If you are using a Mac computer and you have Zoom software installed in it, you might want to remove it as soon as possible.
Zoom, a video conferencing software that powers RingCentral’s video conferencing feature, has compromised the security of their users when an unpatched zero-day vulnerability that enables hackers to send a client call link that when opened, would automatically turn on your webcam.
The worse part about vulnerability is that you cannot even turn it off.
Zoom is a famous video call and conferencing software that uses VoIP technology to send signals and allow users to connect through a client link. When two computers open a client link, two (or more) people will be able to engage in a video call remotely.
However, software engineer Jonathan Leitschuh uncovered a significant security flaw in the Mac client for Zoom. It turns out that this implementation isn’t secure since an attacker could create a link that would automatically join users to a call and turn your video camera on without you noticing. Users will only be made aware that their camera is on after seeing the LED indicator light (which has no option to be turned off as a functionality) lit.
The bigger problem comes from the fact that once an attack is made, the problem will continue to annoy even after uninstalling the software from your Mac computers. This is possible since the designers of the software deliberately included a hidden web server on your Mac that would reinstall Zoom’s client automatically after clicking the link.
Previously, the company behind Zoom defended the value of a hidden web server but eventually retracted and released an update, version 4.4.4 (53932.0709), that removes the unknown web server and offers an option to uninstall Zoom completely.
Attempts to resolve the problem
Following the discovery of the exploited vulnerability in Zoom’s video calling, the company promised to implement stricter security mechanisms to improve their system.
“To be clear, Zoom honors the user’s video settings,” they said in a press release regarding the vulnerability. “Video is central to the Zoom experience. Our video-first platform is a key benefit to our users around the world, and our customers have told us that they choose Zoom for our frictionless video communications experience,” they added.
And about what they did once they discovered the zero-day, they said: “Once the issue was brought to our Security team’s attention, we responded within ten minutes, gathering additional details, and proceeded to perform a risk assessment. Our determination was that both the DOS issue and meeting join with a camera on concern were both low risk because, in the case of DOS, no user information was at risk, and in the case of meeting join, users can choose their camera settings.”
Furthermore, the company also has promised to release several fixes all throughout July to remedy the problem. Starting July 12, first-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings, and their video will be OFF by default for all future meetings. Also, returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.
Zoom is “irresponsible”
While Zoom made an effort to circumvent the problems caused by the said zero-day, tech experts still believe that the mere fact that such vulnerability exists makes them “irresponsible.”
“Zoom’s efforts to circumvent Safari’s native security are completely irresponsible. The Web server ‘feature’ merely adds a small amount of convenience at a massive security cost. This is flagrant and deliberate security and privacy violation that raises serious concerns over Zoom’s internal security prioritization and threat modeling,” TidBITS Security Editor Rich Mogull said.
Nonetheless, experts advise users who have Zoom and RingCentral on their Mac computers to immediately uninstall them to avoid falling victim to the said exploitable vulnerability.