On Monday a security researcher published details on several security and privacy issues with the massively popular video conferencing software Zoom after the company failed to properly fix or address them. One issue allows websites to turn on a Mac user's webcam without their explicit consent or perhaps knowledge. The vulnerabilities are still active as of the time of this article's publication.
"You can still use this exploit to launch someone into a call without their permission," Jonathan Leitschuh, a security engineer at open source system Gradle, wrote in a Medium post, along with two proof-of-concept links Mac Zoom users can try themselves.
Clicking this link on a Mac will launch you into a Zoom call: https://jlleitschuh.org/zoom_vulnerability_poc/
Clicking this link on a Mac will launch you into a Zoom call with your camera switched on: https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
Motherboard verified that the issue with a link turning on a user's webcam still exists at the time of writing.
The problem lies in how Zoom allows whoever sets up the call—be that someone creating a conference call for a company, or perhaps a hacker—to decide whether participants' webcams are enabled at the start of the call or not. Leitschuh says Zoom did fix this, and stopped an attacker from turning on a user's video camera, but then an issue with the patch was discovered, still allowing a hacker to turn on the camera. Leitschuh gave Zoom 90 days to fix the issues before he published details publicly, a common practice in information security.
After including a snippet of code in his write-up, Leitschuh says "all a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running." This could be used for malicious adverts, or perhaps a phishing campaign, Leitschuh writes.
Going through Zoom's options, Leitschuh found the setting "Participants: On", and discovered he could feed that option into his custom, malicious URL.
Another issue is that even if a user has uninstalled the app, Zoom still leaves a web server up and running on the user's computer, allowing Zoom to still download software onto the machine. This isn't some oversight, but a deliberate decision by Zoom—this is designed for Zoom to be able to swiftly, and it seems surreptitiously, re-install the app if a user visits a Zoom conference link.
"What I found out was that this web server can also re-install the Zoom app if a user has uninstalled it," Leitschuh wrote.
Leitschuh said he searched for several hours in both official and unofficial documentation for any mention of this desktop web server. "This webserver’s API is completely undocumented as far as I can tell," he wrote.
"Having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me. Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher," he added.
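To show what that red flag means in practice, here is an added illustration (not Zoom's code, nor anything from Leitschuh's write-up) of the bug class the article describes: a localhost HTTP server that performs an action on any GET request, beside the authorization check a defender would add. The `/launch` path, the shared token and the allowed origin are assumptions made for the example.

```python
# Added illustration (not Zoom's or Leitschuh's code) of the bug class above: a
# localhost HTTP server that acts on any GET can be driven by any website, because
# an <img> or <iframe> pointing at http://127.0.0.1:<port>/... makes the browser
# send that request. The /launch path, token and origin below are assumptions.
import secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed: client and helper server share this token out of band, never via the web.
API_TOKEN = secrets.token_hex(16)
ALLOWED_ORIGINS = {"https://app.example.invalid"}  # assumed origin of the real client

def authorize(headers, query, token=API_TOKEN, allowed=ALLOWED_ORIGINS):
    """True only when the request proves it comes from the trusted client."""
    origin = headers.get("Origin")
    if origin is not None and origin not in allowed:
        return False  # a third-party page is driving the request via fetch/XHR
    # <img>/<iframe> loads carry no Origin at all, so its absence proves nothing;
    # a secret the web page cannot know is the check that actually matters.
    presented = query.get("token", [None])[0]
    if presented is None:
        return False
    return secrets.compare_digest(presented.encode(), token.encode())

class LocalApiHandler(BaseHTTPRequestHandler):
    strict = True  # False reproduces the weak behaviour: act on any GET

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/launch":
            return self.send_error(404)
        if self.strict and not authorize(self.headers, parse_qs(url.query)):
            return self.send_error(403)
        self.send_response(200)  # a real helper would launch the desktop client here
        self.end_headers()
        self.wfile.write(b"launched\n")

def demo():
    """Run the strict server on an ephemeral port and probe it the way a page would."""
    srv = HTTPServer(("127.0.0.1", 0), LocalApiHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}/launch"
    results = {}
    for name, url in {"no_token": base, "with_token": f"{base}?token={API_TOKEN}"}.items():
        try:
            results[name] = urllib.request.urlopen(url).status
        except urllib.error.HTTPError as err:
            results[name] = err.code
    srv.shutdown()
    return results  # {'no_token': 403, 'with_token': 200}
```

Setting `LocalApiHandler.strict = False` before calling `demo()` shows the weak behaviour, where the token-less request also succeeds.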
In his Medium post, Leitschuh provided a set of mitigations you can follow to remove the web server from your Mac. They require pasting some short commands into the terminal of your machine.
Leitschuh communicated with Zoom throughout his disclosure process about the issues, he adds in the Medium post. In a blog post published to its website, Zoom said "In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms."
As for the web server, Zoom wrote, "We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution."
In response to a question from Motherboard specifically asking if Zoom planned to remove the web server from users’ machines, a spokesperson wrote in an email, “We did not have an easy way to help a user delete both the Zoom client app and also the Zoom local web server app that launches our client. This was an honest mistake. The user needs to manually locate and delete those two apps for now. By this weekend we will introduce a new app to help user easily delete both apps.”
After the publication of this article, Zoom updated its blog post to say the company is issuing a patch Tuesday, July 9th, that will remove the web server component of its software.
"We are stopping the use of a local web server on Mac devices," the blog post reads. It also adds that Zoom will now more readily allow users to manually uninstall the application, including the web server.
Update: This piece has been updated to include more comment from a Zoom spokesperson, and more information from Zoom's updated blog post.