Today, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the Zoom videoconferencing app for Mac. He has shown that any website can open a video-enabled call on a Mac that has the Zoom app installed. That is possible in part because the Zoom app apparently installs a web server on the Mac that accepts requests regular browsers would not. In fact, if you uninstall Zoom, the web server persists and can reinstall the app without your intervention.
Using Leitschuh's demo, we have confirmed that the vulnerability works: if you have previously installed the Zoom app (and have not changed a particular checkbox in its settings), clicking a link automatically joins you to a conference call with your camera on. Others on Twitter report the same thing:
Leitschuh explains that he responsibly disclosed the vulnerability to Zoom at the end of March, which gave the company 90 days to fix the problem. By Leitschuh's account, Zoom does not appear to have done enough to address it. The vulnerability was also disclosed to the Chromium and Mozilla teams, but since it is not a problem with their browsers, there is not much those developers can do.
Turning on the camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an earlier version of Zoom (since patched), it was possible to carry out a denial-of-service attack on the Mac by constantly pinging the web server: "By simply sending repeated GET requests for an incorrect number, the Zoom application would constantly request 'focus' from the operating system," Leitschuh writes.
You can "patch" this problem yourself by making sure the Mac app is up to date and by disabling the setting that allows Zoom to turn on your camera when you join a meeting, as illustrated below. Again, simply uninstalling Zoom will not fix this, since the web server persists on your Mac. Shutting down the web server requires running some terminal commands, which can be found at the bottom of Leitschuh's Medium post.
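The root of the problem described above is a local web server that honours requests any web page can trigger. As an added illustration (not code from the article, from Leitschuh, or from Zoom), the snippet below shows how such a helper server can refuse those requests: it only acts on POST, checks the Origin header against an allowlist, and demands a per-install token in a custom header, which an image tag or simple cross-site request cannot carry. The port, origin, path and header name are assumptions made up for this example.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed values for this example; the real app's port, origins and paths are not given here.
ALLOWED_ORIGINS = {"https://app.example-meetings.test"}
INSTALL_TOKEN = secrets.token_hex(16)  # per-install secret handed only to the user's own web client


def decide(method, path, headers, token=INSTALL_TOKEN, allowed=ALLOWED_ORIGINS):
    """Return (status, reason) for a request to the local helper.

    Anything a random web page could trigger on its own is rejected."""
    if method != "POST":
        # <img src=...> and plain link clicks are GETs: a GET must never start a call.
        return 405, "state-changing actions require POST"
    if headers.get("Origin") not in allowed:
        # Browsers attach Origin to cross-site requests; unknown sites get nothing.
        return 403, "origin not allowed"
    if headers.get("X-Install-Token") != token:
        # A custom header triggers a CORS preflight that this server never approves for
        # other origins, so a third-party page cannot supply the token.
        return 403, "missing or wrong install token"
    if urlparse(path).path != "/join":
        return 404, "unknown action"
    return 200, "join accepted"


class LocalHandler(BaseHTTPRequestHandler):
    """Bind the decision function to a loopback-only HTTP server."""

    def _handle(self, method):
        status, reason = decide(method, self.path, self.headers)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

    def do_GET(self):
        self._handle("GET")

    def do_POST(self):
        self._handle("POST")


if __name__ == "__main__":
    # Listen on loopback only; the decision logic above does the actual gatekeeping.
    HTTPServer(("127.0.0.1", 8765), LocalHandler).serve_forever()
```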
We have contacted Zoom for comment and will update when we receive a response directly. In comments to ZDNet, Zoom says the web server is a "legitimate solution to a poor user experience, which allows our users to have trouble-free meetings with a single click". ZDNet also says that Zoom will take further measures:
Zoom said that in its July release, it would save the user's choice if they turn off video on their first call and apply it to future meetings, with these changes applying across all of its platforms.
Thanks to Leitschuh's report, Zoom also removed the option for a call host to have participants join automatically with video enabled.
Updated at 9:40 p.m. ET with comments Zoom provided to ZDNet.