Package Details: zoom-firefox 0.0.3-0

Git Clone URL: https://aur.archlinux.org/zoom-firefox.git (read-only)
Package Base: zoom-firefox
Description: .desktop file for running Zoom in Firefox
Upstream URL: None
Licenses: MIT
Submitter: Duologic
Maintainer: Duologic
Last Packager: Duologic
Votes: 1
Popularity: 0.050876
First Submitted: 2020-06-18 15:01
Last Updated: 2020-11-10 13:35

Latest Comments

Duologic commented on 2020-06-29 07:23

The URL posing the security risk has been deactivated/deleted via Zoom.

Duologic commented on 2020-06-28 13:41

Fixed the checksum, updated the rel too, just to be safe.

caleb commented on 2020-06-28 10:11

Your last update broke the package because you didn't update the checksum for the script that was modified. You should be able to fix the checksum without bumping the pkgrel again because -2 isn't yet buildable so nobody will have it installed unless they fixed it manually, in which case they don't need the fix.

Duologic commented on 2020-06-27 21:52

I've just pushed a new version that should work. Internal report has been made.

Duologic commented on 2020-06-27 21:48

It is from a corporate account; I'm reporting this incident so the necessary steps can be taken for potential leaks.

caleb commented on 2020-06-27 21:27

I appreciate you being willing to fix that, but I think in this case you might have to go above and beyond just a little bit. Besides the user ID parameter that revealed itself a bit, there are a bunch of other encoded parameters being passed. Before distributing this I think it would be reasonable to expect some documentation on what data exactly was being encoded and passed. Zoom Inc. has a bad enough track record with security and privacy issues that one of the main reasons to run this in-browser option as opposed to their client is that nobody trusts their code. It doesn't really help running it in the browser if we also have to cross our fingers that the data being hard-coded and passed in this setup isn't tied to some other user or creating other unwanted associations.

Duologic commented on 2020-06-27 20:09

Great catch, will resolve when I get home and make sure the ID is disabled.

caleb commented on 2020-06-27 18:59

Edit: This issue appears to be addressed. The leaked info is still in history but installing the current version looks like it passes a pretty simple URL that manifestly doesn't contain any extra data.

BEWARE: This appears to have the poster's (or somebody's) Zoom ID encoded in the join parameters.