Jonathan Leitschuh, a US-based security researcher, publicly disclosed a major zero-day vulnerability in the Zoom video conferencing software on Monday. Leitschuh demonstrated that any website can start a video-enabled call through the Zoom software on a Mac by way of a local web server that the Zoom app installs.
According to a report by The Verge, the server accepts requests that a regular browser would not. The report further says that the server remains even after the Zoom software is uninstalled, and that it can reinstall Zoom without the user's consent. According to Leitschuh's findings, the Zoom software can be hijacked by any website, which can then force a Mac user to join a call with the webcam activated, without their permission, unless a specific setting is enabled.
In a Medium post published on Monday, Leitschuh demonstrated the flaw with a link that, when clicked, takes Mac users who have the Zoom app installed (or have installed it before) into a conference room with their webcams activated. He notes that this code can be embedded in any website, including malicious ads or a phishing campaign.
Leitschuh further writes that even if Mac users uninstall the Zoom app, the local web server remains and will “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”
The Verge said it tested the flaw using Leitschuh’s demo and confirmed that the issue does occur on clicking the link if Mac users have used the Zoom app and have not ticked a particular checkbox in its settings. The link auto-joins the user to a conference call with the webcam on.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
Leitschuh says he contacted Zoom on March 26 this year and told the company he would disclose the exploit publicly after 90 days. In his view, Zoom has not done enough to resolve the problem. He also disclosed the vulnerability to the Chromium and Mozilla teams, but since it is not a flaw in their browsers, there is little those developers can do about it.
To mitigate the issue, Leitschuh advises Mac users with the Zoom app installed to update it to the latest version and then tick the settings box ‘Turn off my video when joining a meeting’. He has also provided, in the Medium post, a series of commands that disable the local web server and prevent it from reinstalling Zoom.
Following the public disclosure, Zoom said in a statement to The Verge and ZDNet that it built the local web server to save Mac users some clicks after Apple changed Safari so that users must confirm they want to launch Zoom every single time. The Verge reports that Zoom defended the workaround as a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
According to the report, Zoom said it will make a minor change to the app: starting in July, the app will save the user’s and administrator’s preference for whether video is turned on when they first join a call.
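As an added illustration, not code from Zoom or from Leitschuh's post: a minimal Python model of a localhost helper server of the kind described above, contrasting the flawed design (acting on any page's request with the camera on) with a hardened one that checks the browser's Origin header against an allowlist, requires a per-install secret, and takes the camera state from a stored preference that defaults to off. The origin, token, port and preference name are assumptions for the example.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

ALLOWED_ORIGINS = {"https://helper.example"}   # hypothetical first-party origin
INSTALL_TOKEN = secrets.token_urlsafe(16)      # constructed; a real helper persists it per install
USER_PREFS = {"video_on_join": False}          # safe default: camera off until the user opts in

def permissive_decision(origin, query):
    """The flawed design: any page's request launches a call with the camera on."""
    return {"launch": True, "video": True, "reason": "no checks"}

def hardened_decision(origin, query, allowed=ALLOWED_ORIGINS,
                      token=INSTALL_TOKEN, prefs=USER_PREFS):
    """Refuse unless the request provably came from a trusted first-party page."""
    if origin is None:
        # Top-level navigations and <img>/<script> loads may carry no Origin
        # header; with nothing to verify, the safe answer is to refuse.
        return {"launch": False, "video": False, "reason": "missing Origin"}
    if origin not in allowed:
        return {"launch": False, "video": False, "reason": "untrusted Origin"}
    supplied = query.get("token", [""])[0]
    if not secrets.compare_digest(supplied.encode(), token.encode()):
        return {"launch": False, "video": False, "reason": "bad token"}
    # Camera state follows the stored preference, never the requesting page.
    return {"launch": True, "video": bool(prefs["video_on_join"]), "reason": "ok"}

class HelperHandler(BaseHTTPRequestHandler):
    """Loopback HTTP handler wiring the hardened decision to real requests."""
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        decision = hardened_decision(self.headers.get("Origin"), query)
        self.send_response(200 if decision["launch"] else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(decision["reason"].encode())

if __name__ == "__main__":
    # Bind to loopback only; the port is a placeholder, not one from the article.
    HTTPServer(("127.0.0.1", 8765), HelperHandler).serve_forever()
```

With the hardened handler, a page that merely links to or embeds the local URL gets a 403, and even a trusted page cannot turn the camera on unless the user's stored preference allows it.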