A security researcher has uncovered a vulnerability in the Mac client for Zoom's video conferencing software that allowed attackers to turn on a victim's webcam, even on machines where the app was no longer installed.
Jonathan Leitschuh detailed his discovery in a blog post, which explains that if an attacker could trick a Mac user into clicking a link containing the attacker's meeting ID URL, the victim would unknowingly join the attacker's meeting.
Unless the victim had configured their Zoom client to disable video when joining meetings (video is enabled by default), their webcam would be exposed to the attacker.
Leitschuh also found that the same vulnerability could be used to deny service (DoS) to a Mac by repeatedly joining the user to an invalid call, freezing the computer as a result.
The vulnerability could be exploited even if the Zoom client was no longer installed on the device. If the client had ever been installed and then uninstalled on a Mac, a localhost web server remained installed and running on the device, and it could re-install Zoom without any user interaction.
Zoom said it installed the local web server as a workaround for a change in Safari 12 that requires users to confirm launching Zoom before every meeting, sparing users an additional click before the client opens.
“We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator,” a Zoom spokesperson said in a statement.
Leitschuh disclosed the issue to Zoom on 26 March 2019, proposing a "quick fix" of disabling the ability for a meeting creator to enable participants' video by default, though this was not a complete solution.
Zoom implemented the fix by the time Leitschuh's 90-day disclosure deadline ended, though the vulnerability reappeared soon after.
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” Leitschuh said.
“An organisation of this profile and with such a large user base should have been more proactive in protecting their users from attack.”
A Zoom spokesperson responded, saying that as part of its July 2019 update it would apply and save the user's video preference from their first meeting to all future meetings, and would evaluate other similar features.
“Zoom believes in giving our customers the power to choose how they want to Zoom,” the spokesperson said.
“This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting.”
Zoom said it would also launch a public bug bounty program in the coming weeks, and that it would update its web submission form for security-related concerns.