A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.
In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.
In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.
Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.
While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.
Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.
Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.
Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
Update 2: Zoom is no longer taking a defensive stance and has now released a patch.
In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.
In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.
Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.
While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.
Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.
Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.
Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
Update 2: Zoom is no longer taking a defensive stance and has now released a patch.
36 comments
Apple today announced it has released its Research app with three studies related to heart and movement, women's health, and hearing. The app is designed to make it easier for iPhone users to...
Apple is considering bundling its subscription services as early as 2020, including Apple Music, Apple TV+, and Apple News+, according to Bloomberg.
The report indicates that Apple has...
Apple this evening shared a new trailer for its upcoming Apple TV+ show "Servant," which is set to come out in just over two weeks.
This particular clip shows a doll maker creating...
Stanford Medicine today published results from the Apple Heart Study that kicked off in 2017, marking the third time data from the study has been shared (via Reuters and CNBC).
The aim of the...
Apple CFO Luca Maestri is teaming up with auction site Charitybuzz to offer Apple fans the opportunity to bid on lunch with Maestri and a tour of the Apple headquarters in Cupertino, California.
...
Apple plans to release new iPad Pro models with rear 3D sensing in the first half of 2020, according to analyst Ming-Chi Kuo.
In a research note with TF International Securities, seen by...
Apple Music was today updated with a new feature called Replay, which is designed to allow Apple Music subscribers to take a look at the music that they listened to most in 2019.
Available on...
Apple's marketing chief Phil Schiller has spoken with CNET's Roger Cheng about the new 16-inch MacBook Pro, reflecting on the new Magic Keyboard, the Touch Bar, and many other aspects of the...
