Zoom Spying Vulnerability: The Plot Thickens

Last week, we learned that the Zoom app for macOS has a nasty bug, allowing a hacker to spy on you. It allows remote access to your cam and mic, even after you’ve uninstalled the app.

Zoom leaves behind a locally running webserver. An Apple update fixes it, but now we find there are white-label versions of Zoom that come with the same bug.

RingCentral and Zhumu are the two we know about so far, but the Apple update doesn’t fix those. In today’s SB Blogwatch, we switch off all the Macs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: scams.


Zoom RCE FAIL

What’s the craic? In case you’ve been living under a rock, here’s Savia Lobo with the CliffsNotes—“Apple patched vulnerability in Mac’s Zoom Client”:

 The Mac Zoom client vulnerability allowed any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. … On July 9, the same day when security researcher Jonathan Leitschuh revealed the vulnerability … Apple released a patch that removes the local web server entirely and also allows users to manually uninstall Zoom.

As the vulnerability was capable of re-installing the Zoom Client applications, Apple first stopped the use of a local web server on Mac devices. It then removed the local web server entirely. … After the complete update, the local web server will be completely removed on that device.

Nice. But what’s this? Nicole Nguyen—“RingCentral Is Also Affected By The Zoom Flaw”:

 The fallout from Zoom’s massive webcam vulnerability continues. … Security researcher Karan Lyons shows that the same flaw … affects RingCentral, which is used by over 350,000 businesses, as well as Zhumu, essentially the Chinese version of Zoom.

RingCentral … is urging all customers to accept the update (v7.0.151508.0712) patching the flaw. While the update removes a hidden web server containing the vulnerability from customers’ laptops … for people who have uninstalled the RingCentral app, there is no way to easily remove the hidden server.

On July 10, Apple released a silent automatic update … removing the hidden Zoom web server and protecting users from the vulnerability. The update does not remove the web server installed by RingCentral or Zhumu.

[The bug is] because of … a localhost web server … designed to run constantly in the background, and is automatically installed alongside Zoom’s desktop app. [It] was designed as a “workaround” to a security change in Safari 12, requiring users to accept launching Zoom before every meeting, a Zoom spokesperson said. [But] deleting the Zoom desktop app did not uninstall the web server.

Get the gist? Get it from Karan Lyons—“Fix for Zoom, RingCentral, Zhumu (and possibly more) RCE vulnerabilities”:

 These three commands do the same thing for the three most popular white labels of Zoom. … They remove the web server if it exists … and create an empty file and set permissions on it such that the hidden server cannot be reinstalled.

If you are aware of any other rebranded Zoom applications, please let me know.

Yikes. Jonathan Leitschuh—@JLLeitschuh—clarifies:

 All other Zoom white labels are assumed to be vulnerable. These are not yet removed by Apple.

Single sources of code do lead to vulnerabilities in all their users, but the same can be said for open source software as well. A vulnerability in a popular library means all its users are potentially vulnerable.

But why the webserver? Jeff Johnson explains, “A problem worse than Zoom”:

 On macOS, an app can register to handle URL schemes. … For example, an email client may register to handle the well known mailto scheme. [But] Safari now requires user confirmation every time that Safari opens an app that handles a custom URL scheme.

Constantly requiring confirmation is obviously incredibly annoying. [So] instead of using a custom URL scheme for their app, [Zoom] decided to install a localhost web server [to] receive the request and open the Zoom app.

Unfortunately, Zoom messed up their implementation in a number of ways. The worst problem was a vulnerability that allowed a maliciously crafted web page to add a Zoom user to a meeting without their consent.

How was Zoom’s little trick even possible in the first place? Why does Safari allow a web page … to make requests to a localhost server? Is this possibility not surprising to you?

The problem is actually worse than this. The major browsers … all allow web pages to send requests not only to localhost but also to any IP address on your Local Area Network! Can you believe that? I’m both astonished and horrified.

Can you imagine the possibility of a maliciously crafted web page loaded in Safari being able to access your … Apple TV or another AirPlay receiver … router and modem? … In general, there’s no reason why a page on the internet should be allowed to access devices on your local area network. … That seems absurd.

Do you agree? xvector does—totally:

 Totally agree. I don’t think it makes sense for an arbitrary website to send requests against ****ty IOT devices in someone’s home, for example.

The obvious, ethical solution is for the browsers to implement this layer of protection and make it obvious to the users when an access is attempted.

As does kabwj:

 I work as a web developer, I consider myself to be more or less well versed in security, and it would have never occurred to me that websites can make requests to devices inside the standard [RFC1918] private blocks of addresses. I think it stands to reason that these requests should be blocked in the same way requests to the file:// protocol are.

A forced update though? Here’s AmiMoJo:

 That’s the problem with silent, forced updates. You don’t have control over your computer, it belongs to Apple.

Imagine if Microsoft did this. People would be up in arms about how the evil empire can run arbitrary code on their computers and looking for ways to block it.

I’d prefer it to be patched, but with the user’s consent. As Microsoft have demonstrated, sometimes the cure is worse than the disease.

To which this Anonymous Coward is stuck in a moment you can’t get out of:

 Well at least they didn’t install a U2 album.

Meanwhile, bendbro eyerolls furiously:

 Should we disable localhost requests from webpages? Abso-****ing-lutely not.

In other news, the sky is blue, trees are green, and shooting yourself in the foot still makes you bleed.

And Finally:

Behind the QTech BPO scam


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Dee Teal (cc:by-nd)

Featured eBook
The Next Generation of Application Security

The Next Generation of Application Security

Application security is usually done by finding, fixing and preventing vulnerabilities, with an emphasis on finding solutions to prevent cybersecurity events in the future. However, many of the breaches we’re seeing are caused by a vulnerability related to the application, often because developers move so quickly to push out new code. AppSec promises to become ... Read More
Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 85 posts and counting.See all posts by richi