Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

Discussion in 'Mac Blog Discussion' started by MacRumors, Jul 9, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

    In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


    The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

    In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

    Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

    While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

    Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

    Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

    Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

    Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

    Article Link: Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]
     
  2. dannyyankou macrumors G3

    dannyyankou

    Joined:
    Mar 2, 2012
    Location:
    Scarsdale, NY
    #2
    Well that’s unfortunate, it’s an important app I use. And their excuse doesn’t make sense, Skype runs on the Mac and you don’t see stories like this.
     
  3. Unggoy Murderer macrumors 6502

    Joined:
    Jan 28, 2011
    Location:
    Edinburgh, Scotland
    #3
    So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
     
  4. Mansu944 macrumors 6502

    Joined:
    Mar 11, 2012
    #4
    “Oops, our bad.” I guess that’s an ok response.
     
  5. windywalks macrumors 6502

    Joined:
    Mar 12, 2004
    #5
    OK, so Zoom is going on my "never use again" pile.
    Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
     
  6. mw360, Jul 9, 2019
    Last edited: Jul 9, 2019

    mw360 macrumors 65832

    mw360

    Joined:
    Aug 15, 2010
    #6
    Is it just me, or do the writers here need to think about the phrase ‘zero day’ before deploying it in every article about vulnerabilities? We’re on day 91 at least, and there is yet to be an attack.

    Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
     
  7. orbital~debris, Jul 9, 2019
    Last edited: Jul 10, 2019

    orbital~debris macrumors 6502a

    orbital~debris

    Joined:
    Mar 3, 2004
    Location:
    England, UK, Europe
    #8
    More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
     
  8. rmt55 macrumors newbie

    Joined:
    Oct 3, 2015
    #9
    I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
     
  9. Return Zero macrumors 6502a

    Return Zero

    Joined:
    Oct 2, 2013
    Location:
    Kentucky
    #10
    When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
     
  10. horsebattery, Jul 9, 2019
    Last edited: Jul 9, 2019

    horsebattery macrumors 6502

    Joined:
    Sep 24, 2013
    #11
    1. Quit Zoom if it's currently running
    2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
    3. If Step 2 returns output, run kill <PID from step 1> (exclude the angle brackets, so your final command should be something like kill 12345)
    4. Uninstall the Zoom app
    Edit: Oops messed up the step number... and missed a colon in the lsof command :)
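An added check, not from this thread or from Zoom, that turns horsebattery's lsof/kill steps into a reusable script: it parses `lsof` output for port 19421 into the PIDs that hold a listening socket there, so you can confirm the background server is actually up before killing anything. The sample lsof output is constructed; the live function assumes `lsof` and `awk` are on the Mac.

```shell
#!/bin/sh
# Added example (not part of the thread): audit port 19421, the port
# horsebattery's lsof step checks for the Zoom local web server.

ZOOM_PORT=19421

# Constructed sample of `lsof -i :19421` output on a Mac where the
# background server is listening and one local client is connected.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
ZoomOpene 4242 alice    5u  IPv4 0xabc      0t0  TCP localhost:19421 (LISTEN)
ZoomOpene 4242 alice    7u  IPv4 0xabd      0t0  TCP localhost:19421->localhost:53211 (ESTABLISHED)'

# Constructed sample where only a client connection exists (no listener).
SAMPLE_LSOF_CLIENT_ONLY='COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
curl      5151 alice    3u  IPv4 0xabe      0t0  TCP localhost:53211->localhost:19421 (ESTABLISHED)'

# Every unique PID in lsof output read from stdin (header line skipped).
pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Only PIDs holding a LISTEN socket: a listener is what shows the server is up,
# an ESTABLISHED line alone may just be a client talking to it.
listening_pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ && $NF == "(LISTEN)" { print $2 }' | sort -u
}

# Live check on this machine: prints listener PIDs on the port, empty if none.
# -n/-P keep addresses and ports numeric so the parser sees a stable layout.
zoom_listener_pids() {
    lsof -nP -i TCP:"$ZOOM_PORT" 2>/dev/null | listening_pids_from_lsof
}

# Exit 0 when a listener exists, 1 otherwise; handy for a fleet-wide audit.
# Review the PIDs printed by zoom_listener_pids before running kill on them.
zoom_server_running() {
    [ -n "$(zoom_listener_pids)" ]
}
```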
     
  11. rmt55 macrumors newbie

    Joined:
    Oct 3, 2015
    #12
    Many thanks!
     
  12. mariusignorello macrumors 68000

    Joined:
    Jun 9, 2013
    #13
    You know, if they gave a decent reason it would at least be consoling to the user. Instead, it’s corporate babble attempting to excuse a security risk. And it also shows they don’t take security seriously.
     
  13. jerwin macrumors 68020

    Joined:
    Jun 13, 2015
    #14
    Ugh. An organization I belong to uses zoom for monthly tutorials.
     
  14. Sharewaredemon macrumors 68000

    Sharewaredemon

    Joined:
    May 31, 2004
    Location:
    Cape Breton Island
    #15
    In my experience a lot of names or phrases in technology don't make any sense. I see it as a huge reason why people still to this day don't know how to use their tools.
    Apple does a better job than most (or maybe all) but I still am constantly baffled at how confusing things are (not so much for me, but from the point of view of others).
    Just because I understand what zero day means, doesn't mean I can't agree with you that its name doesn't help someone understand what it means.
     
  15. johannnn macrumors 65816

    johannnn

    Joined:
    Nov 20, 2009
    Location:
    Sweden
    #16
    I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

    Unfortunately I don’t see how it will matter. We use it constantly in our +1000 employees company and I don’t see any other viable replacement.

    Last couple of years I’ve shifted more and more towards apps in the Mac App Store. I simply don’t trust anymore apps that require an admin password during installation, or random new apps from ProductHunt. Fewer apps means fewer attack vectors.
     
  16. jerwin macrumors 68020

    Joined:
    Jun 13, 2015
    #17
    doesn't really help that it's pronounced oh-day. :)

    But from the perspective of programming teams, it makes sense. It takes time to design, build, and test a security fix. Ideally, a programming team can fix the bugs before malicious actors start to exploit them, and the pool of exploitable users is limited to people who don't, or can't, update their software. A zero day exploit means that the programming team is fixing the bug as it is being exploited. They have zero lead time.

    http://bjorn.kuiper.nu/2013/10/09/origin_of_zero_day/
     
  17. konqerror macrumors 6502

    Joined:
    Dec 31, 2013
    #18
    I was expecting something like this. It's a straight copy of WebEx and GoToMeeting. (They seem to be maneuvering to be a copy of Skype for Business Online in the future.) Their sole innovation seems to be that they're a few bucks cheaper. Unfortunately, a few bucks is what many corporate IT departments base their decision on, not a reputation for quality and security.
     
  18. jfischer macrumors regular

    Joined:
    Aug 18, 2014
    #19
    Uninstalled. Not sure which company made me use this for a one-off meeting but will not install it again.
     
  19. thisisnotmyname macrumors 68000

    thisisnotmyname

    Joined:
    Oct 22, 2014
    Location:
    known but velocity indeterminate
    #20
    There are other players in that space. GotoMeeting and WebEx being the biggest. Depending on your participants you could also use Slack, Skype for Business, Microsoft Teams, etc... Getting your IT to adopt something else could be challenging but forwarding the linked article is a good first step.
     
  20. MallardDuck macrumors 6502

    Joined:
    Jul 21, 2014
    #21
    Let's see:

    Install hidden, insecure background server process
    Fail to remove it on uninstall
    Fail to disclose that you did so
    Fail to patch it when notified
    Defend your actions to work around security features to 'save users' one single click
    Destroy your brand and confidence in your solution shortly after going public

    Priceless.
     
  21. AJClayton macrumors 6502

    AJClayton

    Joined:
    Jan 9, 2007
    Location:
    Dorset, England
    #22
    I hadn't even heard of Zoom until a couple of months ago when one of my customers wanted to use it for meetings. Having read the article on Medium I have no faith in their software. Just because it's possible to do something, doesn't mean that you should do it! And then they release a statement justifying their methodology when they've clearly been caught out big time.

    I'm going to suggest to my customer that we use something else for future video calls, or I'll have to install Zoom under Parallels Desktop.
     
  22. Doug0915 macrumors newbie

    Joined:
    Jul 20, 2011
    #23
    I've been reading all the reports of this.

    It's concerning, but the verbiage and description in the titles of the reports don't seem to match the severity of this (lots of hand waving). More concerning is that things are being said which simply aren't true. For instance, one report said the web server can be commanded from the outside, which is simply false (it's loopback only).

    It's a concerning design issue, but this feels like an effort to depress the stock now that they are public in order to buy it again.
     
  23. MisterSavage macrumors 6502a

    MisterSavage

    Joined:
    Nov 10, 2018
    #24
    Wow. What a scummy implementation.

    On a related note, has anyone found a decent webcam cover for the iMac that isn't a sticker for when you don't want to use the webcam?
     
  24. AllergyDoc macrumors 65816

    AllergyDoc

    Joined:
    Mar 17, 2013
    Location:
    Utah, USA
    #25
    Removed it as per the article’s instructions.

    One thing’s not clear: Zoom can also be run from a Safari tab. Is the risk the same, or only for the app?
     