Podcast Episode 28: Zoom Zero-Day Vulnerability, WP Engine Buys Flywheel, and Other News
A security researcher found a vulnerability in the Mac client for Zoom, a popular video conferencing application: the client installs a hidden local web server (listening on port 19421) that lets a web page start a Zoom call with the user's camera on, and that can reinstall the client even after it has been removed. After the 90-day disclosure deadline and a further two weeks, the vulnerability still exists. Mitigating the vulnerability entails typing the following commands in a terminal, replacing [pid] with the process ID reported by the first command:
$> lsof -i :19421          # find the process listening on the Zoom web-server port
$> kill -9 [pid]           # stop that process
$> rm -rf ~/.zoomus        # delete the directory the hidden web server lives in
$> touch ~/.zoomus         # leave an empty file of the same name so it cannot be re-created
Run the first command again afterwards; it should return nothing, and ~/.zoomus should now be a plain file rather than a directory.
Wordfence Threat Analyst Mikey Veenstra verified that the Linux client for Zoom also turns video on automatically, but is not susceptible to the reinstall behaviour if the client has been removed.
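As an added example (not from the original episode notes and not anything Zoom ships), here are the same four Mac mitigation steps above wrapped in a small POSIX shell script that can be re-run safely: it finds and kills any process listening on the Zoom web-server port, replaces the ~/.zoomus directory with an empty file of the same name so the client cannot re-create it, and then verifies the result. It assumes macOS with lsof available; the ZOOM_HOME variable and all the function names are this example's own.

```shell
#!/bin/sh
# Added example: idempotent version of the manual Zoom web-server removal steps.
# Assumes macOS with lsof installed. ZOOM_HOME (an assumption of this example)
# overrides $HOME so the guard can be created somewhere else, e.g. in a test.

ZOOM_PORT=19421

# Path of the guard: the page's ~/.zoomus, relative to ZOOM_HOME or HOME.
zoom_guard_path() {
    printf '%s/.zoomus\n' "${ZOOM_HOME:-$HOME}"
}

# Print the PIDs of processes listening on the Zoom port, one per line.
# Prints nothing (and still succeeds) when lsof is missing or nothing listens.
zoom_listener_pids() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -nP -t -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null || true
}

# Kill every listener found; a missing listener is not an error.
zoom_kill_listeners() {
    pids=$(zoom_listener_pids)
    [ -n "$pids" ] || return 0
    for p in $pids; do
        kill -9 "$p" 2>/dev/null || true
    done
}

# Replace the ~/.zoomus directory with an empty regular file of the same name.
# Safe to call repeatedly: an existing guard file is left in place.
zoom_install_guard() {
    guard=$(zoom_guard_path)
    if [ -d "$guard" ]; then
        rm -rf "$guard"
    fi
    touch "$guard"
}

# Verification: succeeds only when the guard is a regular file and nothing
# listens on the Zoom port any more.
zoom_guard_ok() {
    guard=$(zoom_guard_path)
    [ -f "$guard" ] || return 1
    [ -z "$(zoom_listener_pids)" ] || return 1
    return 0
}

# Full mitigation: kill, guard, verify. Usage: . ./zoom_guard.sh && zoom_mitigate
zoom_mitigate() {
    zoom_kill_listeners
    zoom_install_guard
    zoom_guard_ok
}
```

The only behavioural difference from the manual steps is that the guard step checks whether ~/.zoomus is still a directory before removing it, so running the script a second time does not delete the guard file it created the first time.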
We also cover the WP Engine acquisition of Flywheel, cPanel’s new pricing structure and what it means for hosting providers, removal of price caps on .org domain names, critical security vulnerabilities in Magento, a WP Statistics XSS vulnerability, a hacked ad server pushing out SEON ransomware, British Airways’ landmark GDPR fine, breaches and leaks of the week, amongst many other stories.
Here are approximate timestamps in case you want to jump around:
1:30 Zoom Zero Day Vulnerability
10:12 WP Engine Acquires Flywheel
19:45 cPanel pricing structure changes
23:02 .org pricing caps removed
28:30 Magento vulnerabilities
32:15 XSS Vulnerabilities in WP Statistics
35:30 Ad server hacked, serving ransomware
38:00 YouTube
40:18 British Airways GDPR Fine
42:00 Breaches of the week: MongoDB leak and leaky S3 buckets
44:50 Ruby Gem “strong_password” supply chain attack
Find us on your favorite app or platform including Apple Podcasts, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.
Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.
This week in the news we cover:
- A security researcher has found a zero-day vulnerability in Zoom, the popular video conferencing software.
- WordPress-centric hosting provider WP Engine acquires Flywheel.
- Hosting panel provider cPanel announced pricing changes affecting hosting providers that offer cPanel.
- ICANN eliminates .org price caps affecting nonprofits using .org domains.
- Magento announced 75 security patches affecting a number of Magento versions.
- A large-scale payment card skimming campaign successfully breached 960 stores, though information on the initial intrusion vector is scant at this time.
- WordPress plugin WP Statistics recently patched an XSS flaw; this plugin is installed on 500,000 sites.
- A popular video conversion site, Onlinevideoconverter.com, had its ad server compromised, and the site ended up serving ransomware.
- Reports that YouTube banned hacking tutorial videos concern a number of information security professionals.
- The Information Commissioner’s Office announced a landmark fine on British Airways under GDPR following its 2018 customer data breach.
- An unsecured MongoDB database exposed 5 million records, including possibly health-related data.
- A contractor’s leaky S3 buckets exposed sensitive information belonging to Ford, Netflix and TD Bank.
- A popular Ruby gem strong_password fell victim to a supply-chain attack.
You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant. Please feel free to post your feedback in the comments below.