The web conferencing application Zoom contains serious zero day vulnerabilities that allow anyone to enable the camera on a Mac device – a security issue affecting over four million webcams and 750,000 companies, according to security researcher Jonathan Leitschuh, who disclosed the issue in a Medium post.

This issue arises on Mac devices, as once Zoom is installed it opens a web server on the local machine from port 19421. Any website that the user visits is able to interact with this web server running on the local machine. Zoom describes the issue as “a workaround to an architecture change introduced in Safari 12” and says its response (simply prompting users to turn off their video at the start of the call, then saving those settings) is “a legitimate solution to a poor user experience”.

Leitschuh created a personal meeting within the Zoom application with a different account. Then using a GET request, from the API tool Postman, he managed to successfully get his computer to join the private Zoom call he had established with the second account.

Pushing the Zoom vulnerability further he discovered that the local client Zoom web server “is running as a background process, so to exploit this, a user doesn’t even need to be “running” (in the traditional sense) the Zoom app to be vulnerable.”

Zoom Vulnerability“All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running. This is still true today!” Leitschuh notes, adding that as well as the privacy issues, the 0day could let an attacker embed malicious ads, among other exploits. It can also be used to instigate a Denial Of Service attack using GET requests.

In a public statement Zoom said: “Zoom installs a local web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting.

“We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”

In addressing the video vulnerability they have stated that all first-time Zoom users upon joining a meeting will be asked if they would like the video function turned off, saying: “As part of our July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”

Trouble Trying to Disclose Zoom Vulnerability

Leitschuh disclosed the vulnerability to Zoom on March 26, 2019 in which he proposed a ‘quick fix’ the company could have instigated that would have changed its server logic, negating the vulnerability. Zoom only confirmed the flaw ten days after contact. Just 18 days out from the 90-day public disclosure deadline he says Zoom started the conversation on how to patch the flaw.

While initially requesting confirmation of his disclosure he was informed that Zoom’s Security Engineer was Out of Office. In its public statement Zoom note that: “Once this particular issue was brought to our Security team’s attention, we responded within 1 hour, gathering additional details, and proceeded to perform a risk assessment. Our Security and Engineering teams engaged the researcher and were in frequent contact over a period of several weeks.”

However, Leitschuh quickly points out that: “I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability….Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard.”

“As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service.”

Not everyone agreed with the severity of this.

Tod Beardsley from security company Rapid7 said he thought the vulnerability may be somewhat overblown. He said in an emailed comment: “I‘m not entirely certain this is a bug in Zoom. For starters, there’s a (non-default) configuration setting that seems to totally mitigate this issue: In the MacOS client, go to zoom.us > Preferences > Video > ‘Turn off my video when joining meeting’.

“Since this is already my personal default, I was confused as to why the original proof of concept wasn’t working for me (I finally figured it out this morning). At any rate, given the existence of this mitigation, the bug actually seems to be down in the browser, not the Zoom client, where CORS policies aren’t enforced for localhost domains. This has been known for several years.

“There’s another bug in the Zoom client about how there is a local web server installed as part of the package that doesn’t get uninstalled, and that’s pretty bad hygiene. However, it’s a webserver that /only/ listens for local connections. It’s not accessible over the internet or the local network or anything. That said, if there’s ever an exploitable bug in that bit of left-behind code, it might be exploitable across the internet thanks to this CORS policy issue.

“Finally, there’s a denial of service condition that’s pretty annoying. That’s been patched as of 4.4.2. The short story is, an updated client and setting your webcam to not automatically start makes this zero-day go away.”

See Also: Tale of the Tape: The NSA’s Neal Ziring on the Slow Death of Punched Tape Crypto Keys