Zoom patches webcam security flaw for Mac users

Video conferences are supposed to be easy, private, secured and limited to only the participants. But the Zoom video conference app failed in that regard— as reported yesterday, a tech veteran found a serious flaw in the app that made any Mac with Zoom installed open to outside webcam access.

Jonathan Leitschuh, the tech veteran who first spotted the problem late this March said that the problem is caused by the way Zoom is programmed to set up meetings and video conferences. To set up a conference meeting, users must send a web link to the participants to click and participate. Since Mac computers have different architecture compared to Windows-based ones, Zoom for Mac installs a standalone web server on every computer to make connectivity easier.

This gave attackers the opportunity to put malicious code on websites that connect to the hidden web server (e.g. the Outlook web app). When users visited these websites again, an attacker could have easily accessed the victim’s webcam at any time via the web server; and being a standalone software, the web server remains in the Macs that had Zoom installed, and stays there even when the app is removed completely by the user.

Calling the flaw “bananas”, MetaFilter founder Matt Haughey wrote on Twitter that he clicked on one of the proof-of-concept links shared by Mr. Leitschuh and he managed to get connected to three other users.

‘Surprising lack of responsibility’

Mr Leitschuh also said in his blog that when he first discovered the flaw, he contacted Zoom to let them know of it and warned that he’ll take it to the public in 90 days if it’s not resolved. After several discussions, the company proposed a “quick fix”, in the form of a patch, as he describes it.

Commenting on the matter, Eoin Keary, CEO, and co-founder of Edgescan said: “A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner. This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline.

“This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks,” Keary continued: “Persisting a web server on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor. It’s underhanded and breaches trust boundaries.

“A very poor decision by the folks at Zoom,” he added.

Zoom, on the other hand, defended themselves, saying that it would be obvious if someone falls prey to hackers as the app is programmed to be the foremost window on users’ screens, however, they’ve rolled out an update that changes the way meeting links are set up. It also ensures the webcam is turned off by default to address the issue.

Physical security: Webcam lens covers

When cybersecurity lets you down, the best solution is to always cover yourself physically; and in this case, covering your webcam physically.

“This is a good example of why you should never overlook physical security,” said Lamar Bailey, Senior Director of Security at Tripwire.

“The little adhesive camera covers available by the dozens at every computer conference or for a couple dollars on Amazon are a much better solution than relying on software to do the right thing. We install so many apps these days it is hard to keep up with the permissions they require and what they turn on by default on upgrades and reinstalls. A physical barrier is far superior’.

In fact, it is also best to prevent any applications from accessing the internet if it doesn’t need to; “If you can airgap parts of the network then do so. IoT devices should be segregated on different segments or virtual networks whenever possible. The more access a system or network has, the more susceptible it is to breach.” Bailey added.