Updated Zoom Video Communications, whose web conferencing service is used by millions, is under fire for installing a hidden web server on Macs in order to bypass user consent when joining a meeting.
Researcher Jonathan Leitschuh, a member of the security team at Gradle Inc, investigated how the Zoom client opens automatically when you receive a meeting link.
Leitschuh discovered that when you install Zoom on a Mac, it installs a web server on port 19421. If you then click on a Zoom conferencing link, the page loads an image from the web server on localhost, where the size of the image returned represents a status code – a hack to get around CORS (Cross-Origin Resource Sharing) restrictions which apply to Ajax requests.
The result is that you can get a user to join a Zoom call simply by embedding a Zoom link into a website, for example, by using an iframe (inline frame). The user sees an ordinary web page URL but the iframe loads the Zoom link automatically.
The default Zoom configuration leaves it to the host to determine whether or not the camera is automatically enabled. Therefore, an attacker can view the user's webcam simply by persuading them to visit the attacker's site.
As Leitschuh observes, the consequences could be more serious if there are other exploitable vulnerabilities in the Zoom client – such as the "Zoom Unauthorized Command Execution" bug – which Tenable reported in November 2018 but is now fixed.
Just to save a click?
Leitschuh reported the problem to Zoom, along with a related denial-of-service vulnerability. He was offered a financial bounty, which he declined, because it was conditional on never publicly disclosing the bugs.
Zoom responded by changing the host's ability to choose whether the camera is enabled – but the fix regressed and Leitschuh also found that the iframe workaround mentioned above bypassed it.
There are further concerns. One is that even if you uninstall Zoom on the Mac, it leaves the Zoom web server in place. The web server has the ability to reinstall the Zoom client, rendering the uninstall attempt ineffective. This ability is also a security incident waiting to happen, since if an attacker managed to gain control of one of the allowed domains for downloading the client, it could install some other executable.
"To shut down the web server, run
lsof -i :19421 to get the PID of the process, then do
kill -9 [process number]. Then you can delete the
~/.zoomus directory to remove the web server application files," Leitschuh explained.
Zoom has made two statements about the matter. In a blog post, Richard Farley, Zoom's chief information security officer, said that Zoom users can set a preference for video on or off when joining a meeting. "The host or any other participant cannot override a user's video and audio settings to, for example, turn their camera on."
This is not inconsistent with what Leitschuh claims. The host does determine whether or not the participant's camera is on, but this is subject to the user's preferences. As ever, the majority of users accept the defaults, so if the default is ON then video will be on. A clean install of Zoom will indeed have this setting, though it is reversed, which means you have to check "Turn off my video when joining meeting" to avoid it.
This setting, which defaults to ON, controls whether a Zoom meeting has video automatically enabled
Further, Farley justifies installing the web server even though this is specifically to bypass a security feature introduced by Apple in Safari 12, writing:
When Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
The company also issued a public statement (PDF) with a similar claim that installing a local web server is a reasonable workaround "to avoid this extra click before joining a meeting". The statement adds that a July update will add a feature to "apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings".
This does not sound like a full solution.
What about Windows users? No hidden web server perhaps; but that is because on Windows the "extra click" is not needed. The meeting opens automatically, with video (tested in Firefox, Chrome and Edge), provided the browser has set the association with
.zoommtg links – a once-only operation. Depending on preferences, you might also get a conference options prompt in front of the meeting, but you have already joined. Whether browsers should allow this without a further prompt is a moot point, and one which Apple attempted to fix in Safari.
If you do not like this behaviour, remove the association with
.zoommtg in your browser. For example, here is the setting in Firefox:
The Mac web server running on localhost is an extra security risk, though, especially as it has an unpublished API. An attacker could have an IMG tag on a page, for example, set to a
src=URL on your Zoom web server. It is hard to understand how Zoom's security officer can justify risks like these in the name of avoiding "poor user experience". On the other hand, this does demonstrate the lengths to which a company will go to achieve a slight advantage in ease of use, never mind the consequences.
Security-conscious Mac users may want to remove all traces of Zoom at least until the risks are better understood. Tape over the camera? Maybe. ®
Updated to add
Amid a surge of online outcry today, Zoom's blog post about the webcam vulnerability has been updated repeatedly to eventually confirm that a security patch is being pushed out now to Mac users. It should be installed as soon as you can, or you may install it manually from here.
This July 9 release will "remove the local web server entirely, once the Zoom client has been updated," and "allow users to manually uninstall Zoom." That's good news as it kills off the undocumented web service, and allows you to boot the whole thing off your Mac completely for good.
Another patch is due to land on July 12 that will ensure "first-time users who select the 'Always turn off my video' box will automatically have their video preference saved," and "returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings."
It is hoped this will address concerns over the software's video-on-by-default nature: basically, you should be able to tell the program to not open up the video as soon as you click on or trigger a Zoom link, regardless of the host's call settings.