A security researcher exposed a vulnerability that allows any malicious webpage to open up a video call to a Mac with the Zoom app installed, without asking for any permission.
According to Jonathan Leitschuh, the researcher, the flaw potentially exposes up to 750,000 companies worldwide that are using Zoom on a daily basis to conduct their business.
A drastic solution would be simply to uninstall Zoom from the computer, so that the user is no longer at risk of being secretly watched. However, as Leitschuh explains, Zoom’s initial installation also retrofits a web server onto the computer. Even once Zoom has been uninstalled, the web server code keeps running from a hidden directory, waiting for the user to visit a Zoom meeting link so that it can reinstall the app without asking for the user’s permission.
The archetypal Mac user is well accustomed to thinking that an app is uninstalled by click-dragging it into the trash bin, leaving behind no code that can take autonomous decisions, such as reinstalling an app, without explicit approval.
But this is exactly what Zoom does.
Zoom says it installs its web server to manage updates and to help launch calls, but Leitschuh underlined his nervousness about this approach:
“In my opinion, websites should not be talking to Desktop applications like this. There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users’ machines,” he said.
“Having every Zoom user have a web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom.”
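A defender-side check for the leftover local helper described above, as an added example (not code from the article, from Leitschuh or from Zoom). It assumes, since the article does not state them, that the helper listens on localhost TCP port 19421, runs as a process named ZoomOpener and lives in the hidden directory ~/.zoomus; adjust the variables if your values differ.

```shell
#!/bin/sh
# Added example: detect the leftover local web server and neutralise its
# directory. The port, process name and directory below are assumptions
# (they are not stated in the article); override them via the environment.
ZOOM_PORT="${ZOOM_PORT:-19421}"
ZOOM_DIR="${ZOOM_DIR:-$HOME/.zoomus}"
ZOOM_PROC="${ZOOM_PROC:-ZoomOpener}"

# Return 0 if something is listening on the given local TCP port.
local_server_listening() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# Remove the hidden directory and leave a zero-byte, mode-000 file in its
# place, so a later meeting link cannot silently recreate the helper there.
neutralise_dir() {
    dir="$1"
    rm -rf "$dir" || return 1
    : > "$dir" && chmod 000 "$dir"
}

# Return 0 if the path is that placeholder: a regular, empty, mode-000 file.
dir_is_neutralised() {
    dir="$1"
    [ -f "$dir" ] && [ ! -s "$dir" ] &&
        [ "$(ls -ld "$dir" | cut -c1-10)" = "----------" ]
}

# Full remediation: stop the helper process (if any), then neutralise its directory.
remediate() {
    pkill -x "$ZOOM_PROC" 2>/dev/null || true   # no matching process is not an error
    neutralise_dir "$ZOOM_DIR"
}

case "$1" in
    --check)
        if local_server_listening "$ZOOM_PORT"; then
            echo "something is listening on localhost port $ZOOM_PORT"
        else
            echo "nothing is listening on localhost port $ZOOM_PORT"
        fi
        [ -d "$ZOOM_DIR" ] && echo "$ZOOM_DIR still exists"
        ;;
    --fix)
        remediate && echo "neutralised $ZOOM_DIR"
        ;;
esac
```

Run with `--check` to inspect the machine and `--fix` to remediate; the check only reports, it changes nothing.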
Zoom thinks the installation of its server code can be justified because it is a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings.”
Leitschuh explained how he reported the vulnerability to Zoom this March, detailing how Mac users could be victims of DDoS attacks that saturate the server with pings. The researcher told Zoom to fix the issue within 90 days or he would go public.
https://twitter.com/backlon/status/1148464344876716033
After a lot of correspondence, the DDoS vulnerability was fixed in the 4.4.2 update of the Zoom app. But Zoom’s response to the other concerns was not as thorough, as the patch only disabled “a meeting creator’s ability to enable participant video by default.”
As Leitschuh points out, the fix for this vulnerability “regressed” at the beginning of June, once again allowing the camera to be activated and exploited.