A flaw in the Mac version of Zoom Video Communications’ software could allow any website to bring users onto a Zoom conference call and potentially see their video feed, according to a software engineer who discovered the vulnerability and blogged about it on Medium.
In a post published July 7, security researcher Jonathan Leitschuh said he first contacted Zoom in March about this and other potential security issues for Mac users, including the installation of a local Zoom web server that is not removed automatically when the Zoom app is deleted.
Zoom addressed the findings on its company blog, admitting that “if the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed.” But the company, which has about 58,500 business customers with more than 10 employees, sought to tamp down users’ concerns, saying:
Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened. [emphasis theirs]
When first-time Zoom users join their first meeting, they are asked whether they would like their video turned off on joining. For subsequent meetings, users would need to adjust their settings to keep their video off. Zoom says its upcoming July 2019 release will carry users’ video preference from their first meeting over to all future meetings. As before, if the camera is off, neither the host nor any other participant can override that setting.
Until the update is available, Leitschuh recommends that users themselves go into their video settings and select “turn off my video when joining a meeting.”
Zoom also responded to Leitschuh’s other main concerns: the limited-functionality web server that is installed alongside Zoom on a Mac device, and the potential for denial-of-service (DoS) attacks, in which an attacker could essentially lock up a Mac that already has Zoom installed by sending it an endless loop of requests to join a meeting.
The web server “is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting,” Zoom said in its initial response. “The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.” Update: Later today Zoom said it would stop using a local web server on Mac devices and would allow users to manually delete both the Zoom client and the server, with a patch to be made available by midnight Pacific time.
Jonathan Tock, director of security operations at SpearTip, a cybersecurity advisory firm, says any fix that affects the user experience would be especially risky for Zoom, which has staked its business on the idea of frictionless communication. “‘One-click-to-join’ meetings is one of their trademark things that they do, and they do that very well,” Tock says.
As for the possibility of a DoS attack, Zoom says it has “no indication that this ever happened.” It released a fix in May, but some users may not have updated their software, as they weren’t forced to install the patch.
The disclosure of the security flaws didn’t have much impact on Zoom’s stock price, which dipped 78 cents to $89.98 in midday US trading. The shares are still more than double their initial public offering price from April.