Zoom Has A Serious Vulnerability That Can Trigger Video Calls With Almost Zero User Interaction

Security researcher Jonathan Leitschuh has discovered a serious vulnerability in the highly popular Zoom video conferencing service. In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed, which of course is not good. He also discovered another issue that allowed any web page to carry out a denial-of-service attack on the Mac, but that was patched, leaving the original vulnerability in play. Leitschuh disclosed the problem to Zoom in late March and gave the company 90 days to fix the issue. It wasn’t fixed, and thus he’s going public.

But there’s more to this story. When you install Zoom on a Mac, it installs a localhost web server as a background process. The purpose of this web server is to accept requests regular browsers wouldn’t, such as whatever Zoom needs to do to facilitate video conferencing. What gets my attention is that this service can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page, which is very sketchy in my mind. That means that uninstalling Zoom won’t solve this issue. And it also sounds kind of malware-like.

Now you can mitigate this attack vector by disabling the setting that allows Zoom to turn on your Mac’s camera when joining a meeting. But the real fix is to uninstall everything related to Zoom and not use it at all. The bottom of the Medium post includes a series of Macintosh Terminal commands that will uninstall the web server completely. I would strongly suggest that you go that route as that’s the best way to protect yourself.
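A way to check from Terminal whether a background process is still listening on localhost after an uninstall, shown as an added example that is not from this post, the Medium post or Zoom. It filters the output of `lsof -nP -iTCP -sTCP:LISTEN`; the process names, PIDs and ports in the sample are constructed, and the function names are my own.

```shell
#!/bin/sh
# On a Mac, feed the filter live data with:
#   lsof -nP -iTCP -sTCP:LISTEN | loopback_listeners

# Constructed sample in `lsof -nP -iTCP -sTCP:LISTEN` format.
# Process names, PIDs and ports are made up for illustration.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
netsvc    412 alice   4u  IPv4 0xa1      0t0  TCP *:49152 (LISTEN)
exhelper  733 alice   8u  IPv4 0xb2      0t0  TCP 127.0.0.1:18080 (LISTEN)
exhelper  733 alice   9u  IPv6 0xb3      0t0  TCP [::1]:18080 (LISTEN)
postgres  901 alice   5u  IPv4 0xc4      0t0  TCP 127.0.0.1:5432 (LISTEN)'

# Reads lsof output on stdin and prints "command pid port" once per
# loopback-only listener (IPv4 and IPv6 entries for one port are merged).
loopback_listeners() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }   # skip the header row
        $NF != "(LISTEN)"          { next }   # listening sockets only
        {
            addr = $(NF - 1)                  # e.g. 127.0.0.1:18080
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]") next
            key = $1 " " $2 " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Same filter, minus processes already accounted for.
# $1 is a space-separated allowlist of command names.
unexpected_listeners() {
    allow=" $1 "
    loopback_listeners | while read -r cmd pid port; do
        case "$allow" in
            *" $cmd "*) ;;                    # known, skip
            *) printf '%s %s %s\n' "$cmd" "$pid" "$port" ;;
        esac
    done
}
```

Anything `unexpected_listeners` still prints after an application has been removed is a leftover local server worth tracing back to its launch item.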

Now what does Zoom have to say about this? Well, in this ZDNet article, they had this to say:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

That, to be blunt, is total crap. They should be completely aware that now that this is public, there will be attacks inbound using this vulnerability. On top of that, the bad press from this is guaranteed to drive customers away from using their service. I’ve already had a few inquiries from clients of mine and my advice is simple. Don’t use Zoom for videoconferencing purposes until they can demonstrate that it is secure and they don’t need to do the sorts of things that they were caught doing so that their users can have a “seamless” experience.

UPDATE: In a blog post, Zoom says that there is no indication this vulnerability was ever taken advantage of because if a person did click on a malicious link, it would be readily apparent that a video call started (and thus their webcam was hijacked) because the Zoom client user interface runs in the foreground upon launch. Which may be true but isn’t the point anymore. The point is that they reacted poorly to this issue. Having said that, the company did say a fix was inbound. I’d love to know if that fix addresses all the issues that I raised in this article. Because if it doesn’t, I’ll continue to recommend that you avoid Zoom because of the potential risk that it poses.

5 Responses to “Zoom Has A Serious Vulnerability That Can Trigger Video Calls With Almost Zero User Interaction”

  1. […] I wrote about a pretty bad vulnerability with the Zoom videoconferencing product where a malicious web page could …. On top of that it was also discovered that when you install Zoom on a Mac, it installs a web […]

  2. […] guess that Apple felt that the security risks posed by the Zoom video conferencing software and the response by Zoom to fix the issue was too great to ignore as TechCrunch is reporting that […]

  3. […] who have had a couple of issues this week that made the news, which did get fixed by Zoom and Apple, now may be having their competitors throw some shade on […]

  4. […] According to The Verge, Apple has pushed a second silent security update to Macs via their XProtect functionality to address further vulnerabilities related to the Zoom video conferencing app for macOS which I reported on last week. […]

  5. […] company that has more marketing sense than security sense. This is the same company that got caught with a serious flaw that enabled video calls with zero interaction on the Mac, which they sort of fixed. But it […]
