Photo Credit: Zoom
A zero-day vulnerability present in the popular video conferencing app Zoom for Mac computers has come to light. Disclosed by security researcher Jonathan Leitschuh in a Medium post earlier today, the vulnerability allows any malicious website to forcibly join a Mac user to a Zoom call with video camera activated. This is possible because of a Web server installed by Zoom on Mac computers. Even after you have uninstalled the application, the Web server remains functional and “can reinstall the Zoom client without requiring any user interaction.”
In the Medium post, Leitschuh writes that the security vulnerability potentially exposes hundreds of thousands of businesses that use Zoom for Mac on a daily basis to exploitation. The flaw is a result of Zoom feature that triggers the Zoom client when a Zoom meeting link is clicked. Unless the user has explicitly configured their Zoom client to disable video upon joining meetings, their video is immediately shared with anyone they are in a Zoom call with, including an attacker who has exploited the vulnerability to trigger a video call.
According to Leitschuh, the vulnerability could also allow any webpage to DoS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. This is, however, only possible if a person is running an older unpatched version of Zoom, which included another vulnerability.
Leitschuh had disclosed the Mac-related vulnerability to Zoom back in March this year along with a proposed “quick fix”, however he claims that the company took ten days to confirm the existence of the vulnerability and a total of 87 days to fix the issue with the “quick fix” solution.
The quick fix implemented by Zoom doesn't patch the vulnerability completely and there are still workarounds to exploit it.
The company has now stated that it plans to apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings. Thereby allowing them to switch off video by default for all Zoom meetings, however if a user keeps the video option on, they will still be vulnerable to malicious third parties as the company doesn't seem to have any plans to change the Web server or its behaviour.
“Zoom installs a local Web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting,” Zoom said in a statement on its website. “The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
Essentially, it is up to the Mac users to turn their cameras off by default to avoid giving other a peek into their lives.