Unpatched Zoom client allows any site to force Mac users into video chat

Video conferencing giant faces criticism after downplaying bug

UPDATED A security researcher has gone public with an unpatched vulnerability in the Mac version of the Zoom video conferencing app that allows a malicious website to auto-join users to a video or voice call and enable their webcam without permission.

A related but now-patched vulnerability in the Mac Zoom video conferencing client also creates a means to repeatedly invite targets to join an invalid call – a tactic that might be harnessed to mount denial-of-service (DoS) attacks on unprotected systems.

This DoS vulnerability (CVE-2019–13449) is fixed with the Zoom client version 4.4.2. The information disclosure (webcam) vulnerability (CVE-2019–13450) appears to remain unpatched.

Security researcher Jonathan Leitschuh claims that he informed Zoom about the issues on March 26. He says that the app developers sat on the vulnerability before coming forward with an incomplete fix.

“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” Leitschuh explains in a technical blog post published on Monday, some days after the 90-day public disclosure deadline he gave Zoom to act had expired.

Zoom’s Mac client installs a local web server on devices that stays on systems even after users have removed the app. Zoom will reinstall itself without asking permission even if users have previously uninstalled it, Leitschuh said.

This means those who no longer use the app are equally vulnerable to exploit, providing they are tricked into visiting a booby-trapped website.

Fortunately, there’s a simple (albeit incomplete) fix. Users can partially protect themselves by disabling the ability for Zoom to turn on their webcam when joining a meeting.

In his blog post, Leitschuh details the vulnerability and a range of workarounds, as well as offering a proof-of-concept exploit, independently verified as functional.

Zoom came up with a response to Leitschuh’s concerns, downplaying the auto-join video conference issue.

“The Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately,” it said.

“Also of note, we have no indication that this has ever happened.”

Security researchers have argued that this response is inadequate.

Challenged on its response thus far, a Zoom PR representative told The Daily Swig that it planned to release an uninstaller app.

“We did not have an easy way to help a user delete both the Zoom client app and also the Zoom local web server app that launches our client,” Zoom said. “This was an honest mistake.

“The user needs to manually locate and delete those two apps for now. By this weekend we will introduce a new app to help the user easily delete both apps.”

This article has been updated to include comment from Zoom.