On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in conferencing software Zoom—which apparently achieves its click-to-join feature, which allows users to go directly to a video meeting from a browser link, on Mac computers by installing a local web server running as a background process that “accepts requests regular browsers wouldn’t,” per the Verge. As a result, Zoom could be hijacked by any website to force a Mac user to join a call without their permission, and with webcams activated unless a specific setting was enabled.
Worse, Leitschuh wrote that the local web server persists even if Zoom is uninstalled and is capable of reinstalling the app on its own, and that when he contacted the company they did little to resolve the issues.
In a Medium post on Monday, Leitschuh provided a demo in the form of a link that, when clicked, took Mac users who have ever installed the app to a conference room with their video cameras activated (it’s here, if you must try yourself). Leitschuh noted that the code to do this can be embedded in any website as well as “in malicious ads, or it could be used as a part of a phishing campaign.” Additionally, Leitschuh wrote that even if users uninstall Zoom, the insecure local web server persists and “will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”
This implementation leaves open other nefarious ways to abuse the local web server, per the Verge:
Turning on your camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to enact a denial of service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Leitschuh writes.
According to Leitschuh, he contacted Zoom on March 26, saying he would disclose the exploit in 90 days. Zoom did issue a “quick fix” patch that only disabled “a meeting creator’s ability to automatically enable a participants video by default,” he added, though this was far from a complete solution (and did nothing to negate the “ability for an attacker to forcibly join to a call anyone visiting a malicious site”) and only came in mid-June.
On July 7, he wrote, a “regression in the fix” caused it to no longer work, and though Zoom issued another patch on Sunday, he was able to create a workaround.