
Bug in video conferencing app Zoom allows websites camera access on Macs

Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app for Macs. He has demonstrated that any website can open a video-enabled call on a Mac with the Zoom app installed, meaning a Zoom user’s camera can be hijacked by a malicious website.

The problem exists because Zoom installs a local web server that accepts video call requests. Worse, uninstalling the app does not remove the server, which can then reinstall Zoom without user intervention.

According to Jonathan Leitschuh, the researcher who discovered the security flaw, all that is needed to exploit the vulnerability is a malicious link. Once a user clicks the link, the computer will be auto-joined to a video conference call. Leitschuh says it works even if Zoom has been previously uninstalled.

https://twitter.com/mathowie/status/1148391109824921600

Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh’s account, Zoom doesn’t appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it’s not an issue with their browsers, there’s not much those developers can do.

Having your camera turned on remotely is bad enough, but the mere existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to mount a denial-of-service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.

You can “patch” the camera issue yourself by making sure the Mac app is up to date and disabling the setting that lets Zoom turn your camera on when joining a meeting, illustrated below. Again, simply uninstalling Zoom won’t fix this problem, because the web server persists on your Mac. Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post.

According to Zoom’s blog post on the vulnerability, the fix will now “remove the local web server entirely, once the Zoom client has been updated,” taking away a malicious third party’s ability to automatically activate webcams using a Zoom link. The vulnerability arises from the fact that Zoom installs a local web server on Macs on which its application is installed, which allows the platform to bypass a security measure in Safari 12 that prompts users with a dialog box to confirm before joining a new meeting.
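The defect the article describes, a localhost helper server that acts on whatever request a browser delivers, reduced to a runnable illustration. This is an added example, not Zoom’s code: the ephemeral port, the `/join` path, the `TRUSTED_ORIGIN` and the install token are all assumptions, and the hardened handler shows the two checks (an Origin allowlist plus a per-install secret that a foreign web page cannot know) that keep an arbitrary site from driving the server.

```python
# Added example, not Zoom's code: why a localhost helper server must
# authenticate its callers. WeakHandler acts on any request a browser
# delivers; HardenedHandler requires a trusted Origin and a per-install
# secret a foreign page cannot know. Port, paths and the "join" action
# are constructed stand-ins, not Zoom's real interface.
import json, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

INSTALL_TOKEN = secrets.token_urlsafe(32)       # constructed per-install secret
TRUSTED_ORIGIN = "https://vendor.example"       # assumed vendor origin

class WeakHandler(BaseHTTPRequestHandler):
    """Acts on any GET, so any site the user visits can trigger 'join'."""
    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        self.reply(200, {"joined": q.get("meeting", [""])[0]})
    def reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args): pass  # keep stderr quiet

class HardenedHandler(WeakHandler):
    """Refuses cross-site callers: Origin must match and the token must be known."""
    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        # A missing or foreign Origin is rejected; browsers set it on cross-site requests.
        if self.headers.get("Origin") != TRUSTED_ORIGIN:
            return self.reply(403, {"error": "untrusted origin"})
        if not secrets.compare_digest(q.get("token", [""])[0], INSTALL_TOKEN):
            return self.reply(403, {"error": "bad token"})
        self.reply(200, {"joined": q.get("meeting", [""])[0]})

def serve(handler):  # loopback only, ephemeral port; returns the port
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def call(port, meeting, origin, token=""):
    """Simulate the request a browser sends on behalf of a page at `origin`."""
    req = Request(f"http://127.0.0.1:{port}/join?meeting={meeting}&token={token}",
                  headers={"Origin": origin})
    try:
        with urlopen(req, timeout=2) as r:
            return r.status, json.loads(r.read())
    except HTTPError as e:
        return e.code, json.loads(e.read())
```

Against the weak server a request carrying a hostile Origin still succeeds; against the hardened one the same request, and even a correct-Origin request without the token, is refused with 403.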

Here’s the update text, and Zoom’s directions for how to install it and/or remove the web server entirely:

The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:

1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.

2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
