Security Flaw in Zoom Allows Websites to Take Control of Mac Webcams

Security Vulnerability Exposed in Zoom Video Conferencing Software on macOS

A critical security vulnerability affecting Zoom’s video conferencing software has come to light, raising significant privacy concerns for users operating on Mac computers. Reports indicate that any website accessed through the browser has the potential to activate a user’s webcam without explicit consent. This alarming loophole could allow malicious actors to invade users’ privacy remotely.

The vulnerability, noted as CVE-2019-13450, was disclosed by cybersecurity researcher Jonathan Leitschuh in a recent Medium post. Despite responsibly notifying Zoom about this issue more than 90 days ago, the company has yet to deploy a comprehensive security patch. This oversight places the privacy and security of over four million Apple users at considerable risk.

Zoom has established itself as a widely used cloud-based platform for video and audio conferencing, facilitating webinars, online training, and virtual meetings. However, the convenience of its click-to-join feature, which automatically launches the Zoom app when a meeting link is clicked, has inadvertently introduced significant risk. Leitschuh discovered that the software runs a local web server on the user's machine that accepts outside commands via HTTPS GET parameters. Consequently, any website a user visits could exploit this mechanism.

To execute the exploit, an attacker would need to create an invite link through their Zoom account and embed it on a third-party site. By enticing users to visit this site, they can trigger the Zoom application, resulting in the unauthorized activation of the webcam. This method opens the door to malicious activities that could compromise user safety.

Leitschuh indicated that merely uninstalling the Zoom client does not mitigate the risk, because the local web server remains behind and can reinstall the client without user consent through the flawed click-to-join feature. He noted that the vulnerability not only allows unauthorized webcam access but could also facilitate denial-of-service attacks on targeted computers through excessive GET requests sent to the vulnerable local server.

Although Zoom has implemented a partial remedy to prevent attackers from activating user webcams, concerns remain. The platform has not addressed the fundamental issue of unauthorized meeting joins, so a malicious website can still force a visitor into a meeting and create a more intrusive experience.

The reported vulnerability affects the latest version of the Zoom app for Mac. In addition to alerting Zoom, Leitschuh also notified teams at Chromium and Mozilla; however, because the flaw lies within the Zoom application itself, there is little the browser developers can do.

For users seeking to enhance their security, disabling the feature that automatically enables the webcam when joining meetings is advisable. This can be accomplished through the Zoom settings. Moreover, users are encouraged to execute specific Terminal commands to ensure the local web server is entirely uninstalled, thus reducing exposure to potential exploitation.
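The following script is an added example for readers who want to check whether the hidden local web server is still present and, optionally, remove it; it is not code from the article, from Leitschuh's post, or from Zoom. It assumes the port (19421) and the hidden directory (~/.zoomus) described in the public disclosure of CVE-2019-13450, neither of which this article names, and it is written for macOS, where `lsof` is available. By default it only reports; remediation runs only when `ZOOM_FIX_APPLY=1` is set, and it leaves a plain file at the directory path so the client cannot silently recreate the server directory.

```shell
#!/bin/sh
# Added example (not from the article, Leitschuh's post, or Zoom):
# detect and optionally remove the leftover Zoom local web server on macOS.
# Assumptions: port 19421 and ~/.zoomus are taken from the public disclosure
# of CVE-2019-13450; the article itself does not list them.

ZOOM_PORT="${ZOOM_PORT:-19421}"
ZOOM_DIR="${ZOOM_DIR:-${HOME:-/tmp}/.zoomus}"

# Parse `lsof -nP -iTCP:PORT -sTCP:LISTEN` output read on stdin and print
# one listening PID per line (column 2), skipping the header row.
listener_pids() {
  awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Classify the hidden directory path:
#   present - a directory exists, so the client can be reinstalled from it
#   blocked - a plain file occupies the path, so the directory cannot be recreated
#   absent  - nothing there
zoomus_state() {
  if [ -d "$1" ]; then
    echo present
  elif [ -e "$1" ]; then
    echo blocked
  else
    echo absent
  fi
}

# Live check: PIDs of anything listening on the Zoom port (empty if none,
# or if lsof is unavailable on this system).
check_listener() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null | listener_pids
  fi
}

# Remediation: stop the listener, remove the hidden directory, and leave a
# plain file in its place so the client cannot silently recreate it.
remediate() {
  for pid in $(check_listener); do
    kill "$pid" 2>/dev/null || true
  done
  rm -rf "$ZOOM_DIR"
  touch "$ZOOM_DIR"
}

# Report only, unless explicitly asked to apply the fix.
if [ "${ZOOM_FIX_APPLY:-0}" = "1" ]; then
  remediate
  echo "removed listener and blocked $ZOOM_DIR"
else
  echo "listening PIDs on port $ZOOM_PORT: $(check_listener | tr '\n' ' ')"
  echo "$ZOOM_DIR state: $(zoomus_state "$ZOOM_DIR")"
fi
```

Run it once to see the current state, then again with `ZOOM_FIX_APPLY=1` to remove the server; repeating the first run afterwards should show no listening PID and the directory reported as `blocked`. The webcam-on-join setting mentioned above is separate and still needs to be changed in the Zoom client preferences.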

Following the exposure of this vulnerability, Zoom issued a statement acknowledging the issue while emphasizing that users would notice if they unintentionally joined a meeting. They maintained that no current evidence suggests that the vulnerability has been exploited to compromise user privacy.

This incident underscores the need for organizations, particularly those utilizing digital communication platforms, to remain vigilant regarding security vulnerabilities. The tactics displayed in this case align with the MITRE ATT&CK framework’s categories of initial access and persistence, demonstrating the necessity for businesses to adopt proactive security measures in order to prevent similar intrusions in the future.
