Zoom App Flaw Allows Mac Camera To Be Turned On Remotely

A zero-day vulnerability has been discovered in the Zoom video conferencing app that can have serious consequences for Apple Mac computers.

The flaw, discovered by security researcher Jonathan Leitschuh, revealed that any website can “forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”

The idea that anyone can remotely activate your laptop’s webcam will alarm many, and Zoom has responded and rushed out a patch for the app on Macs.

Camera issue

Webcams have for a while now been a potential privacy vulnerability if hacked by outside actors.

So much so that in 2016, a photo of Facebook CEO Mark Zuckerberg in his open plan office revealed that his laptop camera was covered with tape to prevent people from spying on him.

That doesn’t seem such a far-fetched idea after the researcher Leitschuh revealed that, besides the ability to remotely activate the Mac webcam, the vulnerability in the Zoom app could also “have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.”

In summary, it seems that the flaw exploits a feature that allows users to send a meeting link for a conference call.

Essentially, this link allows the website to initiate a video call through the Zoom app – even if the person on the other end hasn’t accepted.

And to make matters worse, if the user has uninstalled Zoom, it can still be reinstalled without the user’s permission.

“Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,” the researcher warned. “This re-install ‘feature’ continues to work to this day.”

The good news is that Zoom has published a blog post detailing its response to this vulnerability, including a patch for its software.

“We appreciate the hard work of the security researcher in identifying security concerns on our platform,” wrote the company. “Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”

Tardy response

But questions have been raised about the tardy response of Zoom to the flaw, as the researcher had originally responsibly disclosed it on 26 March 2019.

“It took Zoom 10 days to confirm the vulnerability,” wrote Leitschuh. “The first actual meeting about how the vulnerability would be patched occurred on 11 June 2019, only 18 days before the end of the 90-day public disclosure deadline.”

This slow response has been noticed by security experts, who also slammed the firm for its decision about the uninstall option.

“A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner,” said Eoin Keary, CEO and co-founder of edgescan.

“This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline,” said Keary.

“What’s unfortunate, invasive and a violation of trust is when the software seems ‘uninstalled’ but really isn’t,” he added. “This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks. Persisting a webserver on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor. It’s underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom.”

Another expert said this example is a prime reason why people should tape over, or use camera covers, on their laptop webcams.

“This is a good example of why you should never overlook physical security,” explained Lamar Bailey, senior director of security at Tripwire.

“The little adhesive camera covers available by the dozens at every computer conference or for a couple dollars on Amazon are a much better solution than relying on software to do the right thing,” said Bailey. “We install so many apps these days it is hard to keep up with the permissions they require and what they turn on by default on upgrades and reinstalls. A physical barrier is far superior.”

“The same holds true for all assets: everything should have the least common privilege,” said Bailey. “If a system does not need access to the internet then it should be blocked and any unrequired services should be disabled. If you can airgap parts of the network then do so. IoT devices should be segregated on different segments or VLANs whenever possible. The more access a system or network has the more susceptible it is to breach.”

Tom Jowitt
