Vulnerability in Zoom could allow websites to hijack Mac webcams

9 Jul 2019

A video conference. Image: © .shock/Stock.adobe.com

Following the discovery of a vulnerability, Zoom promised to provide clear information for reporting security concerns on its website in the coming weeks.

On Monday (8 July), software engineer and cybersecurity researcher Jonathan Leitschuh published a blog post in which he highlighted a major zero-day vulnerability in remote video conferencing service Zoom, primarily affecting Mac users.

Leitschuh wrote: “This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.”

Leitschuh then added: “Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”

Zoom defended the local web server, telling ZDNet that it had deliberately designed the app to work this way as a “workaround” for changes in Safari 12 to create what it called “a legitimate solution to poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

From a security research point of view, this caused great concern for Leitschuh, who wrote: “Having an installed app running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me […] The fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me.”

Leitschuh then pointed out that this vulnerability was disclosed to Zoom on 26 March 2019, along with a description of a proposed ‘quick fix’ that Zoom could have implemented “by simply changing their server logic”.

After 10 days, Zoom confirmed the vulnerability but did not call a meeting to discuss patching the flaw until 11 June 2019, 18 days before the end of the 90-day public disclosure deadline, according to Leitschuh. Zoom’s suggested fix was ineffective, and Leitschuh warned the company that he could “easily spot and describe bypasses” to the company’s solution.

Leitschuh posted a timeline of his correspondence with Zoom, which opens with him requesting, on Twitter on 8 March, to speak to Zoom’s security team (and ultimately being ignored until he got in touch with the company on 26 March with a 90-day public disclosure deadline) and ends with today’s public disclosure.

Leitschuh concluded: “Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organisation of this profile and with such a large user base should have been more proactive in protecting their users from attack.”

Towards the end of Leitschuh’s post on Medium, he offered Zoom users a quick way of patching this vulnerability for themselves and advised them to keep an eye out for updates.

Zoom, which is based in San Jose, has had security flaws discovered in the past. In November 2018, a vulnerability was discovered that allowed attackers to remove attendees from meetings, spoof messages from users and hijack shared screens.

In response to Leitschuh’s blog post, Zoom noted that its website does not “provide clear information for reporting security concerns” and vowed to spend the next few weeks developing a public bug bounty programme, supplementing its existing private programme.

Kelly Earley was a journalist with Silicon Republic
