Zoom Vulnerability

The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer's camera.

It's a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app:

> This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
>
> On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
>
> Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.
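An added example (not from the post, the disclosure, or Zoom's own code) that models the design problem the quote describes: a localhost web server answers any request a browser sends it, so `vulnerable_handler` launches a call for any web page, while `hardened_handler` shows the checks such a listener would need. The Origin/Sec-Fetch-Site check, the install token and the camera-off prompt are illustrative assumptions, not Zoom's actual fix.

```python
from urllib.parse import parse_qs, urlparse

# Hypothetical per-install secret that only the legitimate client would know;
# the server the post describes had no such check.
INSTALL_TOKEN = "constructed-install-token-1234"


def _meeting_number(path):
    """Return the confno query parameter of a /launch request path, or None."""
    url = urlparse(path)
    if url.path != "/launch":
        return None
    return parse_qs(url.query).get("confno", [None])[0]


def vulnerable_handler(path, headers):
    """Models the behaviour the post describes: any GET /launch?confno=...
    reaching the localhost server joins the call with the camera on."""
    confno = _meeting_number(path)
    if confno is None:
        return {"action": "ignore"}
    return {"action": "launch", "confno": confno, "video": True}


def hardened_handler(path, headers):
    """Same endpoint with the checks a localhost listener needs (assumed design)."""
    confno = _meeting_number(path)
    if confno is None:
        return {"action": "ignore"}
    # A browser adds Origin or Sec-Fetch-Site to requests a web page made;
    # neither is present when the user or the app itself opens the URL.
    if headers.get("Origin") or headers.get("Sec-Fetch-Site", "none") != "none":
        return {"action": "reject", "reason": "cross-site request"}
    # Even a browser that sends neither header cannot know the install token.
    if headers.get("X-Install-Token") != INSTALL_TOKEN:
        return {"action": "reject", "reason": "bad or missing install token"}
    # Ask the user instead of joining; the camera stays off until they turn it on.
    return {"action": "prompt", "confno": confno, "video": False}


# Constructed request, as a hostile web page's cross-site GET would arrive.
HOSTILE_REQUEST = ("/launch?confno=123456789", {"Sec-Fetch-Site": "cross-site"})
# Constructed request from the legitimate client, carrying the install token.
CLIENT_REQUEST = ("/launch?confno=123456789", {"X-Install-Token": INSTALL_TOKEN})

if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(*HOSTILE_REQUEST))
    print("hardened  :", hardened_handler(*HOSTILE_REQUEST))
    print("client    :", hardened_handler(*CLIENT_REQUEST))
```

The token check matters because a plain cross-site GET does not always carry an Origin header, so header checks alone are not enough; the only real fix for a listener like this is the one Apple shipped, removing it.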

Zoom didn't take the vulnerability seriously:

> This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a 'quick fix' Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the 'quick fix' solution originally suggested.

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

EDITED TO ADD (8/8): Apple silently released a macOS update that removes the Zoom webserver if the app is not present.

Posted on July 16, 2019 at 12:54 PM • 18 Comments

Comments

Pretzel • July 16, 2019 3:39 PM

This sounds like a case where the European GDPR might cause Zoom quite the financial headache.

John Smith • July 16, 2019 4:05 PM

> Additionally, if you've ever installed the Zoom client
> and then uninstalled it, you still have a localhost web
> server on your machine

Holy Jesus what the...!??!

Uninstalled? check.

Oh. Yup. Totally uninstalled. Except for the web-server. Don't worry about it.

WHAT???!

Was this incompetence, inadvertent, or was it intentional? "yes, we left a web-server on there for the *feature* of silent reinstallation, in case the user ever changed his mind!"

These guys remind me of RealNetworks. Remember them? bunch of... underhand, slimy, nasty, spyware-before-spyware guys.

So, they leave a web-server behind after uninstallation.

Obvious question now: what is the app doing when it *is* installed, that they're not telling you about?

RealFakeNews • July 16, 2019 5:35 PM

What is wrong with the world? Today you can build cars that spontaneously catch fire, software that spies on you, aircraft that are rammed through certification and kill you, and no-one seems to care anymore??

What happened to scandal meaning the end of a company?

Esteban • July 16, 2019 7:28 PM

RealFakeNews appears to believe that the Ford Pinto never existed, or the DC10, and that no one even spied on anyone before now.

And why would you bankrupt a company for a mistake? That seems extreme, like capital punishment for stealing.

smh

Bob • July 16, 2019 7:55 PM

@Esteban

RealFakeNews may be just saying it in hyperbole... but there is something that's worse in more recent decades than before: connectedness. Everything has been getting more and more connected to each other. Before, when some widget had a problem, it was limited in scope, in the sense that most people needed physical access in order to take advantage of the problem. Now, when everything's connected to everything else over the internet, this is no longer the case... More and more everything with any sort of a problem can have that problem exercised by anyone, anywhere in the world...

It's like the difference between just the criminals on my street trying to break into my house, vs EVERY criminal IN THE ENTIRE WORLD trying to break into my house... My house is a lot more vulnerable in the latter case, even if it has the same number of flaws it's always had. Criminals have the advantage then, and the only way to balance it back out is to make every house better than an electronic Fort Knox... or stop connecting everything. One or the other. Or maybe a bit of both, practically speaking.

Phil • July 16, 2019 8:52 PM

It got even worse: when the web server existed without the Zoom app installed it was possible to exploit the server for remote code execution. https://nvd.nist.gov/vuln/detail/CVE-2019-13567

cf. https://nvd.nist.gov/vuln/detail/CVE-2019-13576
cf. https://nvd.nist.gov/vuln/detail/CVE-2019-13586
(not public at time of posting)

It got worse again: the same vulnerability existed across the range of branded "Zoom" clients, where other companies had paid to package Zoom under their own branding. Apple have now released an update that removes the web server installed by the branded versions too.

Phil • July 16, 2019 9:01 PM

Ignore the CVE-2019-13576 in my above post; it's a mistake that I've copied across.

AskingAdvice • July 17, 2019 7:13 AM

@schneier (and others)
> This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

I'm from Italy and I have a zero-day for an IoT device that we sell and it's made in the USA. The device isn't cheap (around 3000$) but the authentication is very weak/non-existent and can be bypassed; the device is enumerable on Shodan.
So you can basically have full control of every device in this world...
I contacted the USA company that makes the product in November last year. They never answered so I emailed them again asking if they received the email and they said "yes, we will also have a meeting with the engineer to finalize the fix".
Now almost one year has passed and I have never received any update; I could email them once again but this is quite frustrating.
I don't know if it's legal or not to publish the details, but even if full disclosure helps fix the bugs and also helps if bugs aren't fixed (at least you know it is bugged), I'd prefer not to publish the details. I don't see any gain in allowing random people to take over the devices (I can't prevent this since they are bugged, but still...).
The problem is that we are the Italian reseller of this device and I would like to avoid damaging the image of the company where I work... It's not even our fault.

So I'm asking advice on what to do now and the next time something similar happens.

I also have other zero-days hanging there for years:
- an (universal?) antivirus bypass zero-day that according to the company can't be fixed because it is a platform limitation imposed by the OS (I could try contacting the OS maker but it's a big company and I have no idea if they care)
- router takeover (attacking from the LAN); this is the most depressing: the company fixed it, sent me the update (it works!) but they never published the update on their website...

I have done all this for free and I'd obviously like to be paid for this (even a thank you would be enough for me) but it's quite depressing how difficult it is to contact a company sometimes, just to find out that the company doesn't care or doesn't publish the update.

Any tip is welcome, thanks.

Marcos • July 17, 2019 10:26 AM

@Esteban

Well, the DC10 bankrupted a company. And it was caused by a series of unknown mistakes, not lack of applying known rules. It also was much less accident-prone than the Max-8 seems to be. ("Seems", because we are not getting enough of a sample size of the Max-8 to compare, ever).

Reggae_John • July 17, 2019 4:30 PM

@AskingAdvice:

If your management takes security seriously they have only 2 choices: stop selling this product and break the contract with the vendor, or go public and warn your customers about the hazard your company has put upon them (and then do #1).

Also: take a look at your country's penal code (or get legal help) and find out if you're punishable by law for not reporting on this "crime" you are committing: knowingly not informing your customers about the vulnerability at large might be something that could make you end up in jail.

Thomas • July 17, 2019 9:58 PM

@ Esteban

> And why would you bankrupt a company for a mistake? That seems extreme, like capital punishment for stealing.

If it's a mistake, a hefty fine. Enough to hurt and send a signal.
If it's deliberate, hold the board personally liable (up-to and including serious jail time).

Sending a company bankrupt is totally ineffective.

AskingAdvice • July 18, 2019 2:30 AM

@Reggae_John
It's not simple, as our company has been split in two companies recently and I'm not in the one that sells devices.
If I understand GDPR correctly, the maker should inform European users about the data breach.
Luckily the device is not the typical IoT device that is always online; usually it is used offline, sometimes online but not reachable from the internet (it just uploads data to the cloud), and only in a few use cases do you explicitly set it to be reachable from the internet, so on Shodan there are fewer than 200 devices worldwide.
I'll try to mail the maker again.

RealFakeNews • July 18, 2019 8:32 AM

@Esteban @Marcos

Yes, I was being hyperbolic, but the question was serious.

Not so long ago, having a cavalier attitude and killing or otherwise harming your customers would be very bad for business.

What happened that allows a company to do all manner of bad or illegal things in the open, and nothing happen to them?

It seems (particularly with anything internet-based) that you can steal from, hack, and just plain neglect your end-users with no ramifications whatsoever.

Why would you create an uninstaller that leaves a major server component behind? It appears to be intentional. Why?

65535 • July 21, 2019 9:19 AM

If I am correctly interpreting the SecurityWithSam blog, there are about eight apps that perform the "Zoom" style of spying. This also includes mapping LAN networks. The browser spy problem is a bit bigger than one app.

Names of apps/extensions

Extension #1: Hover Zoom
Extension #2: SpeakIt!
Extension #3: SuperZoom
Extension #4: SaveFrom.net (when downloaded from en.savefrom.net using Firefox on Mac or Ubuntu)
Extension #5: FairShare Unlock
Extension #6: Panel Measurement
Extension #7: Branded Surveys
Extension #8: Panel Community Surveys

[possible CnC servers contacted]


see:
ht tps://securitywithsam[.]com/2019/07/dataspii-leak-via-browser-extensions/

[link broken to hinder bots]
