Posted on July 10, 2019 at 1:04 PM
According to a recent disclosure by security researcher Jonathan Leitschuh, those who use the Zoom video conferencing app on a Mac may be in danger of having their device hijacked. The danger comes from a security flaw that was only revealed to the public recently.
What is the problem?
According to Leitschuh’s explanation, the flaw exploits a weakness in Zoom’s architecture. The app is known by many for its simple and fast click-to-join option: all someone needs to do is click a link in the browser, and they are taken directly into a video meeting in Zoom’s app. However, according to Leitschuh’s Medium post, this is done in a very poorly secured way. Because of the flaw he discovered, anyone could be pulled into a call without having given permission. Worse yet, the call might even activate the user’s webcam without their approval, or even their knowledge.
Even that is not the end of it: a webpage could also mount a denial-of-service (DoS) attack by repeatedly forcing the user’s Zoom client to join an invalid call.
So, why is this a problem? Why not just uninstall Zoom and be done with it? Because uninstalling Zoom will not fix the problem. According to Leitschuh, Zoom achieves its highly useful click-to-join feature by installing a web server on your Mac. Uninstalling the app does not uninstall the web server. Worse, if you delete the app, the web server will reinstall it, and it will do so without your permission or awareness.
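One practical consequence of that design is that removing the Zoom app tells you nothing about whether the helper web server is gone. The script below is an added example for this article, not Zoom’s code and not part of Leitschuh’s disclosure: it parses the output of the macOS command `lsof -nP -iTCP -sTCP:LISTEN` and flags processes that listen only on the loopback interface and are not explained by an app you expect to be running. The process names, PIDs and ports in the embedded sample are constructed placeholders, not values taken from the disclosure; on a real Mac you would replace the sample with the live output of `run_lsof()`.

```python
"""Audit loopback TCP listeners on a Mac from `lsof` output (added example).

A helper that survives the removal of its parent app shows up as a process
listening on 127.0.0.1 that no installed application accounts for.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

# One row of `lsof -nP -iTCP -sTCP:LISTEN`. The COMMAND column may contain
# spaces, so it is matched non-greedily up to the numeric PID column.
_LSOF_ROW = re.compile(
    r"^(?P<cmd>.+?)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\bTCP\s+"
    r"(?P<addr>\S+)\s+\(LISTEN\)\s*$"
)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    host: str
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when only software on this machine (e.g. a browser) can reach the port."""
        return self.host in LOOPBACK_HOSTS


def parse_listeners(lsof_output: str) -> List[Listener]:
    """Turn lsof rows into Listener records; the header and non-TCP rows are skipped."""
    found = []
    for line in lsof_output.splitlines():
        m = _LSOF_ROW.match(line)
        if not m:
            continue
        host, _, port = m.group("addr").rpartition(":")
        found.append(Listener(m.group("cmd"), int(m.group("pid")),
                              m.group("user"), host, int(port)))
    return found


def unexplained_local_servers(listeners: Iterable[Listener],
                              expected_commands: Iterable[str]) -> List[Listener]:
    """Loopback listeners whose process name is not on the allowlist.

    Wildcard-bound services are left out on purpose: they are reachable from the
    network and show up in ordinary firewall audits. The class of thing described in
    the article is a server that only a local browser can talk to."""
    allow = {c.lower() for c in expected_commands}
    return [l for l in listeners if l.loopback_only and l.command.lower() not in allow]


def run_lsof() -> str:
    """Collect live data on a Mac (real lsof flags; not exercised by the sample run)."""
    return subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample in lsof's column layout. Names, PIDs and ports are placeholders.
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ExampleHelper 512 alice    6u  IPv4 0xabc0000000000001      0t0  TCP 127.0.0.1:55555 (LISTEN)
sshd          201  root    4u  IPv6 0xabc0000000000002      0t0  TCP *:22 (LISTEN)
Some App      777 alice   12u  IPv4 0xabc0000000000003      0t0  TCP 127.0.0.1:8080 (LISTEN)
"""

if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_LSOF)
    for l in unexplained_local_servers(listeners, expected_commands=["Some App"]):
        print(f"loopback server not explained by an installed app: "
              f"{l.command} (pid {l.pid}, user {l.user}) on port {l.port}")
```

Anything the script flags is worth tracing back to its executable (`ps -p <pid> -o comm=` and the path it was launched from) before deciding whether it belongs to software you still use; the allowlist is only as good as your knowledge of what should be running.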
Of course, Zoom made all of this possible in the first place with the aim of giving users a better experience. The poor user experience the app offered before led them to make changes, apply patches, and more, all to make seamless one-click meetings possible, easy, and enjoyable.
Leitschuh does not seem convinced by that, however. He argues that an installed app running a web server on users’ local machines, with a completely undocumented API, feels extremely sketchy. Further, the fact that websites can interact with this web server without the user even knowing about it is most certainly a red flag. Zoom’s decisions have left millions in a vulnerable spot, open to attack.
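To make concrete what “websites can interact with the web server” means, and what the missing control looks like, here is an added illustration written for this article (not Zoom’s code and not taken from the Medium post) of a loopback helper server decided two ways. The permissive decision function serves whoever reaches the port, which is the property the article describes: any page the user visits can make the browser request http://127.0.0.1:<port>/join. The hardened one refuses requests that carry a foreign Origin and demands a per-install secret in a custom header, which a web page can only attach through a CORS preflight that the server never approves. The header name, the endpoint path and the allowed origin are assumptions of the example; it addresses only the website-interaction point, not the separate problem of a server that persists after uninstall.

```python
"""Added example: a loopback helper server that does not take orders from arbitrary websites.

Not Zoom's code. Header name, endpoint path and the allowed origin are assumptions.
"""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Tuple

# A secret minted once per installation and handed only to the vendor's own UI
# (assumption of this design); a foreign web page has no way to learn it.
INSTALL_TOKEN = secrets.token_urlsafe(32)
TOKEN_HEADER = "X-Local-Token"                      # custom header: forces a CORS preflight
ALLOWED_ORIGINS = {"https://app.example.invalid"}   # placeholder vendor origin


def permissive_decide(method: str, path: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """The weak property the article describes: whoever reaches the port is served.

    A page the user happens to be viewing can make the browser fetch
    http://127.0.0.1:<port>/join?..., so this hands control of the app to every website."""
    if path.startswith("/join"):
        return 200, "joining meeting"
    return 404, "unknown endpoint"


def decide(method: str, path: str, headers: Mapping[str, str],
           token: str = INSTALL_TOKEN) -> Tuple[int, str]:
    """Hardened decision: refuse foreign origins and require the install secret."""
    origin = headers.get("Origin")
    # 1. If the browser names the origin that sent this and it is not ours, refuse.
    #    Cross-site form POSTs and fetch() calls carry Origin, so this catches them.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request refused"
    # 2. A plain <img> or link navigation carries no Origin header, so its absence
    #    proves nothing. Require the secret in a custom header: a page can only add
    #    that header through a preflight, and do_OPTIONS below never approves one.
    supplied = headers.get(TOKEN_HEADER)
    if supplied is None or not secrets.compare_digest(supplied.encode(), token.encode()):
        return 401, "missing or wrong install token"
    if path.startswith("/join"):
        return 200, "joining meeting"
    return 404, "unknown endpoint"


class LocalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._serve("GET")

    def do_POST(self):
        self._serve("POST")

    def do_OPTIONS(self):
        # No Access-Control-Allow-* headers on purpose: a cross-origin request with a
        # custom header fails in the browser's preflight before any action runs.
        self.send_response(403)
        self.end_headers()

    def _serve(self, method: str):
        status, reason = decide(method, self.path, self.headers)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


def make_server(port: int = 0) -> HTTPServer:
    """Bind to loopback only (never 0.0.0.0); port 0 lets the OS pick a free port."""
    return HTTPServer(("127.0.0.1", port), LocalHandler)


if __name__ == "__main__":
    srv = make_server()
    print(f"listening on 127.0.0.1:{srv.server_port}; install token: {INSTALL_TOKEN}")
    srv.serve_forever()
```

The two checks are deliberately independent: the Origin check alone fails for requests the browser sends without an Origin header, and the token check alone would still let the vendor’s own origin be impersonated if the token ever leaked, so a defender wants both.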
Leitschuh vs. Zoom
Leitschuh notified Zoom as soon as he discovered the flaw, back in March. He then had to wait 90 days before disclosing his findings to the public. During this time the company did pretty much nothing, then released a patch for the issue on the last day of the 90-day period during which Leitschuh had to remain quiet. The patch disabled webpages’ ability to automatically turn on users’ cameras. However, the fix only partially addresses the issue, and it regressed only three days ago, once again allowing webcams to be enabled without permission.
Zoom responded by stating that they reacted immediately. They also commented on the issues, claiming that installing a local web server on Mac devices was a necessary workaround for an architecture change that came with Safari 12, which required users to confirm launching Zoom before every meeting. With a local web server installed, incoming calls are accepted automatically on behalf of the user, which saves one click before joining the conversation. On the potential denial-of-service attack, they stated that there is no record of anyone ever exploiting this vulnerability.
Further, they claim that users can simply change their camera settings, implying that users should fix it themselves if they are worried that someone might use it to spy on them.
Leitschuh made other claims against the company that Zoom denied. For example, Leitschuh stated that Zoom at first failed even to confirm that the flaw existed, and they certainly failed to issue a fix in time. The company denies this, claiming that their experts had their full attention on the flaw within ten minutes.
In the end, nothing was done, and a Zoom spokesperson admitted that there is nothing they can easily do to help their clients at this time. Users are the ones who have to manually locate and delete the web server and Zoom itself.