If you’re one of the millions of Zoom video-conferencing users and have the app installed on a Mac, then you’re being advised to check your settings to ensure you have the video camera disabled by default—the tickbox is “turn off my video when joining a meeting,” and can be found in the video section of the settings.
This is because of a security flaw that was disclosed today by researcher Jonathan Leitschuh under a zero-day disclosure approach (publishing once the vendor's deadline had passed). Users are also advised to ensure their apps are updated as patches are released by the company.
The flaw stems from an architectural weakness in Zoom: a web server installed on the user's machine to improve the user experience leaves systems open to malicious attack. Webcams can be activated (essentially by forcibly joining users to Zoom calls they never asked for), denial-of-service attacks can be staged (since patched), and uninstalled apps can be reactivated, all without user permission.
Zoom explained this was done to improve patchy user experiences, telling ZDNet it was a workaround to changes in Safari 12—“a legitimate solution to poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
“First off,” Leitschuh said in his disclosure, “having an installed app running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me. Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a security researcher.”
Leitschuh accused Zoom of “painting a huge target on its back” through the use of the local server, opening up millions of users to attack through a poorly architected technical solution that essentially bypasses the browser's own safeguards in the interests of user experience, safeguards that are clearly there for good reason.
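The design problem Leitschuh describes is general: a browser will issue a plain GET to a server listening on the user's own machine from any page the user happens to visit (an image or script tag is enough), and if the local server acts on such requests unconditionally, every website can drive it. The following added example, which is not Zoom's code and not from the article, shows the shape of a local helper server that refuses to act unless the request both comes from an allowlisted Origin and carries a per-install secret that an arbitrary web page could not know. The origin name, port, path and the `token` query parameter are assumptions made for the demo.

```python
"""Hardened local helper server: an added illustration, not Zoom's code.

Two independent checks, both of which must pass before the server does
anything on the user's behalf:
  1. The request's Origin header is on a short allowlist. Plain <img>/<script>
     fetches and top-level navigations carry no Origin at all, so they are
     rejected outright; cross-site fetch/XHR calls carry the attacker's
     origin and are rejected by the allowlist.
  2. The request carries a per-install secret. In a real design the app would
     hand this secret only to the trusted front end over its own channel
     (assumption); here it is simply generated at import time.
"""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping
from urllib.parse import parse_qs, urlparse

ALLOWED_ORIGINS = {"https://example-helper.invalid"}   # assumed trusted origin
INSTALL_TOKEN = secrets.token_urlsafe(32)              # assumed per-install secret
LISTEN_ADDR = ("127.0.0.1", 18080)                     # assumed port for the demo


def is_trusted_request(headers: Mapping, query: Mapping) -> tuple:
    """Return (ok, reason). `headers` is any case-insensitive mapping such as
    BaseHTTPRequestHandler.headers; `query` is the dict produced by parse_qs."""
    origin = headers.get("Origin")
    if origin is None or origin == "null":
        return False, "no usable Origin header (img/script fetch or navigation)"
    if origin not in ALLOWED_ORIGINS:
        return False, "origin %r is not allowlisted" % origin
    token = query.get("token", [None])[0]
    # Constant-time comparison on bytes so a non-ASCII token cannot raise.
    if not token or not secrets.compare_digest(token.encode(), INSTALL_TOKEN.encode()):
        return False, "missing or wrong install token"
    return True, "ok"


class HelperHandler(BaseHTTPRequestHandler):
    """Only the /launch path performs a privileged action; everything else is 404."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/launch":
            self.send_error(404)
            return
        ok, reason = is_trusted_request(self.headers, parse_qs(url.query))
        if not ok:
            # Log the refusal for the user/admin; this is the detection signal
            # that some page tried to drive the local helper.
            self.log_message("refused launch request: %s", reason)
            self.send_error(403, reason)
            return
        # A real helper would start the desktop client here; the demo just acks.
        body = b"would launch client now\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the checks above still apply to every browser tab.
    HTTPServer(LISTEN_ADDR, HelperHandler).serve_forever()
```

The logged refusals are the useful part for a defender: a burst of 403s from unexpected origins on a loopback helper is exactly the signal that a visited page is trying to drive software the user never consented to expose.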
Leitschuh disclosed the issue to Zoom back in March. It opens users up to a “vulnerability that leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine.”
In his disclosure, Leitschuh said that Zoom delayed acting on the vulnerability and did not discuss what he had found until 18 days before the end of the 90-day non-disclosure “grace period.” Then, on June 24, “after 90 days of waiting, the last day before the public disclosure deadline,” Leitschuh says that Zoom simply deployed a “quick fix” he had suggested to the company three months earlier.
“Ultimately,” Leitschuh said, “Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.”
Tech-savvy users can hunt down and delete the application, “decompiling the Zoom client application.” For the rest of us, change that video setting and keep your app updated. There are no indications yet of major technical changes from Zoom to address this architectural weakness, so changing that video setting—and keeping it changed—seems like advice that will stick.
In a statement, Zoom confirmed the issue, acknowledging that “if an attacker is able to trick a target user into clicking a web link to the attacker’s Zoom meeting ID URL, either in an email message or on an internet web server, the target user could unknowingly join the attacker’s Zoom meeting.”
Zoom added that its July update “will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”
Zoom said it “takes all security concerns related to our products very seriously and has a dedicated Security team in place. We acknowledge that our website currently doesn’t provide clear information for reporting security concerns. As such, in the next several weeks, Zoom will go live with its public bug bounty program, supplementing our existing private program.”
Leitschuh, though, remains skeptical and recommends the zero-day disclosure approach instead, which has clearly ensured that this exposure has hit the headlines this time around.