Jonathan Leitschuh has just reported “a vulnerability in the Mac Zoom Client” that allows “any malicious website to enable your camera without your permission”. The issue, tracked as CVE-2019-13450, potentially puts at risk up to 750,000 companies around the world that use Zoom to conduct day-to-day business, Leitschuh said in a Medium post.
The CVE-2019-13450 vulnerability is present even after the Mac user has uninstalled the Zoom client, making it possible for a remote attacker to activate the device’s webcam. Why is this so threatening? Because Zoom is one of the best-known cloud-based platforms for video, audio and screen sharing. The platform is widely adopted by enterprises across the globe, as it is used for webinars, online courses, meetings, training and more.
In addition, the Zoom client app for Mac computers can allow attackers to execute arbitrary code remotely. It should be noted that this attack is only possible when the flaw is chained with a separate vulnerability. The two vulnerabilities are the following:
DOS Vulnerability — Fixed in Client version 4.4.2 — CVE-2019-13449
Information Disclosure (Webcam) — Unpatched — CVE-2019-13450
In short, the issue stems from the click-to-join feature, which was designed to launch Zoom automatically so that users can quickly join a video meeting from their web browser. “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine,” the researcher explained.
As noted, the only action needed is a click on an invite link. What the researcher discovered is that this feature relies on a local web server running on the system on port 19421. The server receives commands via HTTPS GET requests, and any website open in the user’s browser can interact with it. This behavior is rather insecure.
How Can CVE-2019-13450 Be Exploited against Mac Users?
The only thing an attacker would have to do is create an invite link through an account on Zoom’s website and embed it in a third-party website as an image tag or in an iFrame. Then the attacker would need to convince the target to visit that particular website.
What did Zoom do to secure its users? Apparently, the company wasn’t efficient in its actions, as is evident from Leitschuh’s post:
This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the ‘quick fix’ solution originally suggested.
As noted by the researcher, the vulnerability is effectively a zero-day flaw: it was not fixed within the 90-day disclosure period that is the “industry standard”. This leaves more than 4 million users of Zoom on Mac vulnerable to this serious privacy bug.
However, users can address the issue themselves by disabling Zoom’s ability to turn on the webcam when joining a meeting. The same setting can also be applied from the terminal:
# For just your local account
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
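The following audit script is an added example, not code from the article, from Leitschuh or from Zoom. It checks the two points the article discusses on a Mac: whether the ZDisableVideo preference is set (using the two plist paths from the commands above, read back with `defaults read`, which accepts a plist path the same way `defaults write` does) and whether any process is still listening on local TCP port 19421. The `lsof -nP -iTCP -sTCP:LISTEN` invocation, the parsing of its output and the sample listing (including the process name `ZoomOpene` in it) are assumptions constructed for illustration; the helper functions take their input as arguments so they can be run against that sample text on any system.

```shell
#!/bin/sh
# Added audit script (assumed layout; not from the article or from Zoom).
# Checks a Mac for the webcam mitigation (ZDisableVideo) and for a process
# still bound to local port 19421, the port the click-to-join helper used.

ZOOM_HELPER_PORT=19421

# has_listener_on_port PORT LISTING
# LISTING is the text of `lsof -nP -iTCP -sTCP:LISTEN` (numeric ports, one
# socket per line). Returns 0 when a process is bound to PORT in LISTEN state.
has_listener_on_port() {
    printf '%s\n' "$2" | grep -E "[:]$1 \(LISTEN\)" >/dev/null 2>&1
}

# listener_owner PORT LISTING
# Prints the COMMAND column of the first line bound to PORT, or nothing.
listener_owner() {
    printf '%s\n' "$2" | grep -E "[:]$1 \(LISTEN\)" | awk '{print $1; exit}'
}

# video_disabled VALUE
# VALUE is what `defaults read <plist> ZDisableVideo` printed: "1", "0", or
# empty when the key is absent. Returns 0 only when the value is 1.
video_disabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# audit_verdict LISTING USER_PREF SYSTEM_PREF
# Prints one summary line. The camera mitigation is in place when either the
# per-user or the system-wide ZDisableVideo value is 1; the listener field tells
# you whether the local helper is still present at all.
audit_verdict() {
    if has_listener_on_port "$ZOOM_HELPER_PORT" "$1"; then l=yes; else l=no; fi
    if video_disabled "$2"; then u=yes; else u=no; fi
    if video_disabled "$3"; then s=yes; else s=no; fi
    printf 'listener=%s user_video_disabled=%s system_video_disabled=%s\n' "$l" "$u" "$s"
}

# Constructed sample of lsof output (not captured from a real machine): the
# helper bound to localhost next to an unrelated SSH listener.
SAMPLE_LISTING='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 4242 alice    5u  IPv4 0x1a2b     0t0  TCP 127.0.0.1:19421 (LISTEN)
sshd       101  root    3u  IPv4 0x3c4d     0t0  TCP *:22 (LISTEN)'

# Live run, only where the macOS tools exist; elsewhere the functions above can
# still be exercised on the constructed sample.
if command -v defaults >/dev/null 2>&1 && command -v lsof >/dev/null 2>&1; then
    listing=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null || true)
    user_pref=$(defaults read ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 2>/dev/null || true)
    sys_pref=$(defaults read /Library/Preferences/us.zoom.config.plist ZDisableVideo 2>/dev/null || true)
    audit_verdict "$listing" "$user_pref" "$sys_pref"
    owner=$(listener_owner "$ZOOM_HELPER_PORT" "$listing")
    if [ -n "$owner" ]; then
        echo "process listening on port $ZOOM_HELPER_PORT: $owner"
    fi
fi
```

Run with `sh zoom_audit.sh` on the Mac in question. A verdict of `listener=yes` with both video fields `no` means the helper is still present and the webcam mitigation has not been applied; after running either of the `defaults write` commands above, the corresponding field should flip to `yes`. Because the user-level plist only covers one account, the system-wide check is the one to rely on for shared machines.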