ZOOM HAS GAINED devotees—and a post-IPO boom—thanks to its dead-simple video conferencing tech. Joining a call is particularly easy; with the click of a meeting URL, the page automatically launches the desktop app, and you're in. But as security researcher Jonathan Leitschuh discovered, that seamlessness comes with a striking set of vulnerabilities for Zoom users on Apple computers—including one that could let an attacker hijack your webcam.
On Monday, Leitschuh publicly disclosed details of how an attacker could set up a malicious call, trick users into clicking a link to join it, and instantly add their video feed, letting them look into a victim's room, office, or wherever their webcam is pointing. In addition, Leitschuh found that attackers could also launch a denial of service attack against Macs by using the same mechanism to overwhelm them with join requests.
Zoom patched this DoS issue in a May update but for now is only adjusting its auto-join video settings, giving users a more prominent way of choosing whether their video feed automatically launches when they click a Zoom call link. Leitschuh says the new fix is not enough to address user privacy concerns or the underlying insecurity of the flow that allows Zoom to launch calls from meeting URLs so
“Without the user giving any explicit consent nor taking any explicit action, they would be instantly dropped into a Zoom meeting,” Leitschuh says of a malicious Zoom call attack. "By default, Zoom shows video but doesn't send audio, though both settings are changeable. So depending on their video and audio settings, victims would potentially be immediately broadcasting themselves, perhaps even without their knowledge if they're not looking at their screen."
To demonstrate the severity of the vulnerability, Leitschuh published some proof-of-concept attack links; click on them and you'll automatically join a call. Since Zoom hasn't issued the update meant to address this yet, the demo still very much works.
The vulnerability stems from a conscious choice on Zoom's part. To reduce friction from the video chat experience, Zoom sets up a local web server on every user’s Mac that allows call URLs to automatically launch the desktop app. Zoom says that this setup is in place as a “workaround” to a feature of Safari 12 that would require users to approve Zoom launching every time they click a call link. And though the workaround is there to deal with a Safari feature, the same setup applies no matter which browser you launch a Zoom link from. Zoom doesn't offer quite such a frictionless experience on Windows, but there's a box you can check to permanently dismiss the prompts and start video automatically, which would put you in a similar situation.
“The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user-experience problem,” Zoom said in a statement late Monday night. “We are not alone among video conferencing providers in implementing this solution.”
The Safari feature does add an extra step for users. But by circumventing that step, Zoom potentially exposes its users to strangers ogling them online—which demonstrates the need for that extra layer of permission in the first place. Additionally, Leitschuh points out that Zoom’s local web server persists on your Mac even if you uninstall the Zoom desktop app. If you ever click a Zoom call link again, the program can quickly download and reinstall itself automatically through the web server.
“Having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me,” Leitschuh wrote in his report, noting that he combed the web for details about Zoom’s application programming interface for this feature and couldn’t find anything. “The fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me.”
Zoom has added a cryptographic signing mechanism for requests made to the local web servers, which is an authentication improvement, but Leitschuh has already proposed a way that an attacker could bypass the protection.
"This is a very disturbing set of bugs, but unsurprising given other Zoom issues I’ve observed and reported in the past. The local web server is honestly the most concerning part, and it's not fixed," says Thomas Reed, a Mac research specialist at the security firm Malwarebytes. "The web server is concerning because of the possibility that someone could find a way to use it remotely to trigger remote code execution."