Zoom Hack Lets Attackers Access Mac’s Webcam, Affects 4 Million Users

Jul 9, 2019

Webcam hacks keep every well-informed computer or smartphone user on their toes. Users are often advised to keep their webcams covered unless using them, and manufacturers such as Apple equip their devices with a light that turns on if the webcam is activated. While the integrity of such indicators is a subject of debate, we've got a big vulnerability for Apple's macOS today. This vulnerability isn't the company's fault though. Instead, the blame lies with the popular video chat app Zoom (NASDAQ:ZM). Take a look below for more details.

Zoom Vulnerability For macOS Allows Websites To Access A System's Webcam, Affects More Than 4 Million Users

If you're using Zoom, then you might be at risk. A vulnerability in the app, discovered by security researcher Jonathan Leitschuh, can allow hackers to gain access to your Mac's webcam. This is a result of Zoom's app creating a web server in macOS which allows the machine to accept requests that a regular browser will not. This, in turn, allows a website to forcefully join a user to a video call, with the user's webcam activated.


Zoom's web server on the Mac runs on port 19421, and according to the details, the web server installed by Zoom can also reinstall the app on a Mac if a user had previously uninstalled it. The reinstall behavior is particularly dangerous when the registration of a domain listed inside the application expires. One domain, zoomgov.com, had its domain expiry set for May 1st, 2019. If Leitschuh had not disclosed his discovery to Zoom on the 26th, the expired domain would have allowed hackers to install corrupt versions of Zoom on users' Macs.

Screenshot from Jonathan's proof of concept link.

Additionally, another important discovery made by Leitschuh reveals that Zoom's web server on the Mac bypasses the Cross-Origin Resource Sharing (CORS) policy by returning data "encoded in the dimensions of an image file". After further research, Jonathan was also able to bypass a user's choice of whether to activate their video for a Zoom call. By embedding a Zoom join link in a website, or an advertisement, hackers can force users to join a video call with the users' webcam turned on, without the users' permission. Furthermore, as the local Zoom web server runs in the background of a Mac, the user does not even need to have the app up and running for the exploit to work.

All it takes is a single click to access users' web cameras.

When Leitschuh contacted Zoom and asked them to disable the meeting creator's ability to turn on participants' video, he received the following response:

Zoom believes in giving our customers the power to choose how they want to Zoom. This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting. Such configuration options are available in the Zoom Meeting client audio and video settings.

However, we also recognize the desire by some customers to have a confirmation dialog before joining a meeting. Based on your recommendations and feature requests from other customers, the Zoomteam [sic] is evaluating options for such a feature, as well as additional account level controls over user input device settings. We will be sure to keep you informed of our plans in this regard.

Initially, Zoom patched the creator's ability to turn on participants' video camera, but this patch regressed on July 7th. The company's solutions to the vulnerability were to:

  1. Digitally sign each request made to a client.
  2. Lock the request making IP signature.

However, the researcher was able to bypass both these fixes.


If you're running Zoom, you can patch the vulnerability through the application's settings in Preferences. Or, you can run the following commands* in Terminal:

# For just your local account
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

To kill the webserver that's running in the background you'll have to:

  1. Find the process ID of the process by running "lsof -i :19421".
  2. Kill the process by running "kill -9 [process number]".
  3. Delete the "~/.zoomus" directory.
  4. Run "pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;" and "pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;" to prevent the server from restoring after updates.
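
To confirm that the steps above took effect, the following check script can be run afterwards. It is an added example, not part of the original article and not one of Jonathan Leitschuh's commands; the port, paths and preference key are the ones quoted above, while the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the mitigation state described in the article.
# Port, paths and the ZDisableVideo key come from the article;
# the function names (opener_state, listener_pids, audit) are hypothetical.

PORT=19421

# Classify an opener path (~/.zoomus or ~/.ringcentralopener):
#   installed - a directory exists, i.e. the helper web server is installed
#   absent    - nothing there, so an update could recreate the directory
#   blocked   - placeholder file with mode 000 (touch + chmod 000 was applied)
#   unlocked  - placeholder file exists but still has permissions set
opener_state() {
  if [ -d "$1" ]; then echo installed
  elif [ ! -e "$1" ]; then echo absent
  # Parse the ls mode string so the check behaves the same on macOS and Linux.
  elif [ "$(ls -ld "$1" | cut -c1-10)" = "----------" ]; then echo blocked
  else echo unlocked
  fi
}

# Print PIDs listening on a TCP port; prints nothing if none or lsof is missing.
listener_pids() {
  command -v lsof >/dev/null 2>&1 || return 0
  lsof -nP -iTCP:"$1" -sTCP:LISTEN -t 2>/dev/null || true
}

# Report the state of both opener paths, the port and the video preference.
audit() {
  for name in .zoomus .ringcentralopener; do
    echo "$1/$name: $(opener_state "$1/$name")"
  done
  pids=$(listener_pids "$PORT")
  echo "listeners on port $PORT: ${pids:-none}"
  # macOS only: read back the value written with "defaults write".
  if command -v defaults >/dev/null 2>&1; then
    plist="$1/Library/Preferences/us.zoom.config.plist"
    echo "ZDisableVideo: $(defaults read "$plist" ZDisableVideo 2>/dev/null || echo unset)"
  fi
}

audit "${1:-$HOME}"
```

After the full procedure, both paths should report "blocked", no listener should be shown on the port, and ZDisableVideo should read 1.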

Given Zoom's user base, and how companies and universities around the world use the application for communication, the application's developers have a lot to answer for. As this saga unfolds, we're bound to see interesting developments.

Zoom filed for its IPO (Initial Public Offering) in March, and the company went public on April 18, 2019. Its stock closed at $62, up from the initial price of $36. This vulnerability will affect the company's stock price negatively, especially as it isn't the first one to affect the video communications application. Zoom's stock opened at $90 at the start of today's trading and is at $89.78 at the time of writing.

The company has been described as a 'unicorn' by Wall Street, indicating that investors do not expect it to live up to the hype generated by strong investor response in Zoom. As news of this vulnerability starts to spread, the company might see its fortunes reverse. Additionally, short sellers will get excited at the prospect of the company's stock price going down.

For its part, Zoom reported $122 million in revenue for its Q1 2020, beating analyst estimates by $10 million. It also reversed a negative Free Cash Flow of $1.1 million in Q1 2019 by reporting $15.3 in FCF for the quarter. The company gave optimistic revenue forecasts of $535-$540 million for the year 2020.

As a reminder, Wccftech is not responsible for any loss incurred from trading conducted based on information in this post. Conduct your due diligence from other sources too before putting money in the market folks.


*All commands are courtesy of Jonathan Leitschuh.