After initially defending their decision to install insecure local web servers on Mac users’ machines that posed a major security risk and could be hijacked by attackers, teleconferencing app Zoom has backtracked and has said it will quickly remove the “feature.”
News of the exploit first came via security researcher Jonathan Leitschuh, who published a detailed Medium post demonstrating how Zoom’s insecure implementation of a feature called “click-to-join,” which enables easy video meetings, could be used to connect Mac users to a chat room and activate their webcams without their knowledge by embedding some code in a website. (The local server also persisted after uninstalling the Zoom Mac client and would “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,” Leitschuh added – meaning anyone who had ever installed Zoom could potentially be exposed to the same risk.) Leitschuh aptly summed up his findings in the form of a website that, when accessed using a Mac that had Zoom currently or previously installed, would immediately open a video chat room as well as activate the users’ webcam unless they had a specific setting toggled.
Leitschuh wrote that Zoom had failed to heed his warnings for months and only implemented a partial fix at the last minute, while the company told ZDnet on Monday the technique was a “legitimate solution to a poor user experience” in due to changes in Safari 12 (namely, a privacy protection feature that forced users to verify they actually wanted to launch Zoom).
I mean, the platform owner decides that web URLs shouldn't open other apps without an approval click--a pretty sensible security measure. Your response as a company probably shouldn't be, "let's bypass this by invisibly installing a server that's a potential security hole."
— Jason Snell (@jsnell) July 9, 2019
But in a post on Tuesday the company conceded and said it has launched a patch removing the web servers from Mac machines. Per Wired, after security experts raised the alarm around Leitschuh’s findings, Zoom CEO Eric Yuan personally entered one of the chat rooms the researcher set up to announce the change:
“I’m seriously considering blocking the port used for that web server,” Mac researcher Thomas Reed told WIRED on Tuesday before Zoom announced the change. David Wells, a researcher who has evaluated Zoom security before, called Leitschuh’s findings “downright creepy.”
On Tuesday afternoon, company CEO Eric Yuan told Leitschuh and other researchers that Zoom would remove the local web server functionality it was using to bypass protections in Safari and facilitate instant meeting joins. Yuan shared the news in one of the Zoom meetings Leitschuh had created as a malicious proof of concept.
Zoom said it is also moving forward with a previously announced fix that will give users more control over default video settings when joining a call.
In an interview with the Verge, Zoom chief information security officer Richard Farley explained that the company was basing the move off of “feedback” from those “following this and contributing to the discussion.” Farley told the Verge, “Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks – we believe that was the right decision. And it was [at] the request of some of our customers.”
“But we also recognize and respect the view of others that say they don’t want to have an extra process installed on their local machine,” Farley added. “So that’s why we made the decision to remove that component – despite the fact that it’s going to require an extra click from Safari.”
“On the one hand it took over 100 days for them to actually take this seriously and it required public outcry,” Leitschuh told Wired. “On the other hand it’s a really good thing to see that a company can apologize for their mistakes and be willing to work with the community and researchers. It’s now on all of us to hold them accountable.”