A serious zero-day vulnerability has been disclosed in Zoom video conferencing app on the Mac. Disclosed by security researcher Jonathan Leitschuh in a Medium post earlier today, the vulnerability allows any malicious website to forcibly join a Mac user to a Zoom call with a video camera activated. Even after you have uninstalled the application, the Web server remains functional and “can reinstall the Zoom client without requiring any user interaction.”
- Zoom installs a local Web server on Mac
- Even after deleting the Zoom app, the Web server remains functional
- Web server can even re-install Zoom client without user interaction
Leitschuh writes in a post that the security vulnerability potentially exposes hundreds of thousands of businesses that use Zoom for Mac on a daily basis to exploitation. The flaw is a result of a Zoom feature that triggers the Zoom client when a Zoom meeting link is clicked. Unless the user has explicitly configured their Zoom client to disable video upon joining meetings, their video is immediately shared with anyone they are in a Zoom call with, including an attacker who has exploited the vulnerability to trigger a video call.
According to Leitschuh, the vulnerability could also allow any webpage to DoS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. This is, however, only possible if a person is running an older unpatched version of Zoom, which included another vulnerability.
Leitschuh originally disclosed the flaw on March 26, 2019, but he mentioned the first actual meeting about how the vulnerability would be patched occurred on June 11, 2019, only 18 days before the end of the 90-day public disclosure deadline.
The timeline in the Medium post shows that Zoom fixed the vulnerability on June 21. But a regression earlier this month caused the bug to resurface again, prompting Zoom to fix the issue yesterday.
Leitschuh wrote, “Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user’s video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site.”
Zoom has responded that it doesn’t see “video on by default as a security vulnerability,” and that it allows users to set their own video preferences.
Zoom also said it developed the local web server as a workaround to changes that were added in Apple’s Safari browser that prompted Zoom users to confirm if they want to launch the app each time they clicked on a meeting link.
“The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting,” the company said.
