Macs vulnerable to 'bananas' Zoom video flaw

This setting which defaults to ON controls whether a Zoom meeting has video automatically enabled

Zoom, a company that sells video conferencing software for the business market, is tweaking the app to fix a vulnerability in its software that allows malicious websites to force users into a Zoom call with the webcam turned on.

The same feature can be exploited to spy on Zoom users, according to security researcher Jonathan Leitschuh, who started investigating the app earlier this year. Obviously, this vulnerability is something malicious snoopers and cyber pranksters could exploit.

Leitschuh first contacted Zoom in March regarding the vulnerability. The local web server that Zoom installs also allows the Zoom app to be reinstalled without requiring any user interaction. And having a web server on a local machine is pretty dodgy in itself, as it opens up that computer to all manner of cyber nasties, notably denial of service attacks if a hacker were to spam the local web server with repeated GET requests.

Even worse, you can't close this vulnerability by just deleting the Zoom app, because Zoom installs a hidden Web server on your Mac that will reinstall the Zoom client for you if you click a Zoom link.

However, Leitschuh said that Zoom still has not fixed the flaw that lets web pages forcibly join users to calls, nor the one that lets the web server reinstall an uninstalled client when a web page asks it to. In a blog post, Richard Farley, Zoom's chief information security officer, said that Zoom users can set a preference for video on or off when joining a meeting. In your Zoom app's Settings page, check the box "Turn off my video when joining a meeting", which will disable automatic webcam activation.

Zoom said that in its July release it would save whether the user turns off video in their first call and apply that choice to future meetings, and that these changes would apply on all its platforms.

Thanks to the report, Leitschuh said Zoom also removed the ability for a call host to automatically have participants join with video enabled. See below for how to prevent Zoom from turning on your camera by default when you join a meeting.

TidBITS Security Editor Rich Mogull had this to say: "Zoom's efforts to circumvent Safari's native security are completely irresponsible".

To demonstrate the threat, Leitschuh created proof-of-concepts showing how the attack can work.

Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. "Then you can delete the ~/.zoomus directory to remove the web server application files", Leitschuh explained. "The host or any other participant cannot override a user's video and audio settings to, for example, turn their camera on".
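For readers who want to verify that the hidden local web server described above is really gone after uninstalling, here is a small macOS check. It is an added example, not code from the article, from Leitschuh or from Zoom: it reports whether the ~/.zoomus directory Leitschuh names still exists and lists TCP listeners bound to the loopback interface, which is where a leftover local server would show up. It assumes `lsof` is available; the process names and port in the comments are constructed placeholders, not Zoom's real values.

```shell
#!/bin/sh
# Added example (not from the article or from Zoom): check a Mac for the
# leftover local web server the article describes.
# Assumptions: macOS with lsof installed; ~/.zoomus is the directory the
# article says to delete; everything else here is a constructed check.

ZOOMUS_DIR="${HOME}/.zoomus"

# zoomus_present DIR -> exit status 0 if the web server files are still on disk
zoomus_present() {
    [ -d "$1" ]
}

# loopback_listeners < lsof-output -> prints "COMMAND PID ADDRESS" for every
# TCP listener bound to 127.0.0.1 only. Expects the output of:
#   lsof -nP -iTCP -sTCP:LISTEN
# whose last two columns look like "127.0.0.1:12345 (LISTEN)" (constructed port).
loopback_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" && $(NF-1) ~ /^127\.0\.0\.1:/ {
             print $1, $2, $(NF-1)
         }'
}

# report -> human-readable summary of both checks on the live system
report() {
    if zoomus_present "$ZOOMUS_DIR"; then
        echo "found $ZOOMUS_DIR: web server application files are still on disk"
    else
        echo "no $ZOOMUS_DIR directory found"
    fi
    echo "TCP listeners bound to loopback (COMMAND PID ADDRESS):"
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | loopback_listeners
}

# Run the live check only when invoked as:  sh zoom_check.sh --check
case "${1:-}" in
    --check) report ;;
esac
```

Any listener that remains after the app and ~/.zoomus are removed deserves a second look with `lsof -p PID` to see which binary owns it.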

Amid a surge of online outcry today, Zoom's blog post about the webcam vulnerability has been updated repeatedly to eventually confirm that a security patch is being pushed out now to Mac users.

"Even for those who did not upgrade, Zoom will not use the local web server to join meetings automatically anymore as we have disabled it on our backend". "A very poor decision by the folks at Zoom".

The flaw is said to be partly due to a web server the Zoom app installs on Macs that 'accepts requests regular browsers wouldn't'. In addition, Zoom has a planned release this weekend (July 12) that will address another security concern: video on by default.
