A zero-day vulnerability in the Mac Zoom client allows any malicious website to turn on the machine's camera without the user's permission, potentially affecting the 700,000+ companies worldwide that use Zoom for video conferencing each day, security researcher Jonathan Leitschuh disclosed in a post on Medium this week.
The vulnerability leverages Zoom's feature of letting users share a link that permits anyone to join a meeting with a single click. If you have ever installed Zoom on a Mac, the app also installs a local web server listening on port 19421 of localhost; Zoom added it to get around changes introduced in Safari 12, which now asks the user to confirm before a web page is allowed to launch an application. Because a web page can make requests to that local server without any such prompt, the confirmation step is bypassed. You can check whether the server is present on your Mac by running lsof -i :19421 in your terminal, Leitschuh found.
Leitschuh said he was able to exploit the vulnerability to create a URL that could drop users into a call and force video and audio on without their permission.
In a statement to ZDNet, Zoom said it believed that running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
Meanwhile, Leitschuh wrote in his post that he doesn’t feel Zoom has done enough to mitigate the vulnerability after it was disclosed to them. “Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” he wrote. “An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.”
Malicious actors can still use the exploit to launch someone into a call without their permission today, Leitschuh wrote.
How to patch the Zoom vulnerability
To patch the Zoom vulnerability, users can do the following, according to Leitschuh:
- Disable the ability for Zoom to turn on your webcam when joining a meeting (under Settings -> Video -> Meetings, check "Turn off my video when joining a meeting"). Note that this only stops the camera from coming on automatically; a crafted link can still drop you into a call.
- To shut down the web server, run lsof -i :19421 to get the PID of the listening process, then run kill -9 <PID>. Then you can delete the ~/.zoomus directory to remove the web server's application files.
To prevent the local server from being restored after updates, execute the following in your terminal:
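The steps above, collected into one script as an added example. This is not Leitschuh's script or anything shipped by Zoom; it assumes the lsof output format shown in its test data and uses one common way of blocking the directory from being recreated, namely replacing ~/.zoomus with an empty file that has no permissions (an assumption of this example, not a step taken from the page):

```shell
#!/bin/sh
# Added example, not from Leitschuh's post or from Zoom: find the Zoom local
# web server on port 19421, stop it, remove its files, and block the
# directory so a later update cannot silently restore the server.

ZOOM_PORT=19421
ZOOM_DIR="${HOME}/.zoomus"

# Pull the PID column out of `lsof -i :PORT` output read from stdin.
# The first line of lsof output is a header, so it is skipped.
zoom_pids_from_lsof() {
    awk 'NR > 1 { print $2 }' | sort -u
}

# Return 0 if something is listening on the Zoom port, 1 otherwise.
zoom_server_running() {
    pids=$(lsof -i ":${ZOOM_PORT}" 2>/dev/null | zoom_pids_from_lsof)
    [ -n "$pids" ]
}

# Kill every process attached to the Zoom port (the page's kill -9 step).
zoom_kill_server() {
    pids=$(lsof -i ":${ZOOM_PORT}" 2>/dev/null | zoom_pids_from_lsof)
    [ -n "$pids" ] || return 0
    for pid in $pids; do
        echo "killing pid $pid on port ${ZOOM_PORT}"
        kill -9 "$pid"
    done
}

# Remove the directory holding the server and put an empty, permission-less
# regular file in its place. An installer that expects a directory at that
# path cannot then drop the server files back in. (Assumed mitigation.)
zoom_block_dir() {
    dir="$1"
    rm -rf "$dir"
    : > "$dir"            # empty regular file at the old directory path
    chmod 000 "$dir"
    [ -f "$dir" ] && [ ! -d "$dir" ]
}

# Full procedure: stop the server if it is running, then block ~/.zoomus.
zoom_disable_server() {
    if zoom_server_running; then
        zoom_kill_server
    else
        echo "no listener on port ${ZOOM_PORT}"
    fi
    zoom_block_dir "$ZOOM_DIR"
}

# Only act when invoked explicitly, so the file can be sourced for its
# functions without touching anything: sh zoom_fix.sh --run
if [ "${1:-}" = "--run" ]; then
    zoom_disable_server
fi
```

Run it with `sh zoom_fix.sh --run`; afterwards `lsof -i :19421` should print nothing and `ls -l ~/.zoomus` should show a zero-byte file with mode 000 rather than a directory. Reinstalling Zoom normally will want that path back, so remove the placeholder first if you later choose to reinstall.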