Zoom aims to make it as easy as possible to add users to a video conference. One of its selling points is that users can join a video conference session by clicking on a link. However, the way in which this was achieved posed some security risks.
Researcher Jonathan Leitschuh found that the Mac version of the app installs a web server that listens on the local machine; the "click a link to join" feature works by having the browser hand off to that server. Because any web page the user visits can make the browser send requests to a server on localhost, that listener left the user's computer open to attack from arbitrary websites.
For example, an attacker could send a target a link to a maliciously crafted website that would join the user to a Zoom call of the attacker's choosing with their webcam activated. A malicious page could also effectively carry out a denial of service attack on the Mac by repeatedly forcing the client to join an invalid call.
Another issue noted by Leitschuh is that even after the Zoom client is uninstalled, the local web server remains on the machine and can be tricked into reinstalling the Zoom client when the user visits a malicious webpage.
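The following is an added example, not code from the article or from Zoom. It models the class of bug described above: a service listening on localhost that any web page the user visits can drive, because the browser issues requests to the local port on the page's behalf. The permissive handler acts on any GET that parses, which is all an `<img>` tag on a hostile page needs; the hardened form requires a POST with a custom header (so the browser performs a CORS preflight), checks the `Origin` against an allowlist, validates the meeting number, rate-limits join attempts, and keeps the camera off by default. The port, path, parameter names and the vendor origin `https://meetings.example` are assumptions chosen for illustration, not Zoom's real endpoint.

```python
# Added example, not from the article or from Zoom. Endpoint path, parameters,
# port and the allowed origin are assumptions for illustration only.
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs
import time


@dataclass
class Request:
    method: str
    target: str    # request target as received, e.g. "/launch?action=join&confno=123"
    headers: dict  # lowercase header name -> value


def _parse_launch(target):
    """Return (action, confno) for a /launch request, or None for any other path."""
    url = urlparse(target)
    if url.path != "/launch":
        return None
    params = parse_qs(url.query)
    return params.get("action", [None])[0], params.get("confno", [None])[0]


def permissive_handler(req):
    """Vulnerable pattern: any GET that parses is acted on, no matter who sent it.
    A hostile page only needs <img src="http://localhost:PORT/launch?..."> (port
    assumed) and the victim's browser issues this request from the victim's own
    machine. Camera defaults to on, mirroring the behaviour the article describes."""
    parsed = _parse_launch(req.target)
    if parsed is None:
        return 404, "not found"
    action, confno = parsed
    if action == "join" and confno:
        return 200, f"joining meeting {confno} with camera on"
    return 400, "bad request"


@dataclass
class HardenedLauncher:
    """Hardened pattern for the same listener (design choices are this example's, not Zoom's)."""
    # Only pages from these origins may drive the launcher. Browsers attach Origin
    # to cross-site POST and CORS requests and page script cannot forge it; a
    # non-browser client can, but it already runs on the user's machine.
    allowed_origins: frozenset = frozenset({"https://meetings.example"})  # assumed vendor origin
    max_joins_per_minute: int = 3      # blunts the repeated-join denial of service
    video_on_by_default: bool = False  # camera stays off unless the user opts in
    _join_times: list = field(default_factory=list)

    def handle(self, req, now=None):
        now = time.monotonic() if now is None else now
        parsed = _parse_launch(req.target)
        if parsed is None:
            return 404, "not found"
        # CORS preflight: consent is granted only to allowlisted origins, so a
        # cross-origin page never gets to send the custom header below.
        if req.method == "OPTIONS":
            if req.headers.get("origin") in self.allowed_origins:
                return 204, "preflight ok"
            return 403, "origin not allowed"
        # A bare GET (what <img>, <script> and link clicks produce) never acts.
        if req.method != "POST":
            return 405, "method not allowed"
        # The custom header makes the request "non-simple", forcing the preflight.
        if req.headers.get("x-requested-with") != "launcher":
            return 403, "missing launcher header"
        if req.headers.get("origin") not in self.allowed_origins:
            return 403, "origin not allowed"
        action, confno = parsed
        if action != "join" or not confno or not confno.isdigit():
            return 400, "bad request"  # reject the "invalid call" used for the DoS outright
        self._join_times = [t for t in self._join_times if now - t < 60]
        if len(self._join_times) >= self.max_joins_per_minute:
            return 429, "too many join attempts"
        self._join_times.append(now)
        camera = "on" if self.video_on_by_default else "off"
        return 200, f"joining meeting {confno} with camera {camera}"
```

The `Origin` check is the load-bearing control against browser-driven requests; the method and header requirements exist so that the cheap vectors (image tags, script tags, plain navigation) never reach the action at all, and the rate limit bounds the damage if everything else is bypassed. To check whether a listener of this kind is present on a Mac, list the TCP sockets in the LISTEN state with `lsof -nP -iTCP -sTCP:LISTEN` and look for an unexpected process bound to the loopback address.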
The Windows version of the software is not vulnerable.
The first flaw, which could force a user into a conference call with the webcam activated, did not affect users who had manually changed the client setting so that video is turned off when they join a meeting.
Zoom has pushed out an update that turns video off by default when joining a meeting. Zoom also disputed the scale of Leitschuh's claims.
The developer also said that there was no evidence of the flaw being exploited in the wild, and that had users been targeted in this way it would have been very clear that they had unintentionally joined a video conference, as the client is brought to the foreground.
Written by: James Delahunty @ 9 Jul 2019 11:36