Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

Discussion in 'Mac Blog Discussion' started by MacRumors, Jul 9, 2019.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

    In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


    The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

    In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DoS (denial of service) a Mac by repeatedly joining the user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

    Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

    While we wait for the Zoom developers to do something about the vulnerability, users can protect themselves by disabling the setting that allows Zoom to turn on the Mac's camera when joining a meeting. Note that this only keeps the camera off: a malicious page can still force the Zoom client to open and join a meeting.

    Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

    Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

    Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

    Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

    Article Link: Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]
  2. dannyyankou macrumors G3


    Mar 2, 2012
    Scarsdale, NY
    Well, that’s unfortunate; it’s an important app I use. And their excuse doesn’t make sense: Skype runs on the Mac and you don’t see stories like this.
  3. Unggoy Murderer macrumors 6502

    Jan 28, 2011
    Edinburgh, Scotland
    So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
  4. Mansu944 macrumors 6502

    Mar 11, 2012
    “Oops, our bad.” I guess that’s an ok response.
  5. windywalks macrumors 6502

    Mar 12, 2004
    OK, so Zoom is going on my "never use again" pile.
    Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
  6. mw360, Jul 9, 2019
    Last edited: Jul 9, 2019

    mw360 macrumors 65832


    Aug 15, 2010
    Is it just me, or do the writers here need to think about the phrase ‘zero day’ before deploying it in every article about vulnerabilities? We’re on day 91 at least, and there is yet to be an attack.

    Update: okay it is just me. I wasn’t aware ‘zero day vulnerability’ could mean an unknown or unpatched vulnerability. Still, it seems like a redundant phrase in most contexts, including this one.
  7. orbital~debris, Jul 9, 2019
    Last edited: Jul 10, 2019

    orbital~debris macrumors 6502a


    Mar 3, 2004
    England, UK, Europe
    More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
  8. rmt55 macrumors newbie

    Oct 3, 2015
    I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
  9. Return Zero macrumors 6502a

    Return Zero

    Oct 2, 2013
    When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
  10. horsebattery, Jul 9, 2019
    Last edited: Jul 9, 2019

    horsebattery macrumors 6502

    Sep 24, 2013
    1. Quit Zoom if it's currently running
    2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
    3. If Step 2 returns output, run kill <PID from step 1> (exclude the angle brackets, so your final command should be something like kill 12345)
    4. Uninstall the Zoom app
    Edit: Oops messed up the step number... and missed a colon in the lsof command :)
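The script below is an added example for this thread, not code from the article, from Leitschuh's Medium post, or from Zoom. It turns the article's description (a hidden local web server that a visited webpage can reach) and horsebattery's manual steps into one shell script: it parses `lsof` output for the port given in the steps above (19421), checks whether every listener on that port is bound to a loopback address (the "loopback only" point raised later in the thread), and terminates the listeners. Assumptions: the port is the one from the thread, `lsof` is available (it ships with macOS), and the two sample `lsof` outputs embedded in the script are constructed; the process name in them is invented for illustration.

```shell
#!/bin/sh
# Added example for this thread (not from the article, the Medium post, or Zoom).
# Finds the hidden local web server by the port given in the thread, checks that
# it is bound to loopback only, and stops it. Assumptions: TCP port 19421, and
# `lsof` present (it ships with macOS). The sample lsof output below is
# constructed; the process name in it is invented for illustration.

ZOOM_PORT=19421

# Constructed sample of `lsof -nP -iTCP:19421 -sTCP:LISTEN` output on a Mac
# where the server is running (macOS lsof truncates COMMAND to nine characters).
SAMPLE_LOOPBACK='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 12345 alice    6u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  TCP 127.0.0.1:19421 (LISTEN)'

# Constructed sample of the same server bound to every interface, which would
# contradict the "loopback only" claim made later in the thread.
SAMPLE_EXPOSED='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 12345 alice    6u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  TCP *:19421 (LISTEN)'

# Read lsof output on stdin and print one listener PID per line.
# The first line is the column header; the PID is the second column.
pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Read lsof output on stdin. Exit 0 if every (LISTEN) socket is bound to a
# loopback address (127.0.0.1, [::1] or localhost), 1 otherwise.
listeners_are_loopback_only() {
    awk '
        NR > 1 && $NF == "(LISTEN)" {
            addr = $(NF - 1)                  # e.g. 127.0.0.1:19421 or *:19421
            sub(/:[0-9]+$/, "", addr)         # drop the port
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "localhost")
                exposed = 1
        }
        END { exit (exposed ? 1 : 0) }'
}

# Live query: PIDs currently listening on $ZOOM_PORT (empty if none, or no lsof).
live_listener_pids() {
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null | pids_from_lsof
}

# Stop every listener: TERM first, then KILL for any that survive two seconds.
# Stopping the process is not the same as uninstalling it; whatever relaunches
# it at login still has to be removed (the Medium post's Terminal commands
# cover that).
stop_zoom_server() {
    pids=$(live_listener_pids)
    if [ -z "$pids" ]; then
        echo "nothing is listening on :$ZOOM_PORT"
        return 0
    fi
    for pid in $pids; do
        kill "$pid" 2>/dev/null && echo "sent TERM to $pid"
    done
    sleep 2
    for pid in $pids; do
        if kill -0 "$pid" 2>/dev/null; then
            kill -9 "$pid" 2>/dev/null && echo "sent KILL to $pid"
        fi
    done
}

# Report on the live machine, then stop the server. Only runs with --run, so the
# functions above can be sourced or tested without signalling any process.
if [ "${1:-}" = "--run" ]; then
    out=$(lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null)
    if [ -z "$out" ]; then
        echo "no listener on :$ZOOM_PORT"
    elif printf '%s\n' "$out" | listeners_are_loopback_only; then
        echo "listener on :$ZOOM_PORT is loopback only"
    else
        echo "WARNING: listener on :$ZOOM_PORT is bound to a non-loopback address"
    fi
    stop_zoom_server
fi
```

Run it as `sh zoom_check.sh --run` on the Mac in question. The script keys on the port rather than a process name, so it also catches a renamed copy of the server, but it deliberately does not delete anything: the article's point that uninstalling the app is not enough applies here too, and the relaunch mechanism still has to be removed by hand.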
  11. rmt55 macrumors newbie

    Oct 3, 2015
    Many thanks!
  12. mariusignorello macrumors 68000

    Jun 9, 2013
    You know, if they gave a decent reason it would at least be consoling to the user. Instead, it’s corporate babble attempting to excuse a security risk. And it also shows they don’t take security seriously.
  13. jerwin macrumors 68020

    Jun 13, 2015
    Ugh. An organization I belong to uses zoom for monthly tutorials.
  14. Sharewaredemon macrumors 68000


    May 31, 2004
    Cape Breton Island
    In my experience a lot of names or phrases in technology don't make any sense. I see it as a huge reason why people still to this day don't know how to use their tools.
    Apple does a better job than most (or maybe all) but I still am constantly baffled at how confusing things are (not so much for me, but from the point of view of others).
    Just because I understand what zero day means, doesn't mean I can't agree with you that its name doesn't help someone understand what it means.
  15. johannnn macrumors 65816


    Nov 20, 2009
    I’m no security guy (although I care a lot about it), but from reading the Medium article I get the sense that Zoom has very ****** engineers.

    Unfortunately I don’t see how it will matter. We use it constantly in our +1000 employees company and I don’t see any other viable replacement.

    Last couple of years I’ve shifted more and more towards apps in the Mac App Store. I simply don’t trust apps that require an admin password during installation anymore, or random new apps from ProductHunt. Fewer apps means fewer attack vectors.
  16. jerwin macrumors 68020

    Jun 13, 2015
    doesn't really help that it's pronounced oh-day. :)

    But from the perspective of programming teams, it makes sense. It takes time to design, build, and test a security fix. Ideally, a programming team can fix the bugs before malicious actors start to exploit them, and the pool of exploitable users is limited to people who don't, or can't update their software. A zero day exploit means that the programming team is fixing the bug as it is being exploited. They have zero leadtime.
  17. konqerror macrumors 6502

    Dec 31, 2013
    I was expecting something like this. It's a straight copy of WebEx and GoToMeeting. (They seem to be maneuvering to be a copy of Skype for Business Online in the future.) Their sole innovation seems to be that they're a few bucks cheaper. Unfortunately, a few bucks is what many corporate IT departments base their decision on, not a reputation for quality and security.
  18. jfischer macrumors regular

    Aug 18, 2014
    Uninstalled. Not sure which company made me use this for a one-off meeting but will not install it again.
  19. thisisnotmyname macrumors 68000


    Oct 22, 2014
    known but velocity indeterminate
    There are other players in that space. GotoMeeting and WebEx being the biggest. Depending on your participants you could also use Slack, Skype for Business, Microsoft Teams, etc... Getting your IT to adopt something else could be challenging but forwarding the linked article is a good first step.
  20. MallardDuck macrumors 6502

    Jul 21, 2014
    Let's see:

    Install hidden, insecure background server process
    Fail to remove it on uninstall
    Fail to disclose that you did so
    Fail to patch it when notified
    Defend your actions to work around security features to 'save users' one single click
    Destroy your brand and confidence in your solution shortly after going public

  21. AJClayton macrumors 6502


    Jan 9, 2007
    Dorset, England
    I hadn't even heard of Zoom until a couple of months ago when one of my customers wanted to use it for meetings. Having read the article on Medium I have no faith in their software. Just because it's possible to do something, doesn't mean that you should do it! And then they release a statement justifying their methodology when they've clearly been caught out big time.

    I'm going to suggest to my customer that we use something else for future video calls, or I'll have to install Zoom under Parallels Desktop.
  22. Doug0915 macrumors newbie

    Jul 20, 2011
    I've been reading all the reports of this.

    It's concerning, but the verbiage and description in the titles of the reports don't seem to match the severity of this (lots of hand waving). More concerning is that things are being said which simply aren't true. For instance, one report said the web server can be commanded from the outside, which is simply false (it's loopback only).

    It's a concerning design issue, but this feels like an effort to depress the stock now that they are public in order to buy it again.
  23. MisterSavage macrumors 6502a


    Nov 10, 2018
    Wow. What a scummy implementation.

    On a related note, has anyone found a decent webcam cover for the iMac that isn't a sticker for when you don't want to use the webcam?
  24. AllergyDoc macrumors 65816


    Mar 17, 2013
    Utah, USA
    Removed it as per the article’s instructions.

    One thing’s not clear: Zoom can also be run from a Safari tab. Is the risk the same, or only for the app?
