Since webcams came into existence, the product has carried a big "if": the possibility that someone else is watching through the webcam when the user least expects it. Webcams exploded in popularity in the late '90s, primarily for use with early instant messaging services such as Yahoo and ICQ. Today, webcams are integrated into phones and laptops, and many mainstream monitors come with a basic variant. The public accepts their ubiquity without giving much thought to the possibility of unauthorized people gaining access to the camera without the owner's knowledge.
This same issue is now hounding the Zoom client on Mac hardware. The flaw enables a malicious website to take control of the camera without the approval, or even the knowledge, of the user. The vulnerabilities in the Mac Zoom client are documented as CVE-2019-13449 and CVE-2019-13450, and were disclosed by security researcher Jonathan Leitschuh on his blog. Until the Mac Zoom client is updated, an estimated 4 million users are affected across 750,000+ companies globally.
“This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call,” explained Leitschuh.
Worst of all, the flawed Zoom software auto-installs without asking for user permission. At the time of this writing, Zoom has not made any adjustment to the code, so the software cannot be cleanly removed once it is on the system. The flaw is triggered by the Zoom meeting link feature: when a recipient clicks the link, the Zoom software is automatically installed on the Mac. Such behavior cannot be implemented securely, according to Leitschuh. Secure software always asks for user permission before installing and can be uninstalled cleanly if the user wishes.
In his blog, Leitschuh highlighted that he responsibly reported the security flaw to Zoom on March 26, and that it took the company 10 more days to confirm that the issues actually existed. He met with the Zoom team on June 11, 2019, a full 18 days before the end of the 90-day disclosure deadline.
“A fully working POC that will launch you into a call with your video camera active can be found here. Warning: Clicking this link on Mac will launch you into a Zoom call with your camera activated! https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html,” added Leitschuh.
The Mac Zoom developer responded to his report by claiming that "user experience" is the primary objective of their software. Their goal is a "seamless experience" when establishing an online meeting with remote colleagues, which is why the automatic configuration of the microphone and webcam is part of Mac Zoom's default functionality. They do not want to make their users manually configure their hardware just to establish a voice meeting.
“However, we also recognize the desire of some customers to have a confirmation dialog before joining a meeting. Based on your recommendations and feature requests from other customers, the Zoomteam [sic] is evaluating options for such a feature, as well as additional account-level controls over user input device settings. We will be sure to keep you informed of our plans in this regard,” emphasized a Mac Zoom representative.