Serious Zoom security flaw could let websites hijack Mac cameras


Today, security researcher Jonathan Leitschuh publicly disclosed a serious vulnerability in the Zoom video conferencing app for Macs, still unpatched at the time of disclosure. He has demonstrated that any website can open a video-enabled call on a Mac that has the Zoom app installed. That is possible in part because the Zoom app installs a local web server on the Mac, and that server accepts requests from any web page the user visits, sidestepping the confirmation prompt a browser would normally show before handing a link off to a desktop app. Worse, if you uninstall Zoom, the web server persists and can reinstall Zoom without your intervention.

Update, 5:15PM ET July 9th: Zoom has published a blog post detailing its response to this vulnerability, including how it will patch its software and uninstall the webserver it has installed on Macs. More details here, and original story follows.

Using Leitschuh’s demo, we have confirmed that the vulnerability works: if you have previously installed the Zoom app (and haven’t changed the video-on-join setting described below), clicking a link auto-joins you to a conference call with your camera on. Others on Twitter reported the same.

Leitschuh details how he responsibly disclosed the vulnerability to Zoom in late March, giving the company 90 days to solve the problem before publication. By Leitschuh’s account, Zoom did not do enough to resolve the issue in that window. The vulnerability was also disclosed to the Chromium and Mozilla teams, but since the flaw lies in Zoom’s local server rather than in the browsers, there is little those developers can do about it.

Turning on your camera is bad enough, but the mere presence of the web server on users’ computers could open the door to more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to mount a denial-of-service attack on a Mac by hammering the web server with requests: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.

You can “patch” the camera issue yourself by ensuring the Mac app is up to date and by enabling the “Turn off my video when joining a meeting” option in Zoom’s video settings. Note that this only keeps the camera off; a malicious page can still pull you into a call. Again, simply uninstalling Zoom won’t fix the problem, because the web server persists on your Mac. Shutting the web server down requires running some terminal commands, which Leitschuh lists at the bottom of his Medium post.

In a statement to The Verge and other publications (here’s ZDNet), Zoom says it developed the local web server to save users a click after Apple changed Safari so that it asks Zoom users to confirm that they want to launch Zoom each time. Zoom defends the “workaround” as a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”

The company says it will tweak the app in one small way: starting in July, Zoom will save users’ and administrators’ preference for whether video is on or off when they first join a call. Overall, Zoom does not appear to plan any fundamental change to how its Mac app behaves to keep users from being pulled into unwanted calls; instead it will rely on users to turn their cameras off by default.

Update, 12:24 AM ET: Added statement and info from Zoom.

Comments

Ooohhh. Zoom is a great service but whatever their rationale for this webserver they’re installing it’s plainly unacceptable.

They are trying to spin it as ‘a positive user experience’ to save one click.

When people said Macs were secure, I thought that meant macOS wouldn’t allow this kind of stuff. Don’t really know how macOS works but I suppose that isn’t the case?

macOS can only do so much by way of protecting users from the apps that are out there. Technically, this is working as Zoom intended. It’s a legitimate way of the app operating that has terrible consequences when abused.

Yeah, but I was under the impression that macOS was somehow more idiotproof.

Nothing stops the user from clicking "yes" on an admin credentials pop up.

It’s legitimate software with a serious flaw, nothing to do with any inherent weakness in MacOS. The damage is already done by installing Zoom.

The old argument was: MacOS has a smaller install base and therefore hackers rarely target them as targeting Windows is more profitable due to its vastly superior install base. But there’s nothing that physically stops people from creating exploits for MacOS, so it’s not more secure due to the way it’s coded.

No, that’s not the reason. OS X / MacOS (and the Unix version it is based on) are fundamentally more secure, especially compared to the older versions of Windows that were out when viruses were a thing. The entire "user base is smaller so not worth it" baloney has been debunked multiple times.

This one isn’t on Apple. I’m assuming Zoom needed admin access to install this, and once the user unknowingly agreed to this vulnerability with root powers, it was all over.

An app in the Mac App Store would not be able to have these sort of permissions. Zoom is not in the Mac App Store. You have to browse the web and find it yourself and install it the old fashioned way.

In this case, it’s like installing a buggy Windows app that deletes all your data. It’s not Microsoft’s fault. Unless it’s in the Windows Store, in which case there’s a responsibility argument.

I’ve had a Mac since 1984 (the original, still have it in working order) and my current is 2017 15" MBP. I always look to the App Store first for any need and the only times I go outside it is for something I need (like Cisco Jabber or Palo Alto Global Connect VPN, both used for connecting to corporate purposes). So I’ve never heard of Zoom.

I use Little Snitch as well, so even if I had installed this pathetic program, I would’ve discovered its nefarious connections eventually.

Me too, the first time I got my Mac in 1984 I installed Little Snitch from the App Store. Never had a problem since.

When people said Macs were secure, I thought that meant macOS wouldn’t allow this kind of stuff.

People have been misled by historically false Apple advertising, spreading the dangerous misapprehension that using Macs somehow conferred some kind of immunity to malware.

Linux fans suffer the same problem. It’s called security in obscurity – but that’s not security at all.

Not true. But I don’t think anyone’s going to convince you.


Mac Malware is real and growing. Being aware of the reality is the first step in being able to keep yourself and your data secure.

https://www.scmagazineuk.com/mac-malware-rockets-270-percent-users-warned-safe-perception-wrong/article/1473073

The default settings for MacOS wouldn’t allow a user to install Zoom. As shipped, a Mac can only download from the Mac App Store.

In order to download and run Zoom, the user has to override the default settings twice. First to allow the Mac to download apps from the internet at all. And then, when launching the downloaded app, by confirming that the user wants to launch an application downloaded from the Net, not the App Store.

There’s only so much any OS can do, unless, like iOS, you refuse to allow anything outside of the App Store to be loaded.

This is true, but it sucks when people like my siblings (and myself) have to do things for education or work that make us download apps outside of the app store, and those same apps we trust exploit the trust we gave them.

Fundamentally, Apple needs to change the App Store on the mac to make it more appealing to developers so this sort of stuff doesn’t happen.

If an app installs a web server is it really just an app?

…and then doesn’t remove the new web server during uninstall

I appreciate Apple’s stance on and commitment to privacy.

That being said, I find it odd that they consistently have the biggest privacy gaffes in the tech world. The FaceTime bug, the iCloud hack, this issue in this article.

How can the one company that takes privacy seriously have the most privacy gaffes? Definitely strange.

Could you please provide your address so I can send you the bill for the surgery I now need due to detached retinas from extreme eye-rolling?

What you suggest is that bugs are equal to policy. Their privacy policy is head and shoulders above everyone else in the industry, and it’s not even close. And of the issues you mentioned, only the FaceTime bug is on Apple, but a privacy policy issue it is not; it was simply a bug that was patched within a week of discovery, and there were VERY specific steps that had to be taken in order to even activate the bug. On top of that, Apple immediately disabled the offending feature until the bug fix was released, rendering the actual effect of this bug near meaningless outside of tech nerd sites like this one. The iCloud "hack" was not a hack at all, but a social engineering scheme of celebrities’ compromised Gmail and iCloud accounts that were then used to reset iCloud passwords using very primitive methods (phishing, brute force, etc.), granting access. Since then, Apple has made two-factor auth basically mandatory for any new useful features (Unlock Mac w/ Apple Watch, using Apple Pay Cash, etc.), effectively forcing almost all users to adopt it, which is a huge win. And the issue in this article is not on Apple, but on Zoom and how they make the app operate. It is operating exactly as they intended it to, but that has the potential to get abused, and how Zoom decided to ship it anyway is beyond me.

I agree with everything you said. My point is, these unfortunate circumstances and serious bugs don’t seem to happen with Windows or Android, both platforms which have around 5 to 10 times the userbase of their Apple counterparts.

Just saying that it appears we have seen this enough times that it can’t be chalked up to coincidence. Call it bad software or whatever. There’s certainly a reason that it’s happening.

ha HA "these unfortunate circumstances and serious bugs don’t seem to happen with Windows or Android"

You’re telling me Android isn’t plagued by counterfeit apps in the Play Store and that Windows isn’t laden with viruses, even in 2019? (1194 current active threats according to Symantec)
