A researcher has discovered a vulnerability in the Zoom video conferencing client for Macs that allows an attacker to force someone to join a call with video enabled, giving the attacker access to the victim’s webcam without permission.
Zoom has already implemented a fix that prevents an attacker from accessing the webcam, and users can also select a setting in the client that automatically turns video off whenever they join a new call.
The bug is the result of a confluence of a couple of features and design decisions. When the Zoom client is installed on a Mac, it automatically installs a small web server that is designed to respond to requests from the local machine. That server remains on the machine even if the Zoom client is uninstalled, and it can be used to reinstall the client automatically. Security researcher Jonathan Leitschuh, who discovered the bug, found that the server has an odd behavior that sends a small image file to the client when the user clicks on a link to join a meeting. The size of the image actually dictates a status code from the server.
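A quick way to confirm whether a Zoom-owned localhost listener like the one described above is still present after the client has been removed, as an added example that is not from the article or from Zoom. It assumes the default `lsof` column layout, and the sample output, process name, PIDs and ports are constructed for the self-test.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that belong to a Zoom process, so a
# user can check that the local web server is gone after uninstalling the client.
# Assumes lsof's default columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.

# Pure filter over "lsof -nP -iTCP -sTCP:LISTEN" output read from stdin.
# Prints "pid command address" for every listener whose command name contains "zoom".
zoom_listeners_from() {
    awk 'NR > 1 && tolower($1) ~ /zoom/ { print $2, $1, $9 }'
}

# Live check on the current machine (macOS, or any system with lsof installed).
# Exit status 1 means at least one Zoom-owned listener is still up.
check_live() {
    found=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | zoom_listeners_from)
    if [ -n "$found" ]; then
        printf 'Zoom localhost listener(s) still present:\n%s\n' "$found"
        return 1
    fi
    echo "No Zoom-owned listening sockets found."
    return 0
}

# Constructed sample of lsof output for a self-test. The "zoomsrv" name,
# PIDs and ports are made up; they are not values from the article.
SAMPLE='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1  root   8u  IPv6 0x1234      0t0  TCP *:22 (LISTEN)
zoomsrv    4242  alice  5u  IPv4 0x5678      0t0  TCP 127.0.0.1:40001 (LISTEN)
Spotify    3131  alice  9u  IPv4 0x9abc      0t0  TCP 127.0.0.1:4381 (LISTEN)'

# Returns the number of Zoom-owned listeners in the constructed sample.
count_sample_listeners() {
    printf '%s\n' "$SAMPLE" | zoom_listeners_from | wc -l | tr -d ' '
}

# Returns the "pid command address" line for the constructed sample.
sample_listener_line() {
    printf '%s\n' "$SAMPLE" | zoom_listeners_from
}
```

Run `check_live` on the machine being inspected; a non-zero exit means something Zoom-related is still accepting connections on a local port.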
“One question I asked is, why is this web server returning this data encoded in the dimensions of an image file? The reason is, it’s done to bypass Cross-Origin Resource Sharing (CORS). For very intentional reasons, the browser explicitly ignores any CORS policy for servers running on localhost,” Leitschuh wrote in his explanation of the vulnerability.
CORS is a browser mechanism that defines which resources a web page may request from other origins. Cross-origin AJAX requests are explicitly forbidden, so to avoid that restriction and let users join a meeting without clicking a dialog box confirming that they want to open the Zoom client, Zoom made a design decision to work around it.
“This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution,” Richard Farley of Zoom wrote in a post on the company’s response to the vulnerability.
Leitschuh found that by embedding just one line of code into a website, he could force a victim on a Mac to join a meeting he had created. The other half of the equation is turning on the victim’s webcam. The default behavior when a host creates a new meeting is to allow the host to specify whether the other participants’ video is enabled when they join, so by selecting that option, Leitschuh could create a meeting that automatically added victims with their video enabled. However, if a user has disabled the setting in her client that starts video when joining a meeting, this method can’t override that setting.
Zoom implemented a fix that prevents an attacker from forcing the victim’s camera to turn on, but the attacker could still force a victim to join a call. Leitschuh said the code to do this could be used in any number of ways.
“This could be embedded in malicious ads, or it could be used as a part of a phishing campaign. If I were actually an attacker, I’d probably invest some time to also include the incrementing port logic that the code in the Javascript running on Zoom’s site,” he wrote.
In a statement Tuesday, Zoom officials said they're working on a method to allow people to delete the client and the web server.
"We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client. The user needs to manually locate and delete those two apps for now. This was an honest oversight. As such, by this weekend we will introduce a new Uninstaller App for Mac to help the user easily delete both apps," Farley said.
To be clear, Zoom honors the user’s Meeting settings. If the user has checked the video OFF option in their user settings, this cannot be overridden by the host or any other participant.
Leitschuh also found a bug that allowed him to send Mac Zoom clients into an endless loop, but Zoom patched that flaw in version 4.4.2.
Tod Beardsley, research director at security firm Rapid7, said that much of the problem lies with the way that browsers handle CORS policies for localhost domains, and that the existence of simple mitigations for the Zoom issues reduces the actual threat for users.
“For starters, there's a (non-default) configuration setting that seems to totally mitigate this issue. At any rate, given the existence of this mitigation, the bug actually seems to be down in the browser, not the Zoom client, where CORS policies aren't enforced for localhost domains. This has been known for several years,” Beardsley said.
“The short story is, an updated client and setting your web cam to not automatically start makes this ‘zero day’ go away.”