A vulnerability in the Mac client for the popular web conferencing app Zoom may allow any website a user visits to force that Mac into a Zoom video call, camera on, without the user's permission, writes software engineer and security researcher Jonathan Leitschuh. The root of the problem is a web server the Zoom client installs on localhost, which any page loaded in the browser can reach and which survives uninstalling the app. In a Medium post published today, Leitschuh detailed the vulnerability, writing that it may remain an issue even if users have uninstalled the Mac client: “If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost webserver on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”
Leitschuh also published workarounds (user-side mitigations, not a patch from Zoom): a client setting that stops Zoom from turning on the webcam when joining a meeting, a terminal command that disables video by default, and instructions for shutting down the local web server and removing its files so that a web page can no longer trigger a reinstall.
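The check and clean-up a Mac user would want after reading the above, as an added example that is not from the article, from Zoom, or from Leitschuh's post: a POSIX shell script that filters `lsof` output for a listener on the helper's port, checks whether the video-off preference is set, and removes the helper. The port number, the `~/.zoomus` directory, the `ZoomOpener` process name and the `ZDisableVideo` preference key are assumptions of this example, not values given in this article; override them if your installation differs.

```shell
#!/bin/sh
# Added example (not code from the article, Zoom, or Leitschuh's post):
# check a Mac for a leftover localhost listener and remove it.
# ASSUMED values, not stated in the article: the helper's port, its
# directory, its process name and the preference key. Override via env.
ZOOM_PORT="${ZOOM_PORT:-19421}"
ZOOM_DIR="${ZOOM_DIR:-$HOME/.zoomus}"
ZOOM_PLIST="${ZOOM_PLIST:-$HOME/Library/Preferences/us.zoom.config.plist}"

# listeners_on_port PORT TEXT
# Filters TEXT (output of `lsof -nP -iTCP -sTCP:LISTEN`) down to the lines
# showing a process that listens on PORT on any local address.
listeners_on_port() {
    port="$1"
    text="$2"
    printf '%s\n' "$text" | grep -E "TCP (127\.0\.0\.1|\[::1\]|\*):${port} \(LISTEN\)" || true
}

# live_listeners PORT
# The same check against the running system; empty output means no listener.
live_listeners() {
    if command -v lsof >/dev/null 2>&1; then
        listeners_on_port "$1" "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)"
    fi
}

# video_default_is_off
# Returns 0 when the (assumed) preference key that disables video-on-join is set.
video_default_is_off() {
    [ "$(defaults read "$ZOOM_PLIST" ZDisableVideo 2>/dev/null)" = "1" ]
}

# remediate
# Stops the helper, removes its directory, and leaves an unwritable regular
# file in its place so the directory cannot be silently recreated. Also sets
# video off by default for future joins.
remediate() {
    pkill ZoomOpener 2>/dev/null || true
    rm -rf "$ZOOM_DIR"
    touch "$ZOOM_DIR" && chmod 000 "$ZOOM_DIR"
    defaults write "$ZOOM_PLIST" ZDisableVideo 1
}

# Constructed sample of lsof output, used to exercise the filter offline.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener  812 alice    6u  IPv4 0x1234      0t0  TCP 127.0.0.1:19421 (LISTEN)
sshd        101 root     3u  IPv4 0x5678      0t0  TCP *:22 (LISTEN)'

case "${1:-}" in
    check)
        found="$(live_listeners "$ZOOM_PORT")"
        if [ -n "$found" ]; then
            echo "listener on port $ZOOM_PORT:"; echo "$found"
        else
            echo "no listener on port $ZOOM_PORT"
        fi
        video_default_is_off && echo "video off by default" || echo "video ON by default"
        ;;
    fix)
        remediate && echo "helper removed; $ZOOM_DIR blocked; video off by default"
        ;;
esac
```

Run `sh zoomcheck.sh check` before and after `sh zoomcheck.sh fix`; the mode-000 placeholder file blocks recreation of the helper's directory until you deliberately delete it and reinstall the client.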
In his disclosure timeline, Leitschuh says he reported the vulnerability to Zoom on March 26 along with a proposed “quick fix,” that Zoom took 10 days to confirm it, and that, despite his conversations with the company, he did not see the quick fix implemented until June 24.
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack,” he wrote.
Leitschuh added that he is publicizing the vulnerability because “this is essentially a Zero Day. Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service.”
A Zoom spokesperson told TechCrunch that “Zoom is working with a security researcher who raised concerns about video-on-by-default as a security vulnerability: Zoom by default turns on the video of a user when they join a meeting. This could, in theory, create the potential for a hacker to trick a target into joining a video meeting on camera. Of note, we have no indication that this has ever happened.”
In a longer statement, the company said that currently, “All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at any time.”
It added that “As part of our July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”