macrumors bot



A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Article Link: Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]
 
Well, that’s unfortunate; it’s an important app I use. And their excuse doesn’t make sense: Skype runs on the Mac and you don’t see stories like this.
 
Is it just me, or do the writers here need to think about the phrase ‘zero day’ before deploying it in every article about vulnerabilities? We’re on day 91 at least, and there is yet to be an attack.

Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
 
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
  1. Quit Zoom if it's currently running
  2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
  3. If Step 2 returns output, run kill <PID from step 2> (exclude the angle brackets, so your final command should be something like kill 12345)
  4. Uninstall the Zoom app
Edit: Oops messed up the step number... and missed a colon in the lsof command :)
 
  1. Quit Zoom if it's currently running
  2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
  3. If Step 2 returns output, run kill <PID from step 2> (exclude the angle brackets, so your final command should be something like kill 12345)
  4. Uninstall the Zoom app
Edit: Oops messed up the step number... and missed a colon in the lsof command :)
Many thanks!
 
You know, if they gave a decent reason it would at least be consoling to the user. Instead, it’s corporate babble attempting to excuse a security risk. And it also shows they don’t take security seriously.
 
Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
In my experience a lot of names or phrases in technology don't make any sense. I see it as a huge reason why people still to this day don't know how to use their tools.
Apple does a better job than most (or maybe all) but I still am constantly baffled at how confusing things are (not so much for me, but from the point of view of others).
Just because I understand what zero day means, doesn't mean I can't agree with you that its name doesn't help someone understand what it means.
 
I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

Unfortunately I don’t see how it will matter. We use it constantly in our 1000+ employee company and I don’t see any other viable replacement.

Over the last couple of years I’ve shifted more and more towards apps in the Mac App Store. I simply don’t trust apps that require an admin password during installation anymore, or random new apps from ProductHunt. Fewer apps means fewer attack vectors.
 
Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.

doesn't really help that it's pronounced oh-day. :)

But from the perspective of programming teams, it makes sense. It takes time to design, build, and test a security fix. Ideally, a programming team can fix the bugs before malicious actors start to exploit them, and the pool of exploitable users is limited to people who don't, or can't, update their software. A zero day exploit means that the programming team is fixing the bug as it is being exploited. They have zero lead time.

http://bjorn.kuiper.nu/2013/10/09/origin_of_zero_day/
 
I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

I was expecting something like this. It's a straight copy of WebEx and GoToMeeting. (They seem to be maneuvering to be a copy of Skype for Business Online in the future.) Their sole innovation seems to be that they're a few bucks cheaper. Unfortunately, a few bucks is what many corporate IT departments base their decision on, not a reputation for quality and security.
 
Uninstalled. Not sure which company made me use this for a one-off meeting but will not install it again.
 
I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

Unfortunately I don’t see how it will matter. We use it constantly in our 1000+ employee company and I don’t see any other viable replacement.

Over the last couple of years I’ve shifted more and more towards apps in the Mac App Store. I simply don’t trust apps that require an admin password during installation anymore, or random new apps from ProductHunt. Fewer apps means fewer attack vectors.

There are other players in that space. GotoMeeting and WebEx being the biggest. Depending on your participants you could also use Slack, Skype for Business, Microsoft Teams, etc... Getting your IT to adopt something else could be challenging but forwarding the linked article is a good first step.
 
Let's see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
 
I hadn't even heard of Zoom until a couple of months ago when one of my customers wanted to use it for meetings. Having read the article on Medium I have no faith in their software. Just because it's possible to do something, doesn't mean that you should do it! And then they release a statement justifying their methodology when they've clearly been caught out big time.

I'm going to suggest to my customer that we use something else for future video calls, or I'll have to install Zoom under Parallels Desktop.
 
I've been reading all the reports of this.

It's concerning, but the verbiage and description in the titles of the reports don't seem to match the severity of this (lots of hand waving). More concerning is that things are being said which simply aren't true. For instance, one report said the web server can be commanded from the outside, which is simply false (it's loopback only).

It's a concerning design issue, but this feels like an effort to depress the stock now that they are public in order to buy it again.
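An added example, not code from Zoom, from the Medium post, or from anyone in this thread. It does two things: it performs the `lsof -i :19421` check from the removal steps above in code, and it shows, with a stand-in loopback helper server, why "loopback only" does not keep web pages out and which checks a local helper should make before acting on a request. Assumptions: the `/launch` path, the `confno` and `token` parameter names, and the origins `zoom.example` and `attacker.example` are placeholders; only port 19421 comes from the thread.

```python
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

ZOOM_LOCAL_PORT = 19421  # the port inspected by the thread's lsof command


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """Code form of `lsof -i :19421`: is something accepting TCP connections
    on the loopback port?  Any web page open in a browser on this machine
    can reach the same address, so 'loopback only' is not a boundary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def allow_request(headers, query, token, port, allowed_origins):
    """Policy a local helper should enforce before acting on a request.
    headers: Host/Origin request headers; query: parse_qs() output;
    token: per-install random secret shared only with the real client."""
    # Host must name this loopback listener. A page can point its own
    # hostname at 127.0.0.1 (DNS rebinding); such requests fail here.
    if headers.get("Host", "") not in {f"localhost:{port}", f"127.0.0.1:{port}"}:
        return False
    # Browsers omit Origin on <img>/<script>/<iframe> GETs, so a missing
    # Origin proves nothing; a present but foreign Origin is refused.
    origin = headers.get("Origin")
    if origin is not None and origin not in allowed_origins:
        return False
    # Decisive check: a secret no third-party page can know. Side effects
    # happen before any CORS policy applies, so CORS alone cannot stop this.
    supplied = query.get("token", [""])[0]
    return secrets.compare_digest(supplied, token)


class OpenerHandler(BaseHTTPRequestHandler):
    """Stand-in for a one-click-join helper (placeholder path /launch)."""
    token = ""                    # set per server instance in run_demo()
    allowed_origins = frozenset()

    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        if url.path != "/launch":
            return self._reply(404, b"not found")
        if not allow_request(self.headers, query, self.token,
                             self.server.server_port, self.allowed_origins):
            return self._reply(403, b"forbidden")
        # A real helper would launch the meeting here; we only acknowledge.
        confno = query.get("confno", ["?"])[0]
        self._reply(200, f"would join meeting {confno}".encode())

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _get(url, headers):
    """GET url with the given headers and return the HTTP status code."""
    try:
        with urlopen(Request(url, headers=headers), timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo():
    """Run the hardened helper on an ephemeral loopback port and send it a
    drive-by request with an Origin header (fetch/XHR), a drive-by without
    one (<img src=...>), and a legitimate request carrying the token.
    Returns (listening, driveby_origin_status, driveby_img_status, legit_status)."""
    token = secrets.token_urlsafe(32)
    handler = type("DemoHandler", (OpenerHandler,),
                   {"token": token,
                    "allowed_origins": frozenset({"https://zoom.example"})})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}/launch?confno=123456789"
        return (port_is_listening(server.server_port),
                _get(base, {"Origin": "https://attacker.example"}),
                _get(base, {}),
                _get(f"{base}&token={token}", {"Origin": "https://zoom.example"}))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("something listening on 127.0.0.1:19421:", port_is_listening(ZOOM_LOCAL_PORT))
    print("(listening, drive-by w/ Origin, drive-by w/o Origin, legit):", run_demo())
```

Run it on a Mac with Zoom installed and the first line tells you whether the local server is still up (the same answer `lsof -i :19421` gives). The demo then shows the point the post above makes and the point it misses: the server is indeed reachable only from the machine itself, but a browser on that machine is "the machine itself", so the only thing that keeps an arbitrary page from driving the helper is a check the page cannot satisfy, here a per-install secret plus Host and Origin validation.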
 
Wow. What a scummy implementation.

On a related note, has anyone found a decent webcam cover for the iMac that isn't a sticker for when you don't want to use the webcam?
 
Removed it as per the article’s instructions.

One thing’s not clear: Zoom can also be run from a Safari tab. Is the risk the same, or only for the app?
 