Popular video conferencing service has major flaw that affects Apple users

Image credit: Shutterstock (Image credit: Image Credit: Leolintang / Shutterstock)

Update: The patch from Zoom we talked about in our original story has now been released. The company wrote on its blog: “The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.”

The original story follows below...

There’s a worrying zero-day vulnerability which has been reported as affecting the Zoom videoconferencing app for the Mac. It can be abused to activate the user’s webcam and force them to join a conference call against their will – apparently even if they’ve previously uninstalled the Zoom software from their computer.

As Jonathan Leitschuh of Medium.com writes, there are over four million Zoom users on the Mac, all of whom could be potentially affected by this issue.

What’s happening here is that if a user can be tricked into clicking on a malicious Zoom meeting link in their browser, they will be forcibly joined to the attacker’s conference call – with their video camera activated.

And obviously, a malicious party being able to see you through your webcam is a worrying prospect.

Moreover, as mentioned, if you previously ran the Zoom software and uninstalled it from your Mac, because the client leaves a localhost web server on your machine – needed for certain functionality in the app when it’s running with the Safari browser – Leitschuh observes that this will reinstall Zoom of its own accord when such a malicious link is clicked.

Therefore you can still fall prey to this sting even if you’ve got rid of Zoom from your Mac.

Leitschuh provides a detailed timeline of his disclosure to Zoom, and notes that despite a ‘quick fix’ being implemented, when the time for public disclosure (90-day deadline) rolled around yesterday, there was still an issue here.

Leitschuh writes: “Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user’s video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site.”

Control over video settings

Zoom has responded to clarify that a malicious party can’t override a user’s video settings to turn their Mac webcam on – which is to say that if the user has configured the Zoom client to disable their video feed upon joining a meeting, the attacker can’t workaround that to see their video.

But of course, not everyone will have selected to turn off video when joining a meeting.

At any rate, Zoom’s proposed solution is as follows: “In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings.

“Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”

So to say safe from this potential vulnerability, you do need to ensure that your video settings are configured thusly. Zoom further observes that it has no evidence that this exploit has ever actually been exercised in the wild.

Leitschuh also outlined a potential method whereby this vulnerability could be used to execute a denial of service (DoS) attack on a Mac user, overloading the target machine with an endless loop of meeting invitations, but Zoom states that it released a fix for this back in May (and that it was a low-risk affair, with no indication that this tactic had ever been abused).

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).