Zoom released a patch this week to fix a security flaw in the Mac version of its desktop video chat app that could allow hackers to take control of a user’s webcam.
The vulnerability was discovered by security researcher Jonathan Leitschuh, who published information about it in a blog post Monday. The flaw potentially affected 750,000 companies and approximately 4 million individuals using Zoom, Leitschuh said.
Zoom said it’s seen “no indication” any users were affected. But concerns about the flaw and how it works raised questions about whether other similar apps could be equally vulnerable.
The flaw involves a feature in the Zoom app that lets users quickly join a video call with one click, thanks to a unique URL link that immediately launches the user into a video meeting. (The feature is designed to launch the app quickly and seamlessly for a better user experience.) Although Zoom gives users the option to keep their camera off before joining a call – and users can later turn the camera off in the app’s settings – the default is to have the camera on.
Leitschuh argued that the feature could be used for nefarious purposes. By directing a user to a site containing a quick-join link embedded and hidden in the site’s code, the Zoom app could be launched by an attacker, in the process switching the camera and/or microphone on without a user’s permission. That’s possible because Zoom also installs a web server when the desktop app is downloaded.
Once installed, the web server remains on the device – even after the Zoom app has been deleted.
After publication of Leitschuh’s post, Zoom downplayed concerns about the web server. On Tuesday, however, the company announced it would issue an emergency patch to remove the web server from Mac devices.
“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom CISO Richard Farley, said in a blog post. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”
Apple also released a “silent” update on Wednesday that ensures the web server is removed on all Mac devices, according to Techcrunch. That update would also help protect users who deleted the Zoom.
Enterprise customer concerns
There have been varying levels of concern about the severity of the vulnerability. According to Buzzfeed News, Leitschuh classified its seriousness at 8.5 out of 10; Zoom rated the flaw at 3.1 following its own review.
Irwin Lazar, vice president and service director at Nemertes Research, said the vulnerability itself should not be a major cause of concern for enterprises, as users would quickly notice the Zoom app being launched on their desktop.
“I don't think this is very significant,” he said. “The risk is that someone clicks on a link pretending to be for a meeting, then their Zoom client starts and connects them into the meeting.” If video has been configured as on by default, a user would be seen until they realized they had inadvertently joined a meeting. “They would notice the Zoom client activating, and they would immediately see that they have been joined into a meeting.
“At worst, they are on camera for a few seconds before they leave the meeting,” Lazar said.
While the vulnerability itself isn’t known to have created problems, the time taken by Zoom to respond to the issue is more of a concern, said Daniel Newman, Founding Partner/Principal Analyst at Futurum Research.
“There are two ways of looking at this,” Newman said. “As of [Wednesday], based upon the patch that was released [Tuesday], the vulnerability isn't that significant.
“However, what is significant for enterprise customers is how this issue dragged out for months without resolution, how the initial patches were able to be rolled back re-creating the vulnerability and now having to ask if this newest patch will indeed be a permanent solution,” Newman said.
Leitschuh said he first warned Zoom about the vulnerability in late March, a few weeks prior to the company’s IPO in April, and was initially informed that Zoom’s security engineer was “out of office.” A full fix was only put in place after the vulnerability was made public (though a temporary fix was rolled out before this week).
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” he said. “An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.”
In a statement Wednesday, Zoom CEO Eric S Yuan said the company had “misjudged the situation and did not respond quickly enough – and that’s on us. We take full ownership and we’ve learned a great deal.
“What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.”
Other vendors, similar flaws?
It is possible that similar vulnerabilities could be present in other videoconferencing applications too, as vendors attempt to streamline the process of joining meetings.
“I haven't tested other vendors, but I wouldn't be surprised if they do [have similar features],” said Lazar. “Zoom competitors have been trying to match their fast start times and video-first experience, and most everyone now enables the ability to quickly join a meeting by clicking on a calendar link.”
Computerworld contacted other leading videoconferencing software vendors, including BlueJeans, Cisco and Microsoft, to ask whether their desktop apps also require the installation of a web server like the one from Zoom.
BlueJeans said its desktop app, which also uses a launcher service, cannot be activated by malicious websites and stressed in a blog post today that its app can be completely uninstalled – including the removal of the launcher service.
“The BlueJeans meeting platform is not vulnerable to either of these issues,” said Alagu Periyannan, the company's CTO and co-founder.
BlueJeans users can either join a video call via a web browser – which “leverages the browsers’ native permission flows” to join a meeting – or by using the desktop app.
“From the beginning our launcher service was implemented with security as top of mind,” Periyannan said in an emailed statement. “The launcher service ensures that only BlueJeans authorized websites (e.g. bluejeans.com) can launch the BlueJeans desktop app into a meeting. Unlike the issue referenced by [Leitschuh], malicious websites cannot launch the BlueJeans desktop app.
“As an ongoing effort we continue to evaluate browser-desktop interaction improvements (including the discussion raised in the article around CORS-RFC1918) to ensure we are offering the best possible solution for users," Periyannan said. “In addition, for any customers who are uncomfortable with using the launcher service, they can work with our support team to have the launcher disabled for the desktop app.”
A Cisco spokesperson said its Webex product does “not install or use a local web server, and it is not impacted by this vulnerability.”
Microsoft did not immediately respond to a request for comment.
Highlighting the danger of shadow IT
While the nature of the Zoom vulnerability attracted attention, for large organizations the security risks go deeper than one software vulnerability, said Newman. “I believe this is more of a SaaS and shadow IT problem than a video conferencing problem,” he said. “Of course, if any piece of networking equipment isn't properly set up and secured, vulnerabilities will be exposed. In some cases, even when set up correctly, software and firmware from the manufacturers can create issues that lead to vulnerabilities.”
Zoom has enjoyed significant success since its creation in 2011, with a range of large enterprise customers that includes Nasdaq, 21stCentury Fox and Delta. This has largely been because of word-of-mouth, “viral” adoption among employees, rather than top-down software rollouts often mandated by IT departments.
That manner of adoption – which drove the popularity of apps like Slack, Dropbox and others at large companies – can create challenges for IT teams that want tight control of software used by staff, said Newman. When apps aren't vetted by IT, this leads to “greater levels of risk.”
“Enterprise applications need to have a marriage of usability and security; this particular issue shows that Zoom has clearly focused more on the former than the latter,” he said.
“This is part of the reason I stay bullish on the likes of Webex Teams and Microsoft Teams,” Newman said. “Those applications tend to enter through IT and are vetted by the appropriate parties. Furthermore, those companies have a deep bench of security engineers that are focused on application safety.”
He noted Zoom's initial response – that its "Security Engineer was out of the office" and unable to reply for several days. “It's hard to imagine a similar response being tolerated at MSFT or [Cisco].”