Zoom has slow-walked a fix for a bug that allows randos to take over your Mac's camera

Zoom is an incredibly popular videoconferencing tool. In late March, security researcher Jonathan Leitschuh notified the company that its Mac software contained a ghastly vulnerability that allowed attackers to take over your camera after tricking you into clicking a malicious link. Leitschuh gave Zoom 90 days to fix the bug before going public (a common courtesy extended by security researchers when they discover dangerous bugs) then watched in dismay as the company slow-walked a response, so that when the deadline rolled around, the vulnerability was still in place.

To make things worse, Zoom's installer silently installs an insecure web-server as part of its package — a server whose defects leave Mac users vulnerable to denial of service attacks — and then doesn't uninstall the server when you remove the software, leaving former Zoom users vulnerable until they undertake an elaborate and complex uninstall process.
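As an added example (not code from the article, from Zoom, or from Leitschuh's write-up), here is a small defender-side check for the leftover local web server described above. It assumes the publicly documented locations for that helper: a hidden `~/.zoomus` directory and a listener on localhost TCP port 19421; the home directory is a parameter so the check can be run against any user profile.

```shell
#!/bin/sh
# Check a macOS user profile for residue of the Zoom local web server.
# Assumed locations (from public reporting, not from the article above):
#   - helper files under ~/.zoomus
#   - helper listening on localhost TCP port 19421
# usage: zoom_residue_report [home-dir]   (defaults to $HOME)

ZOOM_PORT=19421

# Return 0 if the hidden helper directory exists under home dir $1.
zoom_helper_dir_present() {
  [ -d "$1/.zoomus" ]
}

# Return 0 if something is listening on the helper port, 1 if not,
# 2 if lsof is unavailable so the check could not be run.
zoom_port_listening() {
  command -v lsof >/dev/null 2>&1 || return 2
  lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1
}

# Print findings for home dir $1 (default $HOME).
# Exit status: 1 if any residue was found, 0 if none.
zoom_residue_report() {
  home="${1:-$HOME}"
  found=0
  if zoom_helper_dir_present "$home"; then
    echo "found: $home/.zoomus (helper files still present)"
    found=1
  fi
  zoom_port_listening && port_rc=0 || port_rc=$?
  case "$port_rc" in
    0) echo "found: listener on localhost:$ZOOM_PORT"; found=1 ;;
    2) echo "skipped: lsof not available, port check not run" ;;
  esac
  [ "$found" -eq 0 ] && echo "no Zoom helper residue found under $home"
  return "$found"
}
```

Run it as `zoom_residue_report` after uninstalling Zoom; a non-zero exit means the helper is still installed or still listening and the manual cleanup is not finished.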

Zoom defended its partial response to the vulnerability, saying that leaving the vulnerability in place preserves its convenient "one-click to join" function, calling this its "key product differentiator." It says that if users want to choose a higher level of security, they can manually reconfigure Zoom to turn off their camera until they turn it on.

Zoom has made some back-end tweaks to make this attack harder to execute, but Leitschuh describes ways that these can be trivially bypassed. Leitschuh estimates that about 4 million systems are vulnerable.

I am a regular Zoom user and I'm aghast at this behavior, which, per Leitschuh's description, was a shitshow from start to finish. From the company's failure to even respond to Leitschuh's original messages, to the lack of seriousness they've displayed when it comes to mitigating the defect, to the incredibly poor choice to install a secret webserver on its customers' computers, to the even worse form in creating an uninstaller that leaves that webserver in place and running in the background after their software is removed, this entire episode inspires great distrust for the company.

Normally, I connect to Zoom meetings with its Android software. After this incident, I've removed the Zoom app from my phone and I'll be dialing into meetings using a phone number in future.

If you want to experience the bug in action, visit this link and you'll find yourself joined to a video-chat with a bunch of freaked out randos who are learning that Zoom does not care about their privacy or security.

I commented that allowing a host to choose whether or not a participant will automatically join with video should be considered its own standalone security vulnerability.

To this advisement, I received the following response:

Zoom believes in giving our customers the power to choose how they want to Zoom. This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting. Such configuration options are available in the Zoom Meeting client audio and video settings.

However, we also recognize the desire by some customers to have a confirmation dialog before joining a meeting. Based on your recommendations and feature requests from other customers, the Zoomteam [sic] is evaluating options for such a feature, as well as additional account level controls over user input device settings. We will be sure to keep you informed of our plans in this regard.

When responding to responsible disclosure, don't go into PR spin mode. It's counterproductive.

It's important to note that the default configuration for Zoom is to allow a host to choose whether or not your camera is enabled by default.

Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user's video camera. They did not disable the ability for an attacker to forcibly join anyone visiting a malicious site to a call.

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! [Jonathan Leitschuh/Medium]