Zoom responds to major vulnerability in Mac app that can allow sites to hijack webcam

Late last night, it was reported that a major vulnerability within the Zoom Mac app had been discovered, which basically made it possible for some sites to hijack a computer’s webcam.

The zero-day vulnerability was discovered by security researcher Jonathan Leitschuh, who had initially reported it to Zoom back in March. Leitschuh recently published the details of the vulnerability on his Medium account, explaining how it works and how dangerous it could be for Zoom users.

The general gist is this: When you install the video conferencing app, Zoom, on your Mac, it also installs a web server directly on your computer. This actually “accepts requests regular browsers wouldn’t”, according to a report from The Verge. That web server is running as a background process, which makes it possible to “forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission”.

In the original Medium post, links are provided to test out the vulnerability. Doing so will have the user join a conference call, with the camera already activated, without the user’s direct acceptance of such.

What’s worse, because the web server is installed directly on the computer, it remains present even if the Zoom application is uninstalled. This means the vulnerability still works even after the user has removed Zoom.

As noted above, Leitschuh informed Zoom of the vulnerability back in March, and the researcher has put together a detailed timeline of how this all came to pass before the public disclosure on Monday night. According to Leitschuh, the regression was fixed on July 8; however, he was quickly able to find a way around that fix.

What’s more, Leitschuh says that Zoom does not have a worthwhile auto-update process in place, which means that many Zoom users out in the wild are potentially running an older version of the software and are still exposed to the vulnerability.

Now, Zoom has responded and has sent out an update to fix the issue:

The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.

The company has a full blog post on the matter, which, if you are a Zoom user, is definitely worth checking out. But, here’s a brief snippet, where the company points out that it is possible to disable the Zoom client from automatically activating the webcam when joining a video conference:

This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed. Of note, we have no indication that this has ever happened.

In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.

Now, if you’re curious and you want to check for the Zoom vulnerability, and how to clean it up (and you don’t mind using the Terminal app), Glen Maddern’s posts on Twitter are a great place to start.
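The article says the helper web server keeps listening even after the app is removed, and points readers at a Terminal-based check without reproducing it. The script below is an added example, not code from the article, from Leitschuh, from Glen Maddern or from Zoom: it verifies from the defender's side whether anything still answers on a loopback port and whether what answers speaks HTTP, which is how you confirm a cleanup actually took. The article does not name the port; 19421 is the port publicly reported for the Zoom helper server and is used here as an assumed default that you should replace if your advisory differs.

```python
"""Check for an unexpected HTTP listener on the loopback interface.

Added example (not from the article or from Zoom). Useful after removing a
desktop app that shipped a background web server: if the port still answers,
the helper process is still running and the uninstall was incomplete.
"""
import socket
from typing import Dict, Iterable, Optional, Tuple

# Assumption: the article does not give the port. 19421 is the publicly
# reported port of the Zoom helper server; adjust to match your advisory.
HELPER_PORTS = (19421,)
LOOPBACK = "127.0.0.1"


def port_is_listening(port: int, host: str = LOOPBACK, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timeout, or unreachable: nothing accepting there.
        return False


def probe_http_status(port: int, host: str = LOOPBACK, timeout: float = 1.0) -> Optional[str]:
    """Send a minimal HTTP/1.0 GET and return the status line, or None.

    Distinguishes 'some socket is open' from 'a web server is answering'.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    first_line = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            # Read one byte at a time until the end of the status line.
            while not first_line.endswith(b"\r\n") and len(first_line) < 512:
                chunk = sock.recv(1)
                if not chunk:
                    break
                first_line += chunk
    except OSError:
        return None
    text = first_line.decode("ascii", errors="replace").strip()
    return text if text.startswith("HTTP/") else None


def check_ports(ports: Iterable[int], host: str = LOOPBACK) -> Dict[int, Dict[str, object]]:
    """Report, per port, whether it is listening and what HTTP status line it returns."""
    report: Dict[int, Dict[str, object]] = {}
    for port in ports:
        listening = port_is_listening(port, host)
        report[port] = {
            "listening": listening,
            "http_status": probe_http_status(port, host) if listening else None,
        }
    return report


def self_check() -> Tuple[bool, bool]:
    """Demonstrate the probe against a throwaway loopback listener.

    Opens a listener on an ephemeral port, probes it, closes it, probes again.
    Expected result: (True, False).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LOOPBACK, 0))
    server.listen(1)
    port = server.getsockname()[1]
    while_open = port_is_listening(port)
    server.close()
    after_close = port_is_listening(port)
    return while_open, after_close


if __name__ == "__main__":
    for port, info in check_ports(HELPER_PORTS).items():
        state = "LISTENING" if info["listening"] else "closed"
        status = f" ({info['http_status']})" if info["http_status"] else ""
        print(f"{LOOPBACK}:{port}: {state}{status}")
```

Run it before and after removing the app: a port that reports LISTENING with an HTTP status line after the uninstall means the background helper survived and its process still needs to be stopped and removed. The probe only connects to loopback and sends a plain GET, so it is safe to run on any machine.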

Zoom has been heralded as one of the best video conferencing apps and services out there, but this is a huge vulnerability. Still, it’s possible that Zoom can bounce back pretty quickly — especially if it can upgrade its auto-update mechanism to actually make sure the new, patched software is on more machines out there.

Are you a Zoom user?