A serious zero-day vulnerability has been disclosed in Zoom video conferencing app on the Mac.
Security researcher Jonathan Leitschuh, in a Medium post, detailed the flaw that could let websites hijack your Macâs camera and âforciblyâ join you to a Zoom call without your permission.
Zoom is one of the most popular cloud-based enterprise communication platforms that offers chat, video and audio conferencing, and options to host webinars and virtual meetings online. About four million of its users are on Mac.
The vulnerability takes advantage of a pretty simple feature that gives Zoom users an easy way to dial into video conference calls with the tap of a link â something like https://zoom.us/j/999999999, where â999999999â is a random nine-digit meeting ID that expires once the meeting ends.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
â Matt Haughey (@mathowie) July 9, 2019
This ensures that as long as the Zoom app is running in the background, if you open the meeting link on your browser, it automatically launches the Zoom client on your Mac.
Leitschuh found this functionality was not securely implemented. Not only can a user be auto-joined to a Zoom video conference call by merely clicking on the meeting link, this works even if you no longer have the Zoom app installed.
Itâs because when you install the Zoom app, it also installs a web server locally to accept meeting requests. The troubling part here is that post uninstalling the app, the server still persists and can re-install the app without requiring your intervention.
Letâs not overlook the root of the problem here: Zoom designed their application so the person controlling the meeting decided if your video camera is on, NOT YOU.
This was done on purpose by their product designers.â PlaneOnSecurity (@SwiftOnSecurity) July 9, 2019
This effectively means, in order to exploit this vulnerability, all an attacker needs to do is create an invite link through his account on Zoom, embed it on a website as a malicious ad, and just lure the target into visiting that website.
The camera, however, can be turned off if you have ticked the option âTurn off my video when joining a meeting.â
Leitschuh originally disclosed the flaw on March 26, 2019, but he mentioned the first actual meeting about how the vulnerability would be patched occurred on June 11, 2019, only 18 days before the end of the 90-day public disclosure deadline.
The timeline in the Medium post shows that Zoom fixed the vulnerability on June 21. But a regression earlier this month caused the bug to resurface again, prompting Zoom to fix the issue yesterday.
Heads up @zoom_us:
The fix for the security vulnerability that impacts ~4 million of your users has regressed.
90-day public disclosure deadline was June 24th.
Iâm going public tomorrow.
This is unacceptable.â Jonathan Leitschuh (@JLLeitschuh) July 7, 2019
âZoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the userâs video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site,â Leitschuh wrote.
The idea that any website you may visit from Mac has the capability to activate your video camera by default via an unauthorized Zoom call is alarming. Zoom has responded that it doesnât see âvideo on by default as a security vulnerability,â and that it allows users to set their own video preferences.
Zoom also said it developed the local web server as a workaround to changes that were added in Appleâs Safari browser that prompted Zoom users to confirm if they want to launch the app each time they clicked on a meeting link.
âThe local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting,â the company said â meaning Zoom essentially sidestepped browser security mechanisms to solve what it calls âpoor user experience.â
As a solution, the company â which went public earlier this April â plans to roll out an update this month that will save usersâ and administratorsâ preferences to turn on/off video when they first join a call.
But users who choose to keep the video option on will continue to be susceptible to malicious third parties as the company isnât looking to fundamentally change the appâs behavior on Macs.
Instead the onus will be on you to turn your camera off by default.
Itâs evident that Zoom has a tough problem on its hands as far as its Mac users are concerned â but it clearly isnât doing a good job of keeping them safe from unsolicited calls, as bad actors could trick them into clicking links and enabling their video streams.
The company would do well to think of a better way to address this than leaving it up to users to prevent this from happening.
Update on July 10, 9:30 AM IST:Â In a surprise reversal, Zoom has decided to kill its controversial practice of using a local web server on Macs devices. It has also pushed an emergency patch to remove the server completely, but it acknowledged it didnât currently have an easy way to uninstall both the client and the server.
âWe do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client,â Richard Farley, Zoomâs chief information officer, said.
âThe user needs to manually locate and delete those two apps for now. This was an honest oversight. As such, by this weekend we will introduce a new Uninstaller App for Mac to help the user easily delete both apps,â he added.
On Tuesday, the company had defended its use of a local web server, stating it enables users to join the meeting without having to do an extra click to get into a meeting. It also said it was a âlegitimate solution to a poor user experienceâ due to changes Apple introduced in Safari 12.
Get the TNW newsletter
Get the most important tech news in your inbox each week.