MacWorld: Zoom Mac app flaw sparks serious security concerns
Posted on July 9th, 2019
Do not adjust your screen. The logo above is displayed upside down as a comment on Zoom.
Zoom Video Communications (NASDAQ: ZM) provides video conferencing and IP telephony services. Copies of its Zoom Meeting Client have turned up on Macs and PCs that were also infected with malware, and many owners of those machines have become targets of brazen attacks by well-organised criminal groups operating outside the U.S., in regions where their chances of being caught by law enforcement are slim to nil.
Zoom is not directly responsible for these swindles. But its widely distributed Zoom Meeting Client has been tampered with and redistributed by cybercriminals, and Zoom can't seem to stop it. Unsuspecting users install the tampered copies and become easy-to-spot targets for myriad scams and some truly frightening encounters with criminals.
One common example is the remote tech-support scam: users are tricked into taking calls from, or placing calls to, gangs posing as security staff from Microsoft or Apple. Under that pretext the gang takes remote control of the computer and plunders it for account IDs, passwords and anything else usable for identity theft, bank and card fraud, extortion and more. Victims describe these encounters as hair-raising, even harrowing.
Zoom Video Communications could claim to be a victim of cybercriminals too. But the following MacWorld piece strongly suggests that Zoom's cavalier attitude toward its users is Facebook-like: if users are victimized, it's their own fault, not Zoom's.
Zoom’s response when caught? Make a sincere-sounding but intentionally meaningless apology. Move on. Repeat.
Websites could access your Mac’s camera without permission.
MacWorld Staff Writer, Michael Simon, Jul 09, 2019
If you’ve ever downloaded the Zoom app to participate in a video conference, your Mac may be at risk—even if you’ve already deleted it. In a Medium post, security researcher Jonathan Leitschuh discovered a serious flaw that could allow a website to access your Mac’s camera without your knowledge or permission.
Update 7/11: Apple has issued a silent macOS update (delivered through the malware removal tool built into macOS) that removes the Zoom Mac app's localhost server.
As Leitschuh explains, the vulnerability stems from Zoom's quest for simplicity. Sending someone a Zoom meeting link automatically opens the Zoom client installed on their machine. To make that work even after the app has been deleted, Zoom leaves a web server silently listening on localhost on your Mac. Because any web page can make the browser send a request to a localhost address, clicking a link is enough to have the client reinstalled and launched, with no user interaction beyond visiting the page.
That raises a whole lot of red flags. But even beyond the practice of surreptitiously running a localhost web server on hundreds of thousands of Macs around the world, Leitschuh unearthed a vulnerability that "allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission … and would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call."
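The following Python sketch is an added example, not Zoom's code and not taken from Leitschuh's post. It contrasts the request handling the article describes (a plain GET to a localhost endpoint joins the call with video on) with a stricter policy for the same endpoint. The port, the origin allowlist, the /launch path and its confno parameter are placeholders chosen for the demonstration.

```python
"""
Added example (not Zoom's code): why an unauthenticated localhost HTTP
listener can be driven by any web page, and what a stricter request
policy for the same endpoint looks like.
"""
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping
from urllib.parse import parse_qs, urlparse

# Arbitrary port and allowlist for the demo; neither is taken from Zoom.
DEMO_PORT = 8000
ALLOWED_ORIGINS = {"https://zoom.example"}  # hypothetical vendor origin


@dataclass(frozen=True)
class Decision:
    action: str     # "join", "prompt" or "reject"
    meeting: str    # meeting id taken from the query string, if any
    video_on: bool  # whether the camera would be switched on
    status: int     # HTTP status the daemon would answer with


def _meeting_id(path: str) -> str:
    return parse_qs(urlparse(path).query).get("confno", [""])[0]


def permissive_policy(method: str, path: str, headers: Mapping[str, str]) -> Decision:
    """Mirrors the design the article describes: a plain GET to /launch
    joins the meeting with video on, no matter which page sent it.
    A browser issues exactly such a GET for
    <img src="http://127.0.0.1:8000/launch?confno=123"> on any site, so
    every website can drive this endpoint even though it cannot read
    the response."""
    if method == "GET" and urlparse(path).path == "/launch":
        return Decision("join", _meeting_id(path), True, 200)
    return Decision("reject", "", False, 404)


def strict_policy(method: str, path: str, headers: Mapping[str, str]) -> Decision:
    """Stricter handling of the same endpoint:
    - only POST is accepted, so <img>, <script> and link GETs cannot fire it;
    - the Origin header must name an allowlisted page (the browser sets
      Origin on cross-origin POSTs and a page cannot forge it);
    - the daemon never joins on its own: it only asks the user to
      confirm, and the camera stays off until the user turns it on."""
    if urlparse(path).path != "/launch":
        return Decision("reject", "", False, 404)
    if method != "POST":
        return Decision("reject", "", False, 405)
    if headers.get("Origin", "") not in ALLOWED_ORIGINS:
        return Decision("reject", "", False, 403)
    return Decision("prompt", _meeting_id(path), False, 202)


class OpenerHandler(BaseHTTPRequestHandler):
    """Tiny localhost daemon that applies the chosen policy."""
    policy = staticmethod(strict_policy)

    def _handle(self, method: str) -> None:
        d = self.policy(method, self.path, self.headers)
        self.send_response(d.status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(
            f"{d.action} meeting={d.meeting!r} video_on={d.video_on}\n".encode()
        )

    def do_GET(self) -> None:
        self._handle("GET")

    def do_POST(self) -> None:
        self._handle("POST")

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


if __name__ == "__main__":
    # Run the stricter daemon, then open any page containing
    # <img src="http://127.0.0.1:8000/launch?confno=123"> and watch the
    # GET be refused with 405; switch policy to permissive_policy to see
    # the same image tag "join" the meeting with video on.
    HTTPServer(("127.0.0.1", DEMO_PORT), OpenerHandler).serve_forever()
```

The point of the contrast is that the browser, not the page, is what reaches localhost: a page needs no permission and no response to trigger a GET, so a local listener that acts on GET is effectively a public API for every website the user visits.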
Leitschuh says Zoom dragged its feet after he reported the vulnerability in March, implementing only a "quick fix" in late June. After he published the Medium post on Monday, the company responded with a workaround rather than a true fix: "In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms."
You'll need to check this box to shut down the ability for websites to access your camera.
Zoom explains that a change Apple made in Safari 12 "requires a user to confirm that they want to start the Zoom client prior to joining every meeting." To save users that extra click, Zoom installed the localhost web server as "a legitimate solution to a poor user experience problem."
Zoom also claims that it has no evidence of a Mac being subjected to a DOS attack, which it describes as "empirically a low risk vulnerability." It also announced that it will implement a public vulnerability disclosure program within the next several weeks.
However, Zoom is putting the onus on users to protect their Mac's camera against hijacking. The latest update to the app doesn't fix the flaw or remove the localhost server, but it does save the user's desired camera setting. So to remove the risk of a website switching on your camera, you need to go into the Zoom app settings and select the "Turn off my video when joining a meeting" option. Note what that setting does not do: a website can still force you into a call, and can still repeatedly join you to invalid calls, because the localhost server is still listening; only the camera stays off. That's hardly reassuring, and Zoom hasn't given any indication that it will properly fix the problem in a future update or even keep the camera off by default.
Disable the Zoom localhost web server
To stop the localhost web server and keep Zoom from reinstalling it, open Terminal and run the following. The first line handles Zoom itself; the second handles the RingCentral-branded Zoom client, which bundles the same daemon. Each line kills the hidden daemon, deletes the directory it lives in, and then replaces that directory with an empty, mode-000 file so the installer cannot recreate it under the same name:
# Zoom: kill the daemon, remove its directory, block the path with an unusable file
pkill ZoomOpener; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus
# RingCentral (rebranded Zoom client): same steps for its daemon and directory
pkill RingCentralOpener; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener
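To confirm the clean-up took effect, here is an added Python check (not from the article or from Zoom) that you can run on the Mac as the same user after the Terminal commands above. The process names and placeholder paths are the ones used in those commands; the port number is the one the ZoomOpener daemon was reported to listen on in 2019 and is an assumption you should confirm locally with lsof if in doubt.

```python
"""
Added example (not from the article or from Zoom): verify that the hidden
daemon is gone after running the Terminal commands above, and that the
mode-000 placeholder files are in place to stop it from being reinstalled.
"""
import socket
import stat
import subprocess
from pathlib import Path

# Process names and paths from the removal commands above.
DAEMONS = ("ZoomOpener", "RingCentralOpener")
PLACEHOLDERS = ("~/.zoomus", "~/.ringcentralopener")
# Port the ZoomOpener daemon was reported to listen on in 2019 (assumption;
# confirm locally with: lsof -iTCP -sTCP:LISTEN).
DAEMON_PORT = 19421


def placeholder_in_place(path: str) -> bool:
    """True if `path` is a regular file with mode 000, as produced by
    `touch X && chmod 000 X` above. The installer wants to create a
    directory under that name; a file already occupying the name makes
    the mkdir fail, which is what keeps the daemon from coming back."""
    try:
        st = Path(path).expanduser().lstat()
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0


def process_running(name: str):
    """True/False from `pgrep -x NAME`; None when pgrep is unavailable."""
    try:
        rc = subprocess.run(["pgrep", "-x", name], capture_output=True).returncode
    except FileNotFoundError:
        return None
    return rc == 0


def port_accepting(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port. A daemon
    whose files were deleted but which is still running shows up here."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit() -> dict:
    """Collect every check. On a cleaned-up machine no daemon is running,
    nothing accepts connections on the port, and each placeholder is True."""
    return {
        "daemons_running": {n: process_running(n) for n in DAEMONS},
        "port_accepting": port_accepting(DAEMON_PORT),
        "placeholders": {p: placeholder_in_place(p) for p in PLACEHOLDERS},
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

If `port_accepting` still reports True after the commands, a copy of the daemon is still running under another name or from another path; check what owns the port with lsof before assuming the removal worked.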
Michael Simon covers all things mobile for PCWorld and Macworld. You can usually find him with his nose buried in a screen. The best way to yell at him is on Twitter.