iTnews

Zoom.us flaw forces users onto video and audio calls

By Juha Saarinen on Jul 9, 2019 11:29PM

Uninstalled Zoom clients can be re-installed by webpages.

The macOS client application for the popular audio and video conferencing service Zoom can be made to forcibly join users to calls, activating Mac microphones and video cameras without users being asked for permission, a researcher has found.

Security researcher Jonathan Leitschuh from software development automation company Gradle was curious how simply clicking on a meeting link, so that the web browser opened it, could start up a user's Zoom client.

Leitschuh thought it was an "amazing bit of functionality" and wondered how it had been implemented securely by Zoom.

His curiosity led to the discovery of two serious vulnerabilities that are very simple to exploit, and which Leitschuh said expose up to 750,000 companies around the world, with over four million webcams that could be activated by malicious websites.

On top of being able to activate Mac webcams, for which Leitschuh wrote a proof of concept [Caution: link will join those who click on it to a call with the video camera activated], he said it's possible to launch denial of service attacks if a webpage repeatedly joins users to invalid calls.

Anyone who has installed the Zoom client and then uninstalled it will still have a web server running on their machine, listening on a localhost port.

This server will "happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage."

Leitschuh said it appears that Zoom is abusing a hack to bypass cross-origin resource sharing (CORS) protections.

How to avoid being Zoomed

Although Leitschuh noted that Zoom did not fully fix the vulnerabilities within the 90-day industry standard disclosure period, users can stop the client from turning on the webcam automatically when they are joined to calls.

Open the Settings dialog in the Zoom client, pick Video | Meetings, and tick "Turn off my video when joining a meeting".

Running the UNIX list-open-files command lsof -i :19421 will reveal whether the web server bound to localhost is running, and provide its process identifier (PID).

With the process number in hand, issue kill -9 [PID] and delete the ~/.zoomus directory to remove the web server's application files, Leitschuh advised.
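The checks above, gathered into a small audit script for a Mac, as an added example that is not from the article, from Leitschuh's write-up or from Zoom. It parses lsof output for processes listening on port 19421 and checks for the ~/.zoomus directory, but only reports what it finds so the operator decides whether to kill or delete anything. The port number and the directory come from the article; the function names, the status labels and the constructed sample lsof output are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a Mac for the leftover Zoom local web server.
# Port 19421 and ~/.zoomus are taken from the article; everything else
# (function names, status labels, sample output) is assumed here.

ZOOM_PORT=19421

# Constructed sample of what `lsof -nP -i :19421` might print, used only
# to demonstrate the parser; it is not real captured output.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 1234 alice  3u  IPv4 0xabc      0t0  TCP 127.0.0.1:19421 (LISTEN)
ZoomOpene 1234 alice  5u  IPv4 0xdef      0t0  TCP 127.0.0.1:19421->127.0.0.1:51234 (ESTABLISHED)'

# Read lsof output on stdin and print the PIDs of LISTENing sockets,
# space-separated. Skips the header row, ignores established
# connections, and de-duplicates (a server listening on both IPv4 and
# IPv6 shows up twice with the same PID).
zoom_listener_pids() {
    awk 'NR > 1 && /\(LISTEN\)/ { print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Parser applied to the constructed sample above.
sample_listener_pids() {
    printf '%s\n' "$SAMPLE_LSOF" | zoom_listener_pids
}

# Parser applied to the live system; prints nothing when lsof is not
# installed or nothing is listening on the port.
live_zoom_listener_pids() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i ":$ZOOM_PORT" 2>/dev/null | zoom_listener_pids
    fi
}

# True when the server's application files are still on disk under the
# given home directory (parameterised so it can be pointed at any path).
zoomus_dir_present() {
    [ -d "$1/.zoomus" ]
}

# Summarise the findings for a home directory and a (possibly empty)
# space-separated list of listening PIDs. Prints exactly one of:
# clean, files-only, listening, listening+files.
zoom_leftover_status() {
    home="$1"
    pids="$2"
    if [ -n "$pids" ] && zoomus_dir_present "$home"; then
        echo "listening+files"
    elif [ -n "$pids" ]; then
        echo "listening"
    elif zoomus_dir_present "$home"; then
        echo "files-only"
    else
        echo "clean"
    fi
}

# Run the audit against the current user's machine and report.
audit_zoom_leftovers() {
    pids=$(live_zoom_listener_pids)
    status=$(zoom_leftover_status "$HOME" "$pids")
    echo "Zoom local web server status: $status"
    [ -n "$pids" ] && echo "PIDs listening on port $ZOOM_PORT: $pids (the article advises kill -9 on these)"
    zoomus_dir_present "$HOME" && echo "Found $HOME/.zoomus (the article advises deleting it)"
    return 0
}

audit_zoom_leftovers
```

The report-only design is deliberate: a status of "files-only" after a reboot means the server process is gone but the files that would let it come back are not, which is exactly the case the article describes, and the operator can then follow the kill and delete steps above.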

However, Leitschuh said that Zoom still has not fixed the feature that forcibly joins users to calls, nor the flaw that lets the web server re-install uninstalled clients when a webpage asks it to.

The security researcher first contacted Zoom via email on March 26, and the company provided a quick-fix solution.

Leitschuh was offered a bug bounty for his report the next day, which he declined, as Zoom's policy requires that the vulnerability not be reported publicly even after it has been patched.

[UPDATE]
Zoom will issue a patch for its macOS client that the company says will completely remove the local web server from users’ computers.
 
A manual removal option for the local web server is also being introduced. From now on, Zoom will no longer use a local web server on Macs, the company said.
 
Zoom said that at first it did not see the local web server, or the video being turned on by default, as a significant risk to customers. After user outcry and protests from the security community to the contrary, however, Zoom changed its mind and decided to patch the client accordingly.
Copyright © iTnews.com.au. All rights reserved.