Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,411
8,787



A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DoS (denial of service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can protect themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Article Link: Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]
 

dannyyankou

macrumors G3
Mar 2, 2012
8,665
12,761
Scarsdale, NY
Well that’s unfortunate; it’s an important app I use. And their excuse doesn’t make sense: Skype runs on the Mac and you don’t see stories like this.
 

mw360

macrumors 68000
Aug 15, 2010
1,538
1,291
Is it just me, or do the writers here need to think about the phrase ‘zero day’ before deploying it in every article about vulnerabilities? We’re on day 91 at least, and there is yet to be an attack.

Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
 

horsebattery

macrumors 6502
Sep 24, 2013
304
306
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
  1. Quit Zoom if it's currently running
  2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
  3. If Step 2 returns output, run kill <PID from step 2> (exclude the angle brackets, so your final command should be something like kill 12345)
  4. Uninstall the Zoom app
Edit: Oops messed up the step number... and missed a colon in the lsof command :)
 
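As an added example (not code from this thread, from Leitschuh's post, or from Zoom), here is a small POSIX sh script that wraps the lsof/kill steps above into reusable checks. Besides listing the PIDs behind port 19421, it reports whether the listener is bound to loopback or to all interfaces, which bears on the "loopback only" point raised later in the thread. The sample lsof output embedded in it is constructed for illustration; the process name ZoomOpener and the PID 12345 are assumptions, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit helpers for the local web server Zoom leaves behind.
# Port 19421 is the one given in the thread; everything else here is illustrative.

ZOOM_PORT=19421

# Constructed sample of what `lsof -nP -iTCP:19421 -sTCP:LISTEN` might print.
# Assumption: process name ZoomOpener (truncated by lsof) and PID 12345.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 12345 alice    7u  IPv4 0x1234      0t0  TCP 127.0.0.1:19421 (LISTEN)'

# Print the PID column of every data row in lsof output read from stdin,
# one per line, de-duplicated (a process can hold several sockets).
lsof_pids() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Classify the listener on port $1 in lsof output read from stdin:
#   loopback        every LISTEN socket on that port is 127.x or [::1]
#   all-interfaces  at least one LISTEN socket is bound to * or a LAN address
#   none            nothing is listening on that port
# Note: "loopback" does NOT make the server unreachable from a web page;
# the browser runs on the same host, which is exactly the article's point.
listener_scope() {
    awk -v port="$1" '
        NR > 1 && $(NF-1) ~ (":" port "$") && $NF == "(LISTEN)" {
            if ($(NF-1) ~ /^(127\.|\[::1\]|localhost)/) {
                if (scope == "") scope = "loopback"
            } else {
                scope = "all-interfaces"
            }
        }
        END { print (scope == "" ? "none" : scope) }'
}

# Live query of the real machine. Exit status 0 means something is listening.
zoom_server_running() {
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1
}

# Live: send SIGTERM to every process listening on the port (steps 2 and 3 above).
stop_zoom_server() {
    pids=$(lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null | lsof_pids)
    if [ -z "$pids" ]; then
        echo "nothing listening on port $ZOOM_PORT"
        return 1
    fi
    for p in $pids; do
        kill "$p" && echo "sent SIGTERM to PID $p"
    done
}

# Offline demonstration on the constructed sample.
echo "PIDs in sample output:"
printf '%s\n' "$SAMPLE_LSOF" | lsof_pids
echo "Binding scope in sample output: $(printf '%s\n' "$SAMPLE_LSOF" | listener_scope "$ZOOM_PORT")"

# Live audit only when explicitly requested, so the script is safe to run blind.
if [ "${ZOOM_AUDIT_LIVE:-0}" = "1" ]; then
    if zoom_server_running; then
        live=$(lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null)
        echo "Live listener scope: $(printf '%s\n' "$live" | listener_scope "$ZOOM_PORT")"
        stop_zoom_server
    else
        echo "No live listener on port $ZOOM_PORT"
    fi
fi
```

Run it as-is to see the parsing on the sample, or with `ZOOM_AUDIT_LIVE=1 sh zoom_audit.sh` to check and stop a real listener. Two caveats: `kill` only stops the running instance, so whatever starts the server at login may bring it back, and you should repeat the check after a reboot; and the scope check is only diagnostic, since the article's whole point is that a page loaded in your own browser can reach a loopback-only port.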

rmt55

macrumors newbie
Oct 3, 2015
8
4
  1. Quit Zoom if it's currently running
  2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
  3. If Step 2 returns output, run kill <PID from step 2> (exclude the angle brackets, so your final command should be something like kill 12345)
  4. Uninstall the Zoom app
Edit: Oops messed up the step number... and missed a colon in the lsof command :)
Many thanks!
 

mariusignorello

macrumors 68000
Jun 9, 2013
1,599
1,998
You know, if they gave a decent reason it would at least be consoling to the user. Instead, it’s corporate babble attempting to excuse a security risk. And it also shows they don’t take security seriously.
 

Sharewaredemon

macrumors 68000
May 31, 2004
1,927
83
Cape Breton Island
Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
In my experience a lot of names or phrases in technology don't make any sense. I see it as a huge reason why people still to this day don't know how to use their tools.
Apple does a better job than most (or maybe all) but I still am constantly baffled at how confusing things are (not so much for me, but from the point of view of others).
Just because I understand what zero day means, doesn't mean I can't agree with you that its name doesn't help someone understand what it means.
 

johannnn

macrumors 65816
Nov 20, 2009
1,427
816
Sweden
I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

Unfortunately I don’t see how it will matter. We use it constantly in our 1000+ employee company and I don’t see any other viable replacement.

Over the last couple of years I’ve shifted more and more towards apps in the Mac App Store. I simply no longer trust apps that require an admin password during installation, or random new apps from ProductHunt. Fewer apps means fewer attack vectors.
 

jerwin

macrumors 68020
Jun 13, 2015
2,478
4,457
Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
doesn't really help that it's pronounced oh-day. :)

But from the perspective of programming teams, it makes sense. It takes time to design, build, and test a security fix. Ideally, a programming team can fix the bugs before malicious actors start to exploit them, and the pool of exploitable users is limited to people who don't, or can't, update their software. A zero-day exploit means that the programming team is fixing the bug as it is being exploited. They have zero lead time.

http://bjorn.kuiper.nu/2013/10/09/origin_of_zero_day/
 

konqerror

macrumors 65816
Dec 31, 2013
1,082
1,913
I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.
I was expecting something like this. It's a straight copy of WebEx and GoToMeeting. (They seem to be maneuvering to be a copy of Skype for Business Online in the future.) Their sole innovation seems to be that they're a few bucks cheaper. Unfortunately, a few bucks is what many corporate IT departments base their decision on, not a reputation for quality and security.
 

jfischer

macrumors regular
Aug 18, 2014
151
53
Uninstalled. Not sure which company made me use this for a one-off meeting but will not install it again.
 

thisisnotmyname

macrumors 68020
Oct 22, 2014
2,204
4,613
known but velocity indeterminate
I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

Unfortunately I don’t see how it will matter. We use it constantly in our 1000+ employee company and I don’t see any other viable replacement.

Over the last couple of years I’ve shifted more and more towards apps in the Mac App Store. I simply no longer trust apps that require an admin password during installation, or random new apps from ProductHunt. Fewer apps means fewer attack vectors.
There are other players in that space. GotoMeeting and WebEx being the biggest. Depending on your participants you could also use Slack, Skype for Business, Microsoft Teams, etc... Getting your IT to adopt something else could be challenging but forwarding the linked article is a good first step.
 

MallardDuck

macrumors 6502
Jul 21, 2014
382
687
Let's see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
 

AJClayton

macrumors 6502a
Jan 9, 2007
559
315
Dorset, England
I hadn't even heard of Zoom until a couple of months ago, when one of my customers wanted to use it for meetings. Having read the article on Medium, I have no faith in their software. Just because it's possible to do something doesn't mean that you should do it! And then they release a statement justifying their methodology when they've clearly been caught out big time.

I'm going to suggest to my customer that we use something else for future video calls, or I'll have to install Zoom under Parallels Desktop.
 

Doug0915

macrumors newbie
Jul 20, 2011
29
12
I've been reading all the reports of this.

It's concerning, but the verbiage and description in the titles of the reports don't seem to match the severity of this (lots of hand waving). More concerning is that things are being said which simply aren't true. For instance, one report said the web server can be commanded from the outside, which is simply false (it's loopback only).

It's a concerning design issue, but this feels like an effort to depress the stock now that they are public in order to buy it again.
 

MisterSavage

macrumors 68000
Nov 10, 2018
1,707
1,393
Wow. What a scummy implementation.

On a related note, has anyone found a decent webcam cover for the iMac that isn't a sticker for when you don't want to use the webcam?
 

AllergyDoc

macrumors 68000
Mar 17, 2013
1,558
3,431
Utah, USA
Removed it as per the article’s instructions.

One thing’s not clear: Zoom can also be run from a Safari tab. Is the risk the same, or only for the app?