database for the app's MQTT server; MQTT is a lightweight messaging protocol often used by internet-connected devices. Paine did not test the credentials (doing so would be unlawful in the U.S.) but alerted the app's developer, who then changed the password. Paine verified that the database was being updated live by signing up for a new account and finding his own data in it. Although the data was limited in sensitivity, Paine warned that a malicious actor could craft convincing phishing emails or use the data for extortion.
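The two failure modes in this story, an Elasticsearch node answering without authentication and secrets (the MQTT credentials) stored in plain text inside indexed documents, are both things a data owner can audit before a researcher does. The script below is an added example, not Adorcam's code or Paine's tooling: it parses a constructed elasticsearch.yml fragment and flags the settings that expose the node, then walks a small set of constructed documents (shaped like the per-device records the report describes, with the two index names quoted later in the post) and reports which indices hold personal data and which hold credential-like fields. The field names, hosts and values are made up for illustration.

```python
import re

# Constructed elasticsearch.yml fragment modelled on a typical exposed node:
# security disabled and the HTTP listener bound to every interface.
WEAK_CONFIG = """
cluster.name: webcam-backend
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# The same node as a defender would configure it: authentication on, TLS on,
# and the HTTP API reachable only from the local host (or behind a firewall).
HARDENED_CONFIG = """
cluster.name: webcam-backend
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "_local_"}


def parse_settings(yaml_text):
    """Parse the flat 'key: value' lines Elasticsearch uses (no nesting needed here)."""
    settings = {}
    for line in yaml_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def config_findings(yaml_text):
    """Return the exposure findings for a node configuration (empty list = none)."""
    s = parse_settings(yaml_text)
    findings = []
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("authentication disabled (xpack.security.enabled is not true)")
    host = s.get("network.host", "_local_")
    if host not in LOOPBACK_HOSTS:
        findings.append(f"HTTP API bound to a non-loopback address ({host})")
    return findings


# Constructed hits shaped like the device records described in the report:
# owner e-mail, Wi-Fi SSID, location, microphone state, and an MQTT credential
# block that should never have been indexed at all. All values are invented.
SAMPLE_DOCS = [
    {"_index": "request_adorcam_abroad_user", "_source": {
        "user_email": "owner@example.com", "cam_id": "ZP-0001",
        "wifi_ssid": "HomeNet", "mic_enabled": True,
        "location": {"lat": 0.0, "lon": 0.0},
        "mqtt": {"host": "mqtt.example.invalid", "username": "svc", "password": "s3cret"}}},
    {"_index": "request_adorcam_cn_user", "_source": {
        "user_email": "other@example.com", "cam_id": "UM-0002",
        "wifi_ssid": "OfficeAP", "mic_enabled": False}},
]

PII_FIELDS = {"user_email", "wifi_ssid", "location"}
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api_key)", re.I)


def walk(obj, path=""):
    """Yield (dotted_path, value) pairs for every leaf in a nested document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    else:
        yield path, obj


def classify_document(doc):
    """Return the top-level PII fields and the credential-like paths in one hit."""
    pii, secrets = set(), []
    for path, value in walk(doc["_source"]):
        top, leaf = path.split(".")[0], path.split(".")[-1]
        if top in PII_FIELDS:
            pii.add(top)
        if SECRET_KEY_RE.search(leaf) and value not in (None, ""):
            secrets.append(path)
    return {"index": doc["_index"], "pii": sorted(pii), "secrets": secrets}


def exposure_report(docs):
    """Summarise per index which PII and secret fields a dump would leak."""
    report = {"indices": {}, "docs_with_secrets": 0}
    for doc in docs:
        c = classify_document(doc)
        entry = report["indices"].setdefault(
            c["index"], {"docs": 0, "pii_fields": set(), "secret_fields": set()})
        entry["docs"] += 1
        entry["pii_fields"].update(c["pii"])
        entry["secret_fields"].update(c["secrets"])
        if c["secrets"]:
            report["docs_with_secrets"] += 1
    return report


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, config_findings(cfg) or ["no findings"])
    print(exposure_report(SAMPLE_DOCS))
```

The config check deliberately treats a missing `xpack.security.enabled` as a finding: the point is that an operator should have to state affirmatively that authentication is on. The document scan is the part that would have caught the MQTT password: credentials belong in a secrets store referenced by the service, not in a row that every reader of the index can retrieve, and an index that mixes live device telemetry with owner identities is exactly the combination that makes targeted phishing credible.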

In his report, Paine pointed out that the database distinguished between Adorcam's Chinese users and its users outside China, saying, “One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example: request_adorcam_cn_user vs. such as request_adorcam_abroad_user. Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.”

Flaw in Zoom app could allow Mac webcams to be hacked

Jonathan Leitschuh, a US-based security researcher, on Monday publicly disclosed a major zero-day vulnerability in the Zoom video conferencing software. Leitschuh demonstrated that any website can start a video-enabled call through the Zoom client on a Mac, via a local web server that the Zoom app installs.

According to a report by The Verge, this server accepts requests that a regular browser would not. The report adds that even if you uninstall the Zoom software, the server remains and can reinstall Zoom without the user's consent. As Leitschuh found, any website can hijack the Zoom software and force a Mac user to join a call with the webcam activated, without their permission, unless a specific setting is enabled.

In a Medium post published on Monday, Leitschuh demonstrated the flaw with a link which, when clicked, takes Mac users who have the Zoom app installed (or have used it before) into a conference room with their webcam activated. He notes that this code can be embedded in any website, in malicious ads, or in a phishing campaign.

Leitschuh further writes that even if Mac users uninstall the Zoom app, the local web server remains and will “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

The Verge said it tested the flaw using Leitschuh's demo and confirmed that clicking the link auto-joins users to a conference call with the webcam on, provided they have used the Zoom app and have not checked a particular checkbox in its settings.

According to Leitschuh, he contacted Zoom on March 26 earlier this year and said he would disclose the exploit publicly after 90 days. In his view, Zoom has not done enough to resolve the problem. The vulnerability was also disclosed to the Chromium and Mozilla teams, but because it is not an issue with their browsers, there is little those developers can do about it.