Zoom boasts over four million users and 750,000 companies around the world that have chosen it for their video conferencing needs. When it was revealed that the Mac version of the Zoom video conferencing client had a severe vulnerability, it set off a panic across the globe. The vulnerability was disclosed by security researcher Jonathan Leitschuh. It was first reported over 90 days ago, but the Zoom team has yet to offer a proper security patch.
The vulnerability allows hackers to turn on the webcam and spy on you even if you have uninstalled Zoom, and even to activate programs on your computer remotely. Hackers exploit the bug by sending a link to a Zoom video meeting; once it is opened, they can turn on your webcam and watch everything you do.
Zoom has since released a statement confirming the vulnerability and addressing the alleged risks involved. They offered a guide for first-time Zoom users and advised clients to configure their video settings so that video is off when joining a meeting. From the July 2019 release, Zoom will apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn off video when joining a meeting. This change will apply to all of Zoom's client platforms.
Boris Cipot, Senior Security Engineer at Synopsys Integrity Group, spoke with CyberSecurity Asean to share his thoughts on the seriousness of the threat and what users can do to mitigate their exposure.
How serious is this issue?
Every security vulnerability brings threats and they should be treated as highly risky. This vulnerability however brings with it another level of risk for those who were just using Zoom as an invitee into a Zoom session. Imagine that you or your company decided to use Zoom as your meeting provider; you are doing all the necessary things to monitor the application and mitigate its vulnerabilities. But if you are usually not using Zoom and it just happened that you were invited to a Zoom session, you have the risk or the vulnerability also on your device and are not even aware this risk exists. This means that you are now a potential target for someone who wants to use this vulnerability as well, in this case to lower the performance of a machine or join a call with the camera activated without the user's permission, which is a substantial privacy intrusion.
How easy is it for an attacker to exploit this issue?
The attacker does not have to have the user's permission to join a Zoom call. This means that the vulnerability is easy to exploit. In the attack vector described in the article, any web page could interact with the local web server and abuse the vulnerability. That being said, the vulnerability would be triggered if the target were to visit a site that abuses the vulnerability. Even if this is a scenario that will most probably not happen, think about phishing attacks. As said, the vulnerability is on your Mac already if you've used Zoom as a participant in a call. An attacker could theoretically carry out phishing attacks, spam or other attack strategies where the user would need to click a link, lure potential victims onto such a page and join them in a call without them knowing.
What can organisations do to mitigate their exposure to this threat?
The article by Jonathan Leitschuh delivers not only a good description of the problem but also a good mitigation procedure. He proposes to disable the ability for Zoom to switch on your camera automatically when joining a call. You can do this in the Zoom settings by selecting the option "Turn off my video when joining a meeting" or by using the Terminal. Also shut down the local Zoom web server that is running on your Mac and prevent it from being run again after the update. The description of how to do it is in the article. Also monitor Zoom for any notifications on patches and fixes for this vulnerability.
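The mitigation steps above (stop the leftover local web server, keep it from being relaunched, turn off video on join) can be scripted so that an administrator can check and apply them consistently across a fleet of Macs. The script below is an added example written for this page; it is not code from the article, from Zoom, or from Leitschuh's write-up. The port number, the server's directory and the preferences domain/key that the real mitigation needs are not stated in the article, so they are passed in as arguments and shown only as placeholders; the script name `zoom_mitigate.sh` and the helper names are likewise assumptions. The `lsof` output in the test is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article, Zoom, or Leitschuh's write-up): an
# auditable check/apply script for the mitigation steps quoted above.
# PORT, SERVER_DIR, PREF_DOMAIN and PREF_KEY are placeholders supplied by the
# caller; take the real values from the write-up before using --apply.

# Extract the PIDs listening on a port from `lsof -i :PORT` output on stdin.
# Pure text processing, so it can be exercised offline with constructed output.
listener_pids() {
    # Skip the header line; the PID is the second column; de-duplicate.
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Report whether anything is listening on a port: prints open, closed, or
# unknown (when lsof is not installed; macOS ships it).
port_state() {
    port="$1"
    if ! command -v lsof >/dev/null 2>&1; then
        echo "unknown"
        return 2
    fi
    pids=$(lsof -nP -i ":$port" 2>/dev/null | listener_pids)
    if [ -n "$pids" ]; then echo "open"; else echo "closed"; fi
}

# Stop every process listening on the port: TERM first, KILL if it lingers.
stop_listener() {
    port="$1"
    for pid in $(lsof -nP -i ":$port" 2>/dev/null | listener_pids); do
        echo "stopping pid $pid listening on port $port" >&2
        kill "$pid" 2>/dev/null || true
        sleep 1
        if kill -0 "$pid" 2>/dev/null; then kill -9 "$pid" 2>/dev/null || true; fi
    done
}

# Keep a directory from being recreated: replace it with an empty, unwritable
# regular file of the same name, so nothing can be written under that path.
block_relaunch_dir() {
    dir="$1"
    rm -rf "$dir" && : > "$dir" && chmod 000 "$dir"
}

# Turn off video on join through the macOS defaults system. Domain and key are
# caller-supplied placeholders; the article names neither.
disable_auto_video() {
    domain="$1"; key="$2"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not available; use the client setting 'Turn off my video when joining a meeting' instead" >&2
        return 2
    fi
    defaults write "$domain" "$key" -bool true
}

usage() {
    cat <<'EOF' >&2
usage: zoom_mitigate.sh --check PORT
       zoom_mitigate.sh --apply PORT SERVER_DIR PREF_DOMAIN PREF_KEY
PORT, SERVER_DIR, PREF_DOMAIN and PREF_KEY are placeholders; take the real
values from Leitschuh's write-up, e.g.:
       zoom_mitigate.sh --apply <port> "$HOME/<server dir>" <domain> <key>
EOF
}

case "${1:-}" in
    --check) port_state "$2" ;;
    --apply)
        [ $# -eq 5 ] || { usage; exit 2; }
        stop_listener "$2"
        block_relaunch_dir "$3"
        disable_auto_video "$4" "$5"
        echo "port $2 is now: $(port_state "$2" || true)"
        ;;
    *) ;;   # no arguments (e.g. when sourced): only define the functions
esac
```

Run `sh zoom_mitigate.sh --check <port>` before and after `--apply` to confirm the listener is gone; a result of `unknown` means `lsof` is missing and the port was not inspected. The relaunch block deliberately swaps the directory for an empty, mode-000 file rather than deleting it, since an empty slot would simply be recreated on the next launch.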