In recent days the web application security audit specialist Jonathan Leitschuh revealed the existence of a zero-day vulnerability in Zoom, the popular video conferencing software. Threat actors can abuse the “click-to-join” feature, which lets Mac users join a Zoom session through a browser link: the feature relies on a local web server, installed alongside the Zoom client, that accepts and executes requests a browser would not normally be permitted to make.
If exploited, this vulnerability would allow attackers to hijack Zoom sessions, forcing Mac users into a call without asking their permission and activating their webcams.
The web application security audit specialist claims that the local server persists on the affected system even after the user removes the Zoom application from their computer; Leitschuh further claims that the video conferencing software can then be reinstalled automatically. “The company has done little to correct this flaw,” he says.
Leitschuh released a demo of the attack after disclosing the flaw: using a single link, the expert redirected Mac users who had ever used Zoom straight into a video conferencing session, and even activated the webcams of users who clicked on the link. “It is possible to embed such a link on any website, as well as in advertisements or as part of phishing campaigns”.
Arbitrarily redirecting Mac users into a Zoom session is not the only way attackers can abuse this service. According to web application security audit experts from the International Institute of Cyber Security (IICS), the presence of this web server on affected Mac computers could also create denial of service (DoS) conditions on the device by repeatedly sending requests to the web server.
The specialist contacted the company last March; in response, Zoom released a security patch that disabled the ability to enter a video conference automatically. However, this is not a complete fix for the vulnerability, so the expert disclosed it publicly once the deadline given to the company for correcting the flaw had expired.
For now, Mac users will need to apply some manual settings as a temporary protection measure until Zoom definitively corrects the vulnerability.