Today, security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability for the Zoom video conferencing app on Macs. He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That’s possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention.
Using Leitschuh’s demo, we have confirmed that the vulnerability works — clicking a link if you have previously installed the Zoom app (and haven’t checked a certain checkbox in settings) will auto-join you to a conference call with your camera on. Others on Twitter are reporting the same:
Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh’s account, Zoom doesn’t appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it’s not an issue with their browsers, there’s not much those developers can do.
Turning on your camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to enact a denial of service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.
You can “patch” the camera issue yourself by ensuring the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting, illustrated below. Again, simply uninstalling Zoom won’t fix this problem, as that web server persists on your Mac. Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post.
In a statement to The Verge and other publications (here’s ZDNet), Zoom says it developed the local web server in order to save the user some clicks, after Apple changed its Safari web browser in a way that requires Zoom users to confirm that they want to launch Zoom each time. Zoom defends the “workaround” as a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
The company says it will tweak the app in one small way: starting in July, Zoom will save users’ and administrators’ preferences for whether video will be turned on, or not, when they first join a call. Overall, it sounds like Zoom doesn’t plan to drastically change how its app behaves on Macs to avoid getting sucked into an unwanted call, but will instead rely on users to turn their cameras off by default.