Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Jonathan Leitschuh
Jul 8 · 16 min read

CVE-Numbers

UPDATE — July 9th (am)

As far as I can tell, this vulnerability also impacts RingCentral. RingCentral's web conferencing system is a white-labeled Zoom system.

UPDATE — July 9th (pm)

According to Zoom, they will ship a fix by midnight tonight, Pacific time, removing the hidden web server; hopefully this patches the most glaring parts of this vulnerability. The Zoom CEO has also assured us that they will be updating their application to further protect users' privacy.

UPDATE — July 15th

If you have updated Zoom to the latest version, you are now greeted with this new UI confirming you would actually like to join the meeting.

UPDATE — July 17th

It has since come to light that Zoom and 13 of their white-label applications contained a Remote Code Execution (RCE) vulnerability: Zoom, RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, Zoom CN, EarthLink Meeting Room, Video Conferencia Telmex, and Accession Meeting. Apple has since silently removed these applications from your computer using MRT (the macOS Malware Removal Tool).


Foreword

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

Yep, no joke.

Timeline

  • Mar 8, 2019 — Requested security contact via Twitter (no response).
  • Mar 26, 2019 — Contacted Zoom Inc via email with 90-day public disclosure deadline. Offered a “quick fix” solution.
  • Mar 27, 2019
    - Requested confirmation of reception.
    - Informed that Zoom Security Engineer was Out of Office.
    - Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
  • Apr 1, 2019 — Requested confirmation of vulnerability.
  • Apr 5, 2019 — Response from Zoom Security Engineer confirming and discussing severity. Settled on CVSSv3 score of 5.4/10.
  • Apr 10, 2019 — Vulnerability disclosed to Chromium security team.
  • Apr 18, 2019 — Updated Zoom with the suggestion from Chromium team.
  • Apr 19, 2019 — Vulnerability disclosed to Mozilla FireFox security team.
  • Apr 26, 2019 — Video call with Mozilla and Zoom Security Teams.
    - Disclosed details of impending DNS expiration.
  • June 7, 2019 — Email from Zoom about a video call to discuss fix.
  • June 11, 2019 — Video call with Zoom Security team about impending disclosure. Discussed how Zoom’s planned patch was incomplete.
  • June 20, 2019 — Contacted about having another video call with Zoom Security Team. Declined by me due to calendar conflicts.
  • June 21, 2019 — Zoom reports vulnerability was fixed.
  • June 24, 2019 — 90-day public disclosure deadline ends. Vulnerability confirmed fixed with ‘quick fix’ solution.
  • July 7, 2019 — Regression in the fix causes the video camera vulnerability to work again.
  • July 8, 2019
    - Regression fixed.
    - Workaround discovered & disclosed.
    - Public Disclosure.

Details

On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port 19421. You can confirm this server is present by running lsof -i :19421 in your terminal.

Here’s the code on the Zoom site that tipped me off to this localhost server.
[Figure: Browser console logs when visiting https://zoom.us/j/492468757]
The two numbers are the pixel dimensions of the image returned by the web server.

The Video Call Vulnerability

I created a personal meeting with a different account, cracked open Postman, and started removing parameters to see what the minimal GET request required to launch a Zoom meeting was. It came down to a single parameter:

  • confno=[whatever the conference number is]

The above-described behavior continues to work to this day! You can still use this exploit to launch someone into a call without their permission.



[Figure: You can choose to enable a participant’s video camera when they join the call.]
Or if you want the video camera activated, just embed a Zoom join link in your site with an iframe.
[Figure: One line, it’s really that simple.]
[Figure: When responding to responsible disclosure, don’t go into PR spin mode. It’s counterproductive.]

The Denial Of Service (DOS) Vulnerability

This same vulnerability also allowed an attacker to DoS any user’s machine. By simply sending repeated GET requests with a bad conference number, the Zoom app would constantly request ‘focus’ from the OS. The following simple PoC demonstrated this vulnerability.

[Figure: Proof of concept for a DoS attack against any Zoom user on Mac]

The Install Vulnerability

If you have ever installed Zoom on your computer, this web server is installed. It continues to run even if you uninstall Zoom from your computer.

[Figure: Takes arguments from some API request and uses them to craft a download URL used to upgrade the installed version of Zoom?]
[Figure: Ensures the download URL is only under ‘trusted’ subdomains.]

To see this for yourself:
  1. Open the Zoom client, then shut it down.
  2. Uninstall the Zoom client from your computer by dragging the Applications/zoom.us.app file to the trash.
  3. Open any Zoom join link and Zoom will ‘helpfully’ be re-installed for you in the Applications folder and will be launched by this web server.
[Figure: You can clearly see the URL to be used to download the Zoom installer if Zoom needs to be re-installed.]

Fundamental Security Vulnerability

In my opinion, websites should not be talking to desktop applications like this. There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users' machines.

Ordinarily, all localhost requests from JavaScript are forbidden by browsers. Zoom’s local server gets around this by answering with an image: the page loads it as an image and reads the image’s pixel dimensions as the response, which is what the two numbers in the console log above are.

Zoom’s Proposed Fixes

The fix proposed by the Zoom team was to digitally ‘sign’ the request made to the client. However, this simply means that an attacker would have to have a backend server that makes requests to the Zoom site first to gain a valid signature before forwarding the signature on to the client.

Conclusion

As of 2015, Zoom had over 40 million users. Given that Macs are 10% of the PC market and Zoom has grown significantly since 2015, we can assume that at least 4 million of Zoom’s users are on Mac. Tools like Zoom, Google Meet and Skype for Business are staples of today's modern office.

Consequences

This is essentially a zero-day. Unfortunately, Zoom did not fix this vulnerability within the 90-day disclosure window I gave them, which is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service.

Patch Yourself

If you want to patch this vulnerability for yourself, you can do the following.
[Figure: Disable the ability for Zoom to turn on your webcam when joining a meeting.]

Instead of using the application’s UI to disable this, you can also use the terminal.
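The script below is an added example and is not code from the original post or from Zoom. It gives a Mac administrator a quick, defender-side check for the two conditions described above: whether anything is still listening on the local web server port 19421, and whether that listener has been orphaned because zoom.us.app was dragged to the trash (the install vulnerability). The port and the /Applications/zoom.us.app path come from the post; the daemon name "zoomsvc", the PIDs and the sample lsof output are constructed so the parser can be exercised offline, and the four state labels are my own.

```shell
#!/bin/sh
# Added example (not from the original post): detect the local Zoom web
# server on port 19421 and report whether it has outlived the application.
# Port and app path are from the post; sample data below is constructed.

ZOOM_PORT=19421
ZOOM_APP="/Applications/zoom.us.app"

# Read `lsof -nP -iTCP` output on stdin and print "PID COMMAND" for each
# process LISTENing on $ZOOM_PORT. Client connections to the port
# (ESTABLISHED) and listeners on other ports are ignored; the header line
# is skipped because its last field is "NAME", not "(LISTEN)".
zoom_listeners() {
  awk -v port="$ZOOM_PORT" '
    $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $2, $1 }
  '
}

# Combine the listener list with the app's presence into one state:
#   orphaned     - server listening but zoom.us.app has been removed
#   app-present  - app installed and server listening (expected while installed)
#   app-only     - app installed, nothing listening right now
#   clean        - nothing listening and app absent
classify() {
  listeners="$1"      # output of zoom_listeners, possibly empty
  app_installed="$2"  # "yes" or "no"
  if [ -n "$listeners" ] && [ "$app_installed" = "no" ]; then
    echo orphaned
  elif [ -n "$listeners" ]; then
    echo app-present
  elif [ "$app_installed" = "yes" ]; then
    echo app-only
  else
    echo clean
  fi
}

# Constructed sample of `lsof -nP -iTCP` output; "zoomsvc" is a made-up name.
SAMPLE_LSOF='COMMAND   PID  USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
zoomsvc   1234 alice 4u   IPv4 0x1a2b 0t0      TCP  127.0.0.1:19421 (LISTEN)
Safari    2222 alice 50u  IPv4 0x3c4d 0t0      TCP  127.0.0.1:52000->127.0.0.1:19421 (ESTABLISHED)
sshd      3333 root  5u   IPv4 0x5e6f 0t0      TCP  *:22 (LISTEN)'

# Offline demo against the constructed sample: prints "1234 zoomsvc".
printf '%s\n' "$SAMPLE_LSOF" | zoom_listeners

# Live check on this machine; only runs where lsof is available.
if command -v lsof >/dev/null 2>&1; then
  live=$(lsof -nP -iTCP:"$ZOOM_PORT" 2>/dev/null | zoom_listeners)
  if [ -d "$ZOOM_APP" ]; then installed=yes; else installed=no; fi
  echo "listeners on :$ZOOM_PORT -> ${live:-none}"
  echo "state: $(classify "$live" "$installed")"
fi
```

Run it as a normal user; an "orphaned" result means the server described in this post is still running after the application was removed, which is the condition to investigate. The filter keys on the LISTEN state rather than on a process name so that a renamed or white-labeled daemon is still caught.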

Notes For Researchers

Given the massive install base for Zoom, I highly recommend that other researchers take the time to explore this Zoom web server to see what other vulnerabilities exist. That being said, I also recommend that any researcher who finds a vulnerability in Zoom’s software does not report it directly to Zoom. Instead, I recommend that researchers report these vulnerabilities via the Zero Day Initiative (ZDI). The ZDI disclosure program gives vendors 120 days to resolve the vulnerability, the ZDI pays researchers for their work, and researchers retain the ability to publicly disclose their findings.

If you enjoyed this story, please click the 👏 button and share to help others find it. Feel free to leave a comment!



InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Jonathan Leitschuh, Software Engineer at Gradle Inc.; Security Researcher; Open Source Contributor.
