It took over 90 days for Zoom to finally patch a zero day that they were alerted to as early as March 8. The vulnerability was detailed in a Medium post written by Jonathan Leitschuh. Here’s the tl;dr of Jonathan’s post:
- The vulnerability allows hackers to force you into a call, DoS your Mac with repeated calls, reinstall the app on your computer, and take over your Mac’s camera.
- This is made possible because hackers can take advantage of a server that is surreptitiously included when you install Zoom.
- This server works as a background process and can be accessed even if the desktop app is closed or uninstalled. With a tailored GET request, Jonathan was able to initiate a Zoom meeting.
- Thanks to poor design, the cameras of participants are on by default. So, in one fell swoop, a hacker can initiate a call and access a user’s camera.
- An experienced hacker can use phishing attacks or iframes to get you to initiate a request to the web server without your knowledge. They could then send repeated GET requests to your server to DoS your Mac, or they could reinstall the Zoom app to continue attacks.
One would think that the above information would be enough to spur a move towards patching the vulnerability. However, Zoom fell into the trap of favoring a convenience feature over security. They only performed quick fixes suggested by Jonathan and avoided doing away with the web server. It was only after Jonathan’s public disclosure went viral that Zoom finally realized its mistake. The company released a statement saying, “Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process.” The quote exposes the resistance the company had towards modifying their “seamless join” feature. It would be nice to say that this event should serve as a lesson to product teams that a feature is only as good as the security it provides to its users, but tight deadlines and tight budgets discourage the use of pen-testing.
Now, the best way to protect yourself from this vulnerability is to access your Zoom app and update it; the new patch removes the web server entirely. If you’re feeling a bit paranoid, you can run
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus; to remove the web server from your computer.
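As an added example (my own script, not code from Jonathan’s post or from Zoom), here is the same mitigation written as a small POSIX shell script that checks the machine’s state first, so it can be re-run safely and used to verify that the helper is gone. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent version of the ZoomOpener cleanup one-liner.
# HOME is read at call time so the functions can be exercised against a
# throwaway directory before touching a real account.

zoom_dir() { printf '%s/.zoomus' "$HOME"; }

# 0 if the background web-server helper is still running.
zoom_opener_running() {
    pgrep ZoomOpener >/dev/null 2>&1
}

# 0 if ~/.zoomus still exists as a directory (the helper can be reinstalled into it).
zoomus_dir_present() {
    [ -d "$(zoom_dir)" ]
}

# Octal permission bits; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# 0 once ~/.zoomus has been replaced by a mode-000 placeholder file.
zoomus_neutralised() {
    d=$(zoom_dir)
    [ -f "$d" ] && [ "$(( $(file_mode "$d") + 0 ))" -eq 0 ]
}

# Stop the helper, delete its directory and pin an unwritable file in its
# place so a later reinstall cannot recreate the directory. Returns 0 when
# the placeholder is in place afterwards.
mitigate_zoom_opener() {
    d=$(zoom_dir)
    pkill ZoomOpener 2>/dev/null || true     # no matching process is fine
    if zoomus_dir_present; then
        rm -rf "$d"
    fi
    if [ ! -e "$d" ]; then
        touch "$d" && chmod 000 "$d"
    fi
    zoomus_neutralised
}

# Usage: . ./zoom_cleanup.sh && mitigate_zoom_opener && echo "ZoomOpener neutralised"
```

Running `zoom_opener_running` afterwards should fail (exit non-zero), which confirms the helper process is no longer present.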