A zero-day vulnerability allows any website to open a video-enabled call on a Mac with the Zoom app installed. Here's how to patch it.
A zero-day vulnerability in the Mac Zoom client allows any malicious website to enable the machine's camera without the user's permission, potentially impacting the 700,000+ companies worldwide using Zoom for video conferencing each day, security researcher Jonathan Leitschuh disclosed in a post on Medium this week.
The vulnerability leverages Zoom's feature that lets users share a link anyone can click to join a meeting. If you have ever installed Zoom on a Mac, the app installs a local web server to get around changes introduced in Safari 12. You can check whether it is present on your Mac by running lsof -i :19421 in your terminal, Leitschuh found.
Leitschuh said he was able to exploit the vulnerability to create a URL that could drop users into a call and force video and audio on without their permission.
In a statement to our sister site ZDNet, Zoom said it believed that running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
Meanwhile, Leitschuh wrote in his post that he doesn't feel Zoom has done enough to mitigate the vulnerability after it was disclosed to them. "Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner," he wrote. "An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack."
According to Richard Farley, CISO at Zoom, "once the issue was brought to Zoom's support team's attention via a support ticket, we responded within ten minutes, gathering additional details, and proceeded to perform a risk assessment. A few days' delay in the initial risk assessment was the process of getting details from the researcher and getting him into our bounty program. Our determination was that both the DOS issue and meeting join with camera on concern were both low risk because, in the case of DOS, no user information was at risk, and in the case of meeting join, users have the ability to choose their camera settings. Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period."
Malicious actors can still use the exploit to launch someone into a call without their permission today, Leitschuh wrote.
How to patch the Zoom vulnerability
To patch the Zoom vulnerability, users can do the following, according to Leitschuh:
Disable the ability for Zoom to turn on your webcam when joining a meeting (under Settings > Video > Meetings, check "Turn off my video when joining a meeting").
To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files.
To prevent the local server from being restored after updates, execute the following in your terminal (you can copy and paste the terminal commands here):
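As an added example (this is not the set of commands linked from the article, nor Zoom's or Leitschuh's own code), the following POSIX shell script carries out the second and third steps above in a checkable way: it parses the output of lsof -i :19421 to find the PID bound to the port, kills only that process, and then removes ~/.zoomus. The port number and directory are the ones named in the article; the lsof output used in testing is constructed, and the helper process name in it is a placeholder. Nothing runs unless the script is invoked with --apply, so it can be sourced safely to reuse the functions.

```shell
#!/bin/sh
# Added example: detect and remove the local web server Zoom installs on macOS,
# following the article's steps (find the listener on port 19421, kill it,
# delete ~/.zoomus). Port and directory are taken from the article.

ZOOM_PORT=19421

# Extract the PID column from `lsof -i :PORT` output.
# lsof prints a header line (COMMAND PID USER ...) followed by one line per
# open descriptor; the PID sits in column 2. One process usually holds several
# descriptors, so duplicates are collapsed with sort -u.
pids_from_lsof() {
    # $1: the raw lsof output text
    printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Print the PID(s) listening on the Zoom port; return 1 if nothing is bound.
find_zoom_listener() {
    out="$(lsof -i :"$ZOOM_PORT" 2>/dev/null)" || true
    pids="$(pids_from_lsof "$out")"
    [ -n "$pids" ] || return 1
    printf '%s\n' "$pids"
}

# Remove the web server's files under the given home directory (defaults
# to $HOME). Prints "removed" or "absent" so callers can confirm the result.
remove_zoomus_dir() {
    home="${1:-$HOME}"
    dir="$home/.zoomus"
    if [ -d "$dir" ]; then
        rm -rf "$dir"
        echo removed
    else
        echo absent
    fi
}

# Full mitigation: stop whatever is bound to the port, then delete its files.
shutdown_zoom_server() {
    if pids="$(find_zoom_listener)"; then
        for pid in $pids; do
            echo "killing PID $pid listening on port $ZOOM_PORT"
            kill -9 "$pid"   # kill -9, as the article recommends
        done
    else
        echo "no process listening on port $ZOOM_PORT"
    fi
    remove_zoomus_dir
}

# Only act when asked explicitly, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    shutdown_zoom_server
fi
```

Run it as sh zoom_cleanup.sh --apply (file name assumed) after disabling video-on-join in the Zoom settings. Re-running lsof -i :19421 afterwards should return nothing; if a listener reappears after a Zoom update, the server has been restored and the steps need repeating.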
Zoom also has more information about upcoming patches in a blog post at https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/. For more, check out Online security 101: Tips for protecting your privacy from hackers and spies from ZDNet.
Editors' note: This story has been updated with a statement from Zoom and a link to the terminal commands.