Zero-Day Vulnerability in Zoom Could Allow Webcam Takeovers On Mac

After December 2018, another security risk affecting Zoom customers has come to light. This time, the flaw exists in the Zoom video conferencing software and specifically threatens Mac users. As reported, this zero-day Zoom vulnerability can let an attacker take over a user's webcam when exploited.

Zero-Day Zoom Vulnerability Threatening Mac Users

Researcher Jonathan Leitschuh discovered a serious security flaw in the Zoom video conferencing software. Specifically, he found a zero-day Zoom vulnerability that can allow an attacker to target Mac users by taking over their webcams. He has described his findings in detail in a blog post.

According to the post, the Zoom video conferencing software for Mac can allow an attacker to control a user's webcam via a malicious invite URL. A potential attacker can send the URL to any Mac user by any means. When the recipient opens the URL in the browser, the Zoom client opens on the device.

This way, the attacker can exploit the vulnerability to forcibly join the user to a Zoom call. As stated by the researcher,

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission."

Even if the user has uninstalled the Zoom app, the attack can still happen due to the presence of a local web server that continues to run even after uninstalling the app. This web server reinstalls the Zoom client when triggered without user interaction or permission.

Thus, an attacker can exploit this feature for any malicious activity.

This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.

Moreover, an attacker can also exploit this flaw to create a denial-of-service state on the target system.
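
One way to check for the kind of leftover local web server described above after uninstalling a client, as an added example that is not from the article or the researcher's post: it parses `lsof -nP -iTCP -sTCP:LISTEN` output and reports loopback listeners owned by a named process. The process name `ExampleOpener`, the PIDs, the ports and the sample output are constructed placeholders, since the article does not give the real values.

```python
import ipaddress

# Constructed `lsof -nP -iTCP -sTCP:LISTEN` output; names, PIDs and ports are
# placeholders, not values from the article.
SAMPLE = """\
COMMAND   PID  USER   FD  TYPE DEVICE             SIZE/OFF NODE NAME
ExampleOp 612  alice  7u  IPv4 0x1a2b3c4d5e6f7a8b 0t0      TCP  127.0.0.1:49152 (LISTEN)
otherapp  401  alice  4u  IPv4 0x1a2b3c4d5e6f7a8c 0t0      TCP  *:49200 (LISTEN)
ExampleOp 612  alice  8u  IPv6 0x1a2b3c4d5e6f7a8d 0t0      TCP  [::1]:49152 (LISTEN)
devserver 733  alice  21u IPv4 0x1a2b3c4d5e6f7a8e 0t0      TCP  127.0.0.1:3000 (LISTEN)
"""

LSOF_CMD_WIDTH = 9  # lsof prints only the first 9 characters of COMMAND by default


def parse_listeners(text):
    """Return one dict per listening TCP socket found in lsof output."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        # Expect: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE ADDR (LISTEN)
        if len(parts) != 10 or parts[7] != "TCP" or parts[9] != "(LISTEN)":
            continue
        host, _, port = parts[8].rpartition(":")
        if not port.isdigit():
            continue
        found.append({"command": parts[0], "pid": int(parts[1]),
                      "host": host.strip("[]"), "port": int(port)})
    return found


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; False for wildcard (*) or other hosts."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def leftover_listeners(text, process_names):
    """Loopback listeners whose (possibly truncated) command matches a name."""
    wanted = [n[:LSOF_CMD_WIDTH].lower() for n in process_names]
    return [s for s in parse_listeners(text)
            if is_loopback(s["host"])
            and any(s["command"].lower().startswith(w) for w in wanted)]


if __name__ == "__main__":
    for sock in leftover_listeners(SAMPLE, ["ExampleOpener"]):
        print("still listening:", sock)
```

Any hit after an uninstall means a helper process is still accepting local connections and should be stopped and removed.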

No Patch Yet – Workaround Available

Upon finding the vulnerability, the researcher contacted Zoom officials to inform them about it. However, it took quite a while to reach a fix, as is evident from the timeline shared by the researcher. He contacted Zoom officials on March 26, 2019, and it took the firm until July 8, 2019, to present a ‘working’ workaround. Zoom simply opted for a ‘quick fix’ that requires a digital signature.

This new signature or token is embedded in a new parameter called confid.

However, it remains possible to bypass this ‘fix’. Thus, the simple way to avoid this vulnerability, as recommended by the researcher, is to disable the video feature entirely when joining a call.
