Zoom Mac flaw allows webcams to be hijacked – because they wanted to save you a click

Graham Cluley

Zoom

Zoom

Dumb. Shameful. Downright rude.

Three of the words I could use to describe the Zoom video conferencing app after a serious security issue was discovered in its Mac version.

Security researcher Jonathan Leitschuh has shared details of a vulnerability that can allow any maliciously-crafted webpage to open-up a video call to a Mac which has the Zoom app installed.

In short, any website can turn on your Mac’s webcam without asking your permission.

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Now, you might think that taking the nuclear option of uninstalling Zoom from your Mac means you’re no longer at risk of having someone unexpectedly spying on you.

If you thought that, you’d be mistaken though. Because, as Leitschuh describes, when you initially installed Zoom it also installed a web server on your Mac. And even after Zoom is uninstalled from your computer, the web server code continues to run on your Mac in a hidden directory – waiting for you to visit a Zoom meeting link, whereupon it will (without asking your permission) reinstall Zoom.

That doesn’t just suck, it’s downright rude. I want to control whose apps get installed on my computer. A typical Mac user would believe that dragging the Zoom app into the trash can would uninstall the app, not leave behind code that can reinstall the app in the blink of an eye without a user’s explicit permission.

Zoom hasn’t just installed the web server on your Mac to reinstall its app, however. It’s also using it to update Zoom, and aid the launching of calls.

Leitschuh expressed his nervousness about this approach:

In my opinion, websites should not be talking to Desktop applications like this. There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users machines.

Having every Zoom user have a web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom.

Zoom, however, appears to think the installation of its webserver code is justifiable because it’s a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings.”

Leitschuh describes how he responsibly disclosed the vulnerability to Zoom in March, alongside details of how Macs could be hit by a denial-of-service attack by bombarding the web server with pings. The researcher gave Zoom 90 days to fix the issues before going public.

After a lot of back and forth, the denial-of-service vulnerability was fixed in version 4.4.2 of the Zoom app.

However, Zoom’s response to the other concerns were a “quick fix” patch that only disabled “a meeting creator’s ability to automatically enable a participants video by default.”

(Yes, by default Zoom let the host of a video call decide if participants will automatically join with their video enabled, rather than the participants make that rather important decision. How dumb is that?)

According to Leitschuh, Zoom fix for this vulnerability “regressed” on June 7 2019, allowing the vulnerability to still be exploited with the video camera activated.

In a blog post, Zoom has attempted to defend the way its app works, claiming that users are able to turn video off when they join a meeting. Zoom also argues that users would become aware that they had joined a meeting:

“…because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened.”

The company goes on to say that it will be making changes in its next update:

“As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”

I’m not impressed by the tone of Zoom’s response, which feels in places like it has been written by the PR department.

And I really don’t like the idea anymore of having Zoom’s conferencing app on my Mac. So I’ve uninstalled it. But, of course, that’s not enough. I also need to remove the web server that Zoom sneakily also installed on my Mac, which could reinstall Zoom without my permission at a moment’s notice.

If you want to do the same, be sure to read the end of Leitschuh’s article where he gives technical instructions on how shut down the web server and prevent it from being installed.

For more discussion of this, listen to this edition of the “Smashing Security” podcast, and hear how pissed off I was:

Smashing Security #136: 'Oops, we created Iran's hacking exploit'

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

Update: Apple pushes out silent update to remove sketchy Zoom code from Macs

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.