Any Mac with the Zoom teleconferencing app can be spied on right now. Yep, it's a bad day for Apple security, as malicious websites can be coded to remotely start a video conference call on your Mac — and the attack can even be sent over email.
The good news? Zoom promises that a fix is on the way.
This news, disclosed by security researcher Jonathan Leitschuh, shows that even Macs that don't have Zoom installed anymore — but once did — are vulnerable. The good news, though, is that there are solutions (one is seriously difficult, though), and Zoom seems to be fixing it all soon.
What to do now:
The fix, thanks to Zoom changing its stance, appears to be as simple as accepting Zoom updates as they arrive. In an update to Zoom's big blog post about the flaw, the company stated a patch coming tonight (July 9) at or before 3 a.m. EST/midnight PST will solve things. Users will be prompted to update the app and that once the update is finished, "the local web server will be completely removed on that device."
The update will also supposedly improve the uninstall procedure. Zoom's post states "We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server."
We look forward to seeing if Jonathan Leitschuh and other security researchers think Zoom's doing a thorough and proper job.
To safeguard your Mac until that update, open Settings for Zoom — click Zoom in the menu bar, then click Settings — and open the Video section. Then check the box next to "Turn off my video when joining a meeting."
In his post (opens in new tab), Leitschuh also shared code for use in the Terminal. Those instructions get a bit complicated and are best for the super-tech savvy users who would prefer it. Those tips are made to eradicate the web server that Zoom creates on the Mac.
How it works
Yes, this is all possible because Zoom secretly installs a web server on Macs, one that receives — and accepts — requests that your web browsers wouldn’t. Leitschuh explained that he tried to work with Zoom, reaching out to the company this past March, but that its "solutions were not enough to fully protect their users."
Also, as I mentioned earlier, even those users who have uninstalled Zoom from their Macs are vulnerable. Leitschuh explains that the web server installed by Zoom stays behind even after you remove the program, and that the server can be remotely triggered to update and automatically install the latest version of Zoom.
Oh, and a victim doesn't even need to even be tricked into opening a web page. First off, Vimeo user 'fun jon' (opens in new tab) posted video evidence that you can attack this flaw via email, and the target doesn't even need to open the message. They just need to be using an email client app that downloads the maliciously coded message.
After Leitschuh argued with Zoom, alleging telling the company that "allowing a host to choose whether or not a participant will automatically join with video" is a "standalone security vulnerability," the company disagreed, positioning its decision as pro-user: "Zoom believes in giving our customers the power to choose how they want to Zoom."
Zoom also released a blog post arguing its side of the story. It admits no fault or wrongdoing.
Want to see it for yourself?
If you've ever had Zoom on your machine, you can see this for yourself. Just search Leitschuh's blog post for the phrase "zoom_vulnerability_poc/" — as that's the link to his proof of concept, which launches a Zoom call. The first is an audio-only version; the second link, which includes 'iframe' in the URL, starts a call with video active.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQafJuly 9, 2019