July 9, 2019 | 09:56
Zoom, a popular video conferencing platform, has been accused of ignoring the warnings of a security researcher and leaving a serious security vulnerability on macOS systems - even when its client software has been uninstalled.
Founded in 2011 by Eric Yuan, formerly of Cisco Systems and its WebEx collaboration and video conference subsidiary, Zoom Video Communications boasts around 1,300 employees and a near-$16 billion valuation following an initial public offering (IPO) on the Nasdaq exchange in March this year. Its popular software, however, contains a serious security flaw which could allow remote attackers to activate a webcam without the user's permission - and the researcher who discovered it says the company isn't taking the issue, still unpatched, seriously.
Researcher Jonathan Leitschuh contacted Zoom in March regarding two security vulnerabilities: A denial-of-service vulnerability and an information disclosure vulnerability which allowed websites to activate the webcam and join the user to a Zoom video conference without their permission. The latter is the most serious issue, naturally, but comes with a worrying twist: It remains active on the system even if the Zoom client software is uninstalled.
'If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,' Leitschuh explains in his public disclosure notice. 'This re-install "feature" continues to work to this day.
'This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a "quick fix" Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the "quick fix" solution originally suggested.'
'Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,' Leitschuh claims. 'An organisation of this profile and with such a large user base should have been more proactive in protecting their users from attack.'
More worryingly, the quick-fix turned out to be ineffective: 'Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user’s video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site,' Leitschuh explains, followed by an update warning: 'There has been a regression in the fix implemented by Zoom thus allowing this vulnerability to be exploited with the video camera activated.'
Zoom, for its part, downplays the severity of the flaw, and claims that a pending update will allow users to default their webcam to off - but doesn't deny that they will still be able to be forcibly joined to a meeting simply by visiting a malicious website. The company also states that it has no intention of changing the behaviour of the hidden web server, which remains active even when the client software is uninstalled, stating that 'We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless,one-click-to-join meetings, which is our key product differentiator.'
August 14 2020 | 10:22