A zero-day vulnerability in the Zoom client for Mac allows a malicious website to hijack a user’s web camera without their permission.
Up to 4 million workers who use the Zoom for Mac web- and videoconferencing service are at risk from a flaw in the collaboration client (CVE-2019-13450), according to researcher Jonathan Leitschuh (he noted that Mac users make up about 10 percent of Zoom’s customer base of 40+ million). An outside adversary would need only to convince a user to visit a malicious website with a specially crafted iFrame embedded, which would automatically launch a Mac user into a Zoom web conference while turning on their camera.
Leitschuh said that web conferencing services that use Zoom as their core platform, like RingCentral, are also likely impacted.
The issue stems from the fact that the default setting for creating a new meeting is the “Participants: On” option. This automatically joins an invited person to the meeting, with webcam enabled, without the person having to give permission beyond clicking the meeting link itself.
Leitschuh was able to take this functionality a step further to create a proof-of-concept exploit for drive-by information disclosure. By embedding a meeting link into the iFrame of a webpage, anyone visiting that webpage would be automatically joined to that meeting, from which an adversary could view their camera feed.
“This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757), and when they open that link in their browser their Zoom client is magically opened on their local machine,” Leitschuh said in a Monday posting.
He added, “All a website would need to do is embed [a meeting link] in their website and any Zoom user will be instantly connected with their video running. This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.”
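The drive-by join described above depends on a meeting link being loaded by an iframe rather than clicked by the visitor. A web gateway, mail scanner or browser extension can flag that pattern before a page reaches a client. The following Python scanner is an added example and is not code from the article or from Leitschuh's write-up; it recognises only the zoom.us/j/<meeting id> link shape quoted above (other vendors' join-link formats, such as RingCentral's, are not given on the page and are left out), treats zero-size or display:none frames as the more suspicious case, and the HTML it scans is a constructed sample that reuses the meeting link quoted in the article.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Join-link shape quoted in the article: https://zoom.us/j/<meeting id>
JOIN_HOSTS = {"zoom.us", "www.zoom.us"}
JOIN_PATH_RE = re.compile(r"^/j/\d+/?$")


def is_join_link(url: str) -> bool:
    """True if url is an absolute http(s) Zoom meeting join link."""
    try:
        parts = urlparse(url.strip())
    except ValueError:
        return False
    return (
        parts.scheme in ("http", "https")
        and parts.netloc.lower() in JOIN_HOSTS
        and JOIN_PATH_RE.match(parts.path) is not None
    )


def looks_hidden(attrs: Dict[str, str]) -> bool:
    """Heuristic for a frame the visitor was never meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = re.sub(r"(px|%)$", "", attrs.get(dim, "").strip())
        if value.isdigit() and int(value) == 0:
            return True
    return False


class JoinLinkFrameScanner(HTMLParser):
    """Collects <iframe>/<frame> elements whose src is a Zoom join link."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag not in ("iframe", "frame"):
            return
        # Attributes without a value arrive as None; normalise to "".
        attr_map = {name: (value or "") for name, value in attrs}
        src = attr_map.get("src", "")
        if is_join_link(src):
            self.findings.append({
                "tag": tag,
                "src": src,
                "hidden": looks_hidden(attr_map),
                "line": self.getpos()[0],
            })


def scan_html(html: str) -> List[Dict]:
    """Return every framed join link in the page, hidden frames first."""
    scanner = JoinLinkFrameScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings, key=lambda f: not f["hidden"])


# Constructed sample page: an ordinary widget frame, a hidden frame that loads the
# meeting link quoted in the article, and a plain anchor that still needs a click
# (the anchor is deliberately not flagged; only framed links auto-launch the client).
SAMPLE_PAGE = """<html><body>
<h1>Quarterly report</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="https://zoom.us/j/492468757" width="0" height="0" style="display: none"></iframe>
<p><a href="https://zoom.us/j/492468757">Join our call</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Running the block on the sample reports the one hidden iframe and nothing else. The same `scan_html` call can be applied to fetched page bodies in a proxy or to HTML e-mail parts in a mail filter; the host set and path pattern are the only vendor-specific pieces.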
In terms of who’s impacted, any Mac user who has ever used Zoom is at risk – thanks to a persistence feature in the service.
“If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,” explained Leitschuh. “This re-install ‘feature’ continues to work to this day.”
He added, “The local client Zoom web server is running as a background process, so to exploit this, a user doesn’t even need to be ‘running’ (in the traditional sense) the Zoom app to be vulnerable.”
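A defender checking a Mac for the leftover local web server that Leitschuh describes would list loopback TCP listeners and look for a Zoom-named process, whether or not the Zoom app is still installed. The following Python helper is an added example, not part of the article or of Zoom's software; it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (a standard lsof invocation), and the sample output embedded in it is constructed: the Zoom-looking process name, PID and port are made up for the demonstration, since the article names neither the real helper process nor the port it listens on.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `lsof -nP -iTCP -sTCP:LISTEN` output on macOS.
# The Zoom-looking process name, PID and port below are invented for this example.
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd      512 alice    4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
ZoomLocalSvc  734 alice    7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:14321 (LISTEN)
python3       901 alice    3u  IPv4 0x5e6f      0t0  TCP 127.0.0.1:8000 (LISTEN)
"""

# One listening socket per line: command, pid, user, then "TCP <addr>:<port> (LISTEN)".
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\bTCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)

# lsof prints IPv4 loopback as 127.0.0.1 and IPv6 loopback as [::1].
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_listeners(lsof_output: str) -> List[Dict]:
    """Turn lsof's LISTEN lines into records; the header and odd lines are skipped."""
    listeners = []
    for line in lsof_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.append({
                "cmd": match["cmd"],
                "pid": int(match["pid"]),
                "user": match["user"],
                "addr": match["addr"],
                "port": int(match["port"]),
            })
    return listeners


def find_zoom_loopback_listeners(listeners: List[Dict]) -> List[Dict]:
    """Return loopback-bound listeners whose command name mentions Zoom.

    On a machine where the Zoom app has been uninstalled, a hit is the leftover
    local web server the article describes and should be removed; on a machine
    with Zoom installed it is the background helper and still merits review.
    """
    return [
        entry for entry in listeners
        if "zoom" in entry["cmd"].lower() and entry["addr"] in LOOPBACK
    ]


def live_listeners() -> List[Dict]:
    """Run lsof on this host (macOS or Linux) and parse the result; [] if lsof is absent."""
    try:
        result = subprocess.run(
            ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return []
    return parse_listeners(result.stdout)


if __name__ == "__main__":
    hits = find_zoom_loopback_listeners(live_listeners())
    if not hits:
        print("No Zoom-named loopback listener found.")
    for hit in hits:
        print(f"Zoom-named loopback listener: {hit['cmd']} (pid {hit['pid']}, "
              f"user {hit['user']}) on {hit['addr']}:{hit['port']}")
```

The match is on the process name rather than a fixed port so that the check does not depend on a value the article does not give; a fleet-wide version would run the same parser over `lsof` output collected by an endpoint agent and alert on hosts where the Zoom application is absent but a Zoom-named listener is present.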
For users who haven’t updated recently, the situation could get worse, too. If combined with a remote-code execution flaw recently found by Tenable (since patched), CVE-2019-13450 would allow any website on the internet to launch code on a user’s machine.
“I advised Zoom that if they have any users that are still using Zoom 4.1.33259.0925 versions or lower, this would be a very potent attack,” the researcher said.
And there’s also a second flaw (CVE-2019-13449), fixed in client version 4.4.2, that would allow an attacker to cause a denial of service on a Mac by repeatedly joining a user to an invalid call.
Leitschuh disclosed the camera issue, which has a CVSSv3 severity score of 5.2 out of 10, to Zoom on March 26. While Zoom confirmed the vulnerability a couple of weeks later, the security team didn’t have a meeting with him on the bug until June 11. Zoom then implemented a quick fix that Leitschuh had suggested, but this only partially addresses the problem, he said.
“I was very easily able to spot and describe bypasses in their planned fix,” he said. “Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.”
Zoom didn’t immediately respond to Threatpost when asked for comment, but in a statement on its website, it downplayed the severity of the problem:
“Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened.”
It also said that as part of its upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings.
“Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting,” it said. “This change will apply to all client platforms.”
Bugs in conferencing platforms are not uncommon. In addition to Zoom’s issues, Cisco patched a critical vulnerability in the recording function of its WebEx conferencing platform late last year that could allow remote code execution. And Adobe last year worked to patch flaws in its conferencing software tool Adobe Connect.
In this case, Zoom users on Mac can protect themselves by manually disabling the ability for Zoom to turn on the webcam when joining a meeting.