Security researcher Jonathan Leitschuh, in a Medium post, detailed the flaw that could let websites hijack your Mac’s camera and “forcibly” join you to a Zoom call without your permission. Zoom is one of the most popular cloud-based enterprise communication platforms that offers chat, video and audio conferencing, and options to host webinars and virtual meetings online. About four million of its users are on Mac. The vulnerability takes advantage of a pretty simple feature that gives Zoom users an easy way to dial into video conference calls with the tap of a link — something like https://zoom.us/j/999999999, where ‘999999999’ is a random nine-digit meeting ID that expires once the meeting ends.
— Matt Haughey (@mathowie) July 9, 2019 This ensures that as long as the Zoom app is running in the background, if you open the meeting link on your browser, it automatically launches the Zoom client on your Mac. Leitschuh found this functionality was not securely implemented. Not only can a user be auto-joined to a Zoom video conference call by merely clicking on the meeting link, this works even if you no longer have the Zoom app installed. It’s because when you install the Zoom app, it also installs a web server locally to accept meeting requests. The troubling part here is that post uninstalling the app, the server still persists and can re-install the app without requiring your intervention.
— PlaneOnSecurity (@SwiftOnSecurity) July 9, 2019 This effectively means, in order to exploit this vulnerability, all an attacker needs to do is create an invite link through his account on Zoom, embed it on a website as a malicious ad, and just lure the target into visiting that website. The camera, however, can be turned off if you have ticked the option “Turn off my video when joining a meeting.” Leitschuh originally disclosed the flaw on March 26, 2019, but he mentioned the first actual meeting about how the vulnerability would be patched occurred on June 11, 2019, only 18 days before the end of the 90-day public disclosure deadline. The timeline in the Medium post shows that Zoom fixed the vulnerability on June 21. But a regression earlier this month caused the bug to resurface again, prompting Zoom to fix the issue yesterday.
— Jonathan Leitschuh (@JLLeitschuh) July 7, 2019 “Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user’s video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site,” Leitschuh wrote. The idea that any website you may visit from Mac has the capability to activate your video camera by default via an unauthorized Zoom call is alarming. Zoom has responded that it doesn’t see “video on by default as a security vulnerability,” and that it allows users to set their own video preferences. Zoom also said it developed the local web server as a workaround to changes that were added in Apple’s Safari browser that prompted Zoom users to confirm if they want to launch the app each time they clicked on a meeting link. “The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting,” the company said — meaning Zoom essentially sidestepped browser security mechanisms to solve what it calls “poor user experience.” As a solution, the company — which went public earlier this April — plans to roll out an update this month that will save users’ and administrators’ preferences to turn on/off video when they first join a call. But users who choose to keep the video option on will continue to be susceptible to malicious third parties as the company isn’t looking to fundamentally change the app’s behavior on Macs. Instead the onus will be on you to turn your camera off by default. It’s evident that Zoom has a tough problem on its hands as far as its Mac users are concerned — but it clearly isn’t doing a good job of keeping them safe from unsolicited calls, as bad actors could trick them into clicking links and enabling their video streams. The company would do well to think of a better way to address this than leaving it up to users to prevent this from happening. Update on July 10, 9:30 AM IST: In a surprise reversal, Zoom has decided to kill its controversial practice of using a local web server on Macs devices. It has also pushed an emergency patch to remove the server completely, but it acknowledged it didn’t currently have an easy way to uninstall both the client and the server. “We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client,” Richard Farley, Zoom’s chief information officer, said. “The user needs to manually locate and delete those two apps for now. This was an honest oversight. As such, by this weekend we will introduce a new Uninstaller App for Mac to help the user easily delete both apps,” he added. On Tuesday, the company had defended its use of a local web server, stating it enables users to join the meeting without having to do an extra click to get into a meeting. It also said it was a “legitimate solution to a poor user experience” due to changes Apple introduced in Safari 12.