The IT Nerd

Security researcher Jonathan Leitschuh has discovered a serious vulnerability with the highly popular Zoom Video Conferencing service. In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed. Which of course is not good. There was another issue that he discovered that allowed any web page to do a denial of service attack on the Mac. But that was patched leaving the original vulnerability in play. Leitschuh disclosed the problem to Zoom in late March and gave the company 90 days to fix the issue. But it wasn’t fixed and thus he’s going public.

But there’s more to this story. When you install Zoom on a Mac, it installs a localhost web server as a background process. The purpose of this web server is to accept requests regular browsers wouldn’t. Such as whatever Zoom needs to do to facilitate video conferencing. What gets my attention is that this service can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page. Which is very sketchy in my mind. That means that uninstalling Zoom won’t solve this issue. And it also sounds kind of malware like. 

Now you can mitigate this attack vector by disabling the setting that allows Zoom to turn on your Mac’s camera when joining a meeting. But the real fix is to uninstall everything related to Zoom and not use it at all. The  bottom of the Medium post includes a series of Macintosh Terminal commands that will uninstall the web server completely. I would strongly suggest that you go that route as that’s the best way to protect yourself.

Now what does Zoom have to say about this? Well in this ZDNet article, they had this to say:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

That to be blunt is total crap. They should be completely aware that now that this is public, there will be attacks inbound using this vulnerability. On top of that, the bad press from this is guaranteed to drive customers away from using their service. I’ve already had a few inquiries from clients of mine and my advice is simple. Don’t use Zoom for videoconferencing purposes until they can demonstrate that it is secure and they don’t need to do the sorts of things that they were caught doing so that their users can have a “seamless” experience.

UPDATE: In a blog post, Zoom says that there is no indication this vulnerability was ever taken advantage of because if a person did click on a malicious link, it would be readily apparent that a video call started (and thus their webcam was hijacked) because the Zoom client user interface runs in the foreground upon launch. Which may be true but isn’t the point anymore. The point is that they reacted poorly to this issue. Having said that, the company did say a fix was inbound. I’d love to know if that fix addresses all the issues that I raised in this article. Because if it doesn’t, I’ll continue to recommend that you avoid Zoom because of the potential risk that it poses.

This entry was posted on July 9, 2019 at 8:38 am and is filed under Commentary with tags Security, Zoom. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.