Zoom, a company that sells video conferencing software for the business market, is tweaking the app to fix a vulnerability in its software that allows malicious websites to force users into a Zoom call with the webcam turned on.
The flaw was discovered by security researcher Jonathan Leitschuh, who documented it in a blog post on Monday.
He said that initially, the vulnerability would have also allowed any webpage to inflict a denial of service (DoS) attack on a Mac by repeatedly forcing a user onto an invalid call. But that DoS vulnerability – CVE-2019-13449 – was fixed in version 4.4.2 of the macOS client.
In discussions with the Zoom team over the past few weeks, Leitschuh said that Zoom had proposed a fix to the hijacking vulnerability: namely, digitally signing requests from websites that are made to the client.
But the researcher said that wouldn’t have solved the problem, given that an attacker would be able to set up a server to make requests to the Zoom site in order to acquire a valid digital signature before contacting the client.
Note. The original version of this article stated that this flaw was specific to Zoom on the Mac, but Jonathan Leitschuh has confirmed in a tweet that this issue can affect Windows users too. See below for how to prevent Zoom turning on your camera by default when you join a meeting. [Updated 2019-07-09T18:20Z]
There was another problem the researcher found: when setting up a meeting, you can enable the video setting to “Participants: On” for all those who join a meeting. That removes a participant’s choice of whether or not to have their video connected and instead automatically joins them to a meeting with their video on.
Because the Zoom client runs in the background, an attacker could embed a Zoom join link in their website, causing any Zoom user to be instantly connected, with their video feed turned on, even if they aren’t running the Zoom software in the foreground.
Zoom sent a statement to multiple publications in which it said that it developed the local web server in response to changes that Apple introduced in Safari 12.
It did so in order to save the user some clicks in what had become a cumbersome log-in, it said:
[Running a local server in the background was a] legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.
Starting this month, Zoom will save users’ and administrators’ preferences for whether video will be turned on or not. On all of its platforms, it will save the user’s choice on whether or not to turn off video in their first call and will apply that choice to future meetings.
From Zoom’s statement:
All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF.
For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.
What to do?
Fortunately there’s something you can do to mitigate against the issue:
- Launch the Zoom app.
- Open the Settings page (on a Mac, use Preferences or press Command-Comma).
- Click the Video option.
- Enable the setting Turn off my video when joining a meeting.
On a Mac, you can easily block Zoom’s access to your camera altogether, via the System Preferences settings:
- Click on the Apple menu (top left corner of your screen).
- Choose System Preferences…
- Click the Security & Privacy icon.
- Click the Camera option.
- Review which apps have access to your camera.
(To alter the setting for any app, you will first need to click on the padlock icon and enter your password to authorise the changes. That’s a precaution to prevent ill-behaved or buggy apps simply changing the setting back.)