If you have an office job, chances are you get invited to a lot of meetings. In 2019, that means jostling to book a meeting room days in advance, or trying to figure out where the hell you put that link to the video conference.
The popular video conference app maker Zoom had a clever solution for that scenario, which made video conferencing a bit faster: it installed a local web server on your Mac that remained there even after you uninstalled the Zoom app, and that turned on your camera as soon as you joined a meeting. In practice, there were two Zoom apps: the video conferencing one, and the one that installs the server.
That, according to a security researcher, is a bug. And judging by how many people appeared surprised to find out about this solution on social media, the researcher isn’t alone in thinking this is not cool. Jonathan Leitschuh, a security engineer at open source coding platform Gradle, revealed the vulnerability on Monday, publishing not only details of how it works, but also two proof-of-concept exploits that people can use to test the bug on their own machines.
You can do the test yourself by clicking on this link created by Leitschuh: https://jlleitschuh.org/zoom_vulnerability_poc/
"All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running," Leitschuh says.
Others have created similar sites for testing purposes, such as zoomzeroday.com.
If you don’t have the Zoom app installed, visiting those links simply makes your Mac download the Zoom .pkg installer. That means you’re not vulnerable to these exploits. (Good pre-emptive OPSEC on your part.)
However, if you click on those links and the Zoom app launches and you auto-join a meeting and your camera turns on automatically, then hackers could—in theory—spy on you that way.
You can blame your boss for making you install Zoom but that may not be the best approach. And if you simply drag the Zoom app from your Applications folder to the Trash, and then click on Empty Trash, that likely won’t do it either. At least that didn’t work on my Mac computer.
Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Luckily, there are a few simple ways for you to mitigate this bug without waiting for Zoom to do it for you.
The easiest is to open your Zoom app and disable this feature. Open the Zoom app, open the Settings (by either clicking on the icon in the app or by clicking Preferences in the dropdown menu on the top left corner of your screen), click on Video, then under “Meetings” click on “Turn off my video when joining a meeting.”
That should do the trick, but if you prefer to use the Terminal, and you’re comfortable using commands, just follow the instructions Leitschuh wrote in his blog post. (Note: you may have to do this for every user on the machine unless you have administrative privileges on the computer you’re using.)
For me, it worked following Leitschuh’s step-by-step instructions.
First, open Terminal, paste this command and press enter:
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
To disable it for all users, do the same but with this command:
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
Then run this command:
lsof -i :19421
Look at the processes that are open. For example, on my machine it listed a process clearly related to Zoom. Then run this command:
kill -9 [process number]
And replace the brackets with the process number, for example: 3025. That means your next command is:
kill -9 3025
Verify this all worked by running this command again:
lsof -i :19421
If your Terminal doesn’t display the Zoom-related process, you’re good. Finally, to remove all the files for the Zoom web server application, run this:
rm -rf ~/.zoomus
And voilà. Now you can remove the main app too if you want.
To make sure the Zoom web server app doesn’t get installed again after you reboot, run this command:
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
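As an added example (not from the article or from Leitschuh’s post), here is a small bash audit script that checks the three things the steps above change: whether anything still listens on port 19421, whether ZDisableVideo is set for the current user, and whether ~/.zoomus has been replaced with the unwritable dummy file. It only reports and changes nothing; the parsing and permission-check helpers are my own, not Zoom’s tooling.

```bash
#!/usr/bin/env bash
# Added audit helper, not from the article or from Leitschuh's post. It reports
# on the mitigations described above and changes nothing on the machine.
ZOOM_PORT=19421               # port the ZoomOpener local web server listened on
ZOOMUS_DIR="$HOME/.zoomus"    # where the web server's files live
ZOOM_PLIST="$HOME/Library/Preferences/us.zoom.config.plist"

# Parse `lsof -i :PORT` output (on stdin) into "COMMAND PID" pairs for listening
# sockets only, skipping the header line. lsof truncates COMMAND to nine
# characters, so ZoomOpener shows up as "ZoomOpene".
parse_listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2 }'
}

# Return 0 if PATH is a regular file with mode 000: the dummy-file trick from the
# last command above, which stops the installer from recreating ~/.zoomus.
zoomus_is_blocked() {
  local path="$1" mode
  [ -f "$path" ] || return 1
  case "$(uname)" in
    Darwin) mode=$(stat -f '%Lp' "$path") ;;   # BSD stat: permission bits, octal
    *)      mode=$(stat -c '%a' "$path") ;;    # GNU stat equivalent
  esac
  [ "$mode" = "0" ]
}
audit_zoom() {
  local listeners
  listeners=$(lsof -i :"$ZOOM_PORT" 2>/dev/null | parse_listeners)
  if [ -n "$listeners" ]; then
    echo "Still listening on port $ZOOM_PORT (kill these PIDs):"
    echo "$listeners"
  else
    echo "Nothing listening on port $ZOOM_PORT"
  fi
  if [ "$(defaults read "$ZOOM_PLIST" ZDisableVideo 2>/dev/null)" = "1" ]; then
    echo "ZDisableVideo=1 is set for this user"
  else
    echo "ZDisableVideo is not set for this user"
  fi
  if zoomus_is_blocked "$ZOOMUS_DIR"; then
    echo "$ZOOMUS_DIR is the unwritable dummy file; the server cannot reinstall there"
  elif [ -d "$ZOOMUS_DIR" ]; then
    echo "$ZOOMUS_DIR is still a directory; the web server files are present"
  else
    echo "$ZOOMUS_DIR is absent"
  fi
}
# Only run the live audit on a Mac; the helper functions work anywhere.
if [ "$(uname)" = "Darwin" ]; then audit_zoom; fi
```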
If you want to be alerted when an app like Zoom turns on your camera, and you want to be extra paranoid, we recommend trying out Patrick Wardle’s OverSight, a free app that warns you when the camera on your Mac is turned on.