Lily Hay Newman
Zoom has gained devotees—and a post-IPO boom—thanks to its dead simple video conferencing tech. Joining a call is particularly easy; with the click of a meeting URL, the page automatically launches the desktop app, and you’re in. But as security researcher Jonathan Leitschuh discovered, that seamlessness comes with a striking set of vulnerabilities for Zoom users on Apple computers—including one that could let an attacker hijack your webcam.
On Monday, Leitschuh publicly disclosed details of how an attacker could set up a malicious call, trick users into clicking a link to join it, and instantly add their video feed, letting them look into a victim’s room, office, or wherever their webcam is pointing. In addition, Leitschuh found that attackers could also launch a denial of service attack against Macs by using the same mechanism to overwhelm them with join requests.
Zoom patched this DoS issue in a May update, but for now is only adjusting its auto-join video settings, giving users a more prominent way of choosing whether their video feed automatically launches when they click a Zoom call link. Leitschuh says that the new fix is still not enough to address user privacy concerns, or the underlying insecurity of the flow that allows Zoom to launch calls from meeting URLs so smoothly.
“Without the user giving any explicit consent nor taking any explicit action they would be instantly dropped into a Zoom meeting,” Leitschuh says of a malicious Zoom call attack. “By default Zoom shows video, but doesn’t send audio, though both settings are changeable. So depending on their video and audio settings, victims would potentially be immediately broadcasting themselves, perhaps even without their knowledge if they’re not looking at their screen.”
To demonstrate the severity of the vulnerability, Leitschuh published some proof of concept attack links; click on them, and you’ll automatically join a call. Since Zoom hasn’t issued the update meant to address this yet, the demo still very much works.
The vulnerability stems from a conscious choice on Zoom’s part. To reduce friction from the video chat experience, Zoom sets up a local web server on every user’s Mac that allows call URLs to automatically launch the desktop app. Zoom says that this setup is in place as a “workaround” to a feature of Safari 12 that would require users to approve Zoom launching every time they click a call link. And though the workaround is there to deal with a Safari feature, the same setup applies no matter which browser you launch a Zoom link from. Zoom doesn’t offer quite such a frictionless experience on Windows, but there’s a box you can check to permanently dismiss the prompts and start video automatically that would put you in a similar situation.
“The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem,” Zoom said in a statement late Monday night. “We are not alone among video conferencing providers in implementing this solution.”
“This is a very disturbing set of bugs, but unsurprising given other Zoom issues.”
Thomas Reed, Malwarebytes
The Safari feature does add an extra step for users. But by circumventing that step, Zoom potentially exposes its users to strangers ogling them online—which demonstrates the need for that extra layer of permission in the first place. Additionally, Leitschuh points out that Zoom’s local web server persists on your Mac even if you uninstall the Zoom desktop app. If you ever click a Zoom call link again, the program can quickly, automatically download and reinstall itself through the web server.
“Having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me,” Leitschuh wrote in his report, noting that he combed the web for details about Zoom’s application programming interface for this feature and couldn’t find anything. “The fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me.”
Zoom has added a cryptographic signing mechanism for requests made to the local web servers, which is an authentication improvement, but Leitschuh has already proposed a way that an attacker could bypass the protection.
“This is a very disturbing set of bugs, but unsurprising given other Zoom issues I’ve observed and reported in the past. The local web server is honestly the most concerning part, and it’s not fixed,” says Thomas Reed, a Mac research specialist at the security firm Malwarebytes. “The web server is concerning, because of the possibility that someone could find a way to use it remotely to trigger remote code execution.”
As Leitschuh points out, researchers at the security exposure assessment firm Tenable recently discovered such a remote code execution bug in Zoom that could have been combined with these new findings to attack not just Zoom, but a user’s broader Mac system. Zoom has patched the Tenable vulnerability.
“This Zoom vulnerability is especially concerning and downright creepy because it doesn’t require a user to be on a Zoom call,” says Tenable’s David Wells. “The Zoom flaw I found last year would allow an attacker to invoke keystrokes on remote machines, even without being a meeting attendee. Combining both vulnerabilities in a targeted attack would be extremely dangerous.”
It won’t fully do so here. Instead, to address the auto-join video feeds feature, Zoom is adding a tweak in an upcoming update that will use the setting people choose in their first-ever Zoom call as the default for future calls. If you decide in your first call that you want to manually add video each time, that will be the default for every call thereafter. In the current version of Zoom, you can add similar protection for yourself by going to Settings/Preferences > Video > Meetings > Turn off my video when joining a meeting.
Leitschuh told Zoom on March 26 that the company had 90 days—a standard deadline in information security—to fix the issues. He declined to join Zoom’s private bug bounty program, because of its nondisclosure agreement requirements. Zoom now says that it is going to launch a public bug bounty in the next few weeks. “We acknowledge that our website currently doesn’t provide clear information for reporting security concerns,” the company says.
For now, make sure your Zoom is up to date and change your video settings to block auto-joining. The situation is an important reminder, though, that given the choice between protecting security and privacy or prioritizing convenience, Zoom unabashedly chose convenience. And will continue to do so.
Updated July 9, 2019 12:10pm ET to include details about Zoom on Windows and comment from Tenable.
More Great WIRED Stories