A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.
In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.
In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.
Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.
While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.
Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.
Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.
Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
Update 2: Zoom is no longer taking a defensive stance and has now released a patch.
In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.
In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.
Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.
While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.
Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.
Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.
Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
Update 2: Zoom is no longer taking a defensive stance and has now released a patch.
36 comments
The Apple Watch Series 5 is set to launch this Friday, September 20, but the embargo for the first reviews of Apple's latest smartwatch ended this morning. Several journalists and media outlets...
Apple's new 2019 iPhone lineup uses modems from Intel rather than Qualcomm, PCMag confirmed today thanks to the devices' field test screens.
We already expected Apple to use Intel modems...
A U.S. District Judge in San Jose today certified a class action lawsuit that accuses Apple of using "inferior" refurbished products as replacements for its AppleCare and AppleCare+...
Likely-accurate battery and RAM specifications for the iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max have surfaced in filings submitted to Chinese regulatory agency TENAA and uncovered by...
Apple provided iPhone 11, 11 Pro, and 11 Pro Max review units to members of the media following its September 10 event, and today, those reviews were published, giving us some insight into the new...
It's always interesting to get a look back at Apple's past, especially when it comes to prototype devices that were never actually released to the public, so we thought we'd share some...
Yesterday, noted Apple analyst Ming-Chi Kuo said that iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max pre-orders have been better than expected so far, noting that demand for the higher-end iPhone 11...
The iPhone 11 is set to launch this Friday, September 20, and in advance of that release date the first reviews for the smartphone have begun appearing online. Apple has provided review units of the...
