On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in conferencing software Zoom, which apparently achieves its click-to-join feature – allowing users to go directly to a video meeting from a browser link on Mac computers – by installing a local web server running as a background process that “accepts requests regular browsers wouldn’t,” per the Verge. As a result, Zoom could be hijacked by any website to force a Mac user to join a call without their permission, and with webcams activated unless a specific setting was enabled.
Worse, Leitschuh wrote that the local web server persists even if Zoom is uninstalled and is capable of reinstalling the app on its own, and that when he contacted the company they did little to resolve the issues.
In a Medium post on Monday, Leitschuh provided a demo in the form of a link that, when clicked, took Mac users who have ever installed the app to a conference room with their video cameras activated (it’s here, if you must try yourself). Leitschuh noted that the code to do this can be embedded in any website as well as “in malicious ads, or it could be used as a part of a phishing campaign.”
Additionally, Leitschuh wrote that even if users uninstall Zoom, the insecure local web server persists and “will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy
— Matt Haughey (@mathowie) July 9, 2019
This implementation leaves open other nefarious ways to abuse the local web server, per the Verge:
Turning on your camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to enact a denial of service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.
According to Leitschuh, he contacted Zoom on March 26, saying he would disclose the exploit in 90 days. Zoom did issue a “quick fix” patch that only disabled “a meeting creator’s ability to automatically enable a participants video by default,” he added, though this was far from a complete solution (and did nothing to negate the “ability for an attacker to forcibly join to a call anyone visiting a malicious site”) and only came in mid-June.
On July 7, he wrote, a “regression in the fix” caused it to no longer work, and though Zoom issued another patch on Sunday, he was able to create a workaround.
To fix the issue, Leitschuh advises Mac users who have the app installed to update to the latest version and then click a button in settings to “Turn off my video when joining a meeting,” as seen above. He also provided a set of Terminal commands that can disable the local web server and prevent it from reinstalling itself, which can be seen in his Medium post.
“In my opinion, websites should not be talking to Desktop applications like this,” Leitschuh warned. “There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users machines… Having every Zoom user have a web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom.”
“As of 2015 Zoom had over 40 million users,” Leitschuh concluded. “Given that Macs are 10% of the PC market and Zoom has had significant growth since 2015 we can assume that at least 4 million of Zoom’s users are on Mac… All of the vulnerabilities described in this report can be exploited via ‘drive-by attack’ methodologies… I believe that in order to fully protect users, I truly believe that this localhost web server solution needs to be removed.”
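The browser-sandbox argument quoted above comes down to one design rule: a localhost listener must not perform an action just because a request arrived, since any web page can make the browser send one. The request policy below is an added illustration written for this article, not Zoom's or Leitschuh's code; the header names, token scheme, rate-limit figures and origins are assumed for the example.

```python
from dataclasses import dataclass, field
import hmac
import time


@dataclass
class LocalEndpointPolicy:
    """Decides whether a request reaching a localhost listener may trigger
    an action in the desktop app (e.g. opening a meeting with the camera on)."""
    # Per-install secret written to a file only the native app and the user's
    # own processes can read; a web page has no way to learn it.
    token: str
    # Origins allowed to drive the app at all (assumed values, see the test).
    allowed_origins: frozenset
    max_requests_per_window: int = 5
    window_seconds: float = 10.0
    _hits: list = field(default_factory=list)

    def decide(self, method, headers, query, now=None):
        """Return "allow" or a "deny: ..." reason; checks run cheapest first."""
        now = time.monotonic() if now is None else now
        # 1. Any site can make the browser GET this endpoint via <img> or
        #    <script>, and a cross-site form can POST. Browsers attach Origin
        #    to cross-site requests, so an unlisted or missing Origin is refused.
        if headers.get("Origin") not in self.allowed_origins:
            return "deny: untrusted origin"
        # 2. Side effects only on POST; GET must stay idempotent and harmless.
        if method != "POST":
            return "deny: side effect requires POST"
        # 3. Require the unguessable per-install token, compared in constant time.
        supplied = query.get("token", "").encode()
        if not hmac.compare_digest(supplied, self.token.encode()):
            return "deny: bad token"
        # 4. Rate limit, so a page looping requests cannot make the app keep
        #    re-running the action (cf. the "constantly request focus" DoS above).
        self._hits = [t for t in self._hits if now - t < self.window_seconds]
        if len(self._hits) >= self.max_requests_per_window:
            return "deny: rate limited"
        self._hits.append(now)
        return "allow"
```

Each check blocks a different route the article describes: the origin check stops drive-by pages, the token stops anything that can only guess at the endpoint, and the rate limit bounds what a looping page can do even if the first two were misconfigured.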
Zoom has doubled down on its implementation of the click-to-join feature, per ZDNet, though it said it would issue additional updates.
In a statement to the site, Zoom wrote that it was a “workaround” to changes in Safari 12 and that running the local web server as a background process is a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.” According to ZDNet, Zoom also said it would save users’ decision on whether to turn off video in their first call and apply that setting to future meetings.