Today, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app for Macs. He has demonstrated that any website can open a video-enabled call on a Mac that has the Zoom app installed. That's possible in part because the Zoom app apparently installs a local web server on Macs that accepts requests regular browsers wouldn't. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention.
Using Leitschuh's demo, we have confirmed that the vulnerability works — clicking a link, if you have previously installed the Zoom app (and haven't checked a certain checkbox in settings), auto-joins you to a conference call with your camera on. Others on Twitter are reporting the same.
Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh's account, Zoom doesn't appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it's not an issue with their browsers, there's not much those developers can do.
Turning on your camera is bad enough, but the existence of the web server on their computers could open up more significant problems for Mac users. For example, in an older version of Zoom (since patched), it was possible to mount a denial-of-service attack on Macs by constantly pinging the web server: “By simply sending repeated GET requests for a bad number, Zoom app would constantly request focus from the OS,” Leitschuh writes.
You can “patch” this issue yourself by ensuring the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting, illustrated below. Again, simply uninstalling Zoom won't fix this problem, as that web server persists on your Mac. Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post.
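One way to check a Mac for the leftover listener the article describes, as an added example that is not part of the article and not Zoom's own tooling. It assumes the macOS `lsof` command is available for the live check; the process names, PIDs and port in the embedded sample are constructed and are not Zoom's real values.

```shell
#!/bin/sh
# Added example (not from the article or from Zoom): look for a web server
# listening on this Mac whose process name mentions Zoom, so a user or fleet
# admin can tell whether the helper survived an uninstall of the app.

# filter_zoom_listeners: reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin
# and prints "COMMAND PID ADDRESS SCOPE" for each Zoom-named listener, where
# SCOPE is "loopback" for 127.0.0.1/::1 binds and "all-interfaces" otherwise.
filter_zoom_listeners() {
  awk 'NR > 1 && tolower($1) ~ /zoom/ {
         scope = ($9 ~ /^(127\.0\.0\.1|\[::1\]|localhost):/) ? "loopback" : "all-interfaces"
         print $1, $2, $9, scope
       }'
}

# check_zoom_listeners: live check; returns 1 when a listener is found so the
# script can gate a compliance or remediation job.
check_zoom_listeners() {
  found=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | filter_zoom_listeners)
  if [ -n "$found" ]; then
    printf 'Zoom helper web server still listening:\n%s\n' "$found"
    return 1
  fi
  printf 'No Zoom listener found.\n'
  return 0
}

# Constructed sample of lsof output (names, PIDs and port are made up).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomHelp   4242 alice    7u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:12345 (LISTEN)
Safari     1010 alice   12u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:8080 (LISTEN)'

if [ "${1:-}" = "--live" ]; then
  check_zoom_listeners          # run against this machine
else
  printf '%s\n' "$SAMPLE_LSOF" | filter_zoom_listeners   # demo on the sample
fi
```

Run it with `--live` on the Mac being checked; without arguments it only filters the embedded sample.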