ICANN began to use the Zoom Meetings conferencing solution in early 2019 for all its conference calls, instead of Adobe Connect.
Zoom Meetings for MacOS security vulnerability (July 9 2019)
Security researcher Jonathan Leitschuh publicly disclosed the Zoom Meetings for Mac OS security vulnerability on July 9 2019.
The vulnerability in the Zoom Mac client allowed any malicious website to turn on your camera without your permission. The Zoom Mac client installed a web server on localhost so that Safari would not ask for confirmation before opening the Zoom client when a link to a Zoom meeting was clicked; any web page could therefore send requests to that local server and have Zoom launch with the camera on.
Furthermore, the local web server remained installed even after you uninstalled the Zoom Mac client, and it could reinstall the Zoom Mac client without any user interaction beyond visiting a web page.
Zoom’s response to the security disclosure (updated several times) at https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/ includes the release of an updated Zoom for Mac client. Furthermore, Apple has pushed a MacOS update that removes the undocumented web server installed by Zoom.
Downloading the latest version of the Zoom Meetings App
This underscores the need to always run the latest Zoom Meetings application client, available at https://zoom.us/download for Windows, MacOS and Linux.
Ensuring your browser doesn’t open Zoom Meeting links automatically in the Zoom Meetings app
However, as Jonathan Leitschuh has noted, depending on your browser settings a malicious web page can still launch Zoom with your camera enabled without asking. This applies to Windows as well as Mac, in both Firefox and Chrome, if you have set your browser to open Zoom Meeting links automatically with the Zoom Meetings app.
As Jonathan Leitschuh noted in his tweet:
Here is a Proof of Concept Link to see whether Zoom will autolaunch with your camera and mic enabled: https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
If your browser is set to always open this type of Zoom link with the associated app, you will be launched automatically into a Zoom conference with your camera enabled.
How to prevent Zoom from auto-opening Zoom links on a web page:
In Mozilla Firefox:
- Click the menu button and choose Options.
- In the General panel, go to the Applications section.
- Search for the Content Type zoommtg and select it.
- Click on the Action column in the zoommtg row to change the action to “Always ask”.
In Google Chrome:
This is harder in Google Chrome, which saves such settings in a preferences file that cannot be edited from within the browser. Google’s own guidance only offers clearing site data:
“Chrome allows external applications and web services to open certain links. For example, certain links can open a site like Gmail or a program like iTunes. If you set a default action for a type of link but want to delete it, clear your browsing data (https://support.google.com/chrome/answer/2392709) and select “Cookies and other site data.””
Here’s the more “hacky” way, which removes only the remembered Zoom choice, courtesy of https://gist.github.com/karanlyons/1fde1c63bd7bb809b04323be3f519f7e
- Navigate to chrome://version/ and find the path listed under “Profile Path”.
- Quit Chrome, open that directory, and then open the “Preferences” file. This will appear to be a single very long line of text in a text editor.
- Look for the strings "zoommtg":false and "zoomrc":false. If either exists, remove it. If there is a comma immediately after the removed string, remove it as well, so the file remains valid JSON.
- Save the file.
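Editing a single-line JSON file by hand is error-prone, and a stray comma makes Chrome discard the whole Preferences file. The following script, an added example that is not part of the original post or the gist it cites, does the same cleanup programmatically: it parses the file as JSON, deletes the remembered choices for the Zoom schemes, and writes the file back after taking a backup. It assumes (this is not stated on the page) that Chrome stores these choices under the key path protocol_handler.excluded_schemes keyed by scheme name, and that the two schemes involved are zoommtg and zoomrc. Chrome must be quit before running it, as in the manual steps above.

```python
"""Remove remembered "always open" choices for Zoom's URL schemes from a
Chrome Preferences file so that Chrome prompts again before launching Zoom.

Assumptions (not from the original post): the choices live under the JSON
key path protocol_handler.excluded_schemes, keyed by scheme name, and the
Zoom schemes are "zoommtg" and "zoomrc". Quit Chrome before running this.
"""
import json
import shutil
import sys
from pathlib import Path

# Assumption: these are the URL schemes registered by the Zoom client.
ZOOM_SCHEMES = ("zoommtg", "zoomrc")


def remove_zoom_handlers(prefs: dict) -> int:
    """Delete any remembered choice for the Zoom schemes, in place.

    Returns the number of entries removed. All other keys are left untouched;
    containers that become empty are dropped so the tree stays tidy.
    """
    handler = prefs.get("protocol_handler")
    if not isinstance(handler, dict):
        return 0
    excluded = handler.get("excluded_schemes")
    if not isinstance(excluded, dict):
        return 0
    removed = 0
    for scheme in ZOOM_SCHEMES:
        if scheme in excluded:
            del excluded[scheme]
            removed += 1
    if not excluded:
        del handler["excluded_schemes"]
        if not handler:
            del prefs["protocol_handler"]
    return removed


def clean_preferences_file(path: Path) -> int:
    """Back up <Preferences> as <Preferences>.bak and rewrite it without Zoom entries."""
    prefs = json.loads(path.read_text(encoding="utf-8"))
    removed = remove_zoom_handlers(prefs)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        # Chrome writes Preferences as compact single-line JSON; mirror that.
        path.write_text(json.dumps(prefs, separators=(",", ":")), encoding="utf-8")
    return removed


# Constructed sample resembling the relevant fragment of a Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "browser": {"show_home_button": True},
    "protocol_handler": {
        "excluded_schemes": {"zoommtg": False, "zoomrc": False, "mailto": True}
    },
})


def demo() -> dict:
    """Run the cleanup over the constructed sample and return what happened."""
    prefs = json.loads(SAMPLE_PREFERENCES)
    removed = remove_zoom_handlers(prefs)
    return {"removed": removed, "prefs": prefs}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python clean_zoom_prefs.py "<Profile Path>/Preferences"
        count = clean_preferences_file(Path(sys.argv[1]))
        print(f"removed {count} Zoom handler entries")
    else:
        print(demo())
```

Point the script at the Preferences file under the “Profile Path” shown on chrome://version/. Because it round-trips the file through a JSON parser, an unrelated entry such as the mailto handler in the sample is preserved, and the comma problem from the manual method cannot arise; if the file is not valid JSON to begin with, the script stops before writing anything.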
Test to ensure your browser no longer auto-opens Zoom web links in Zoom
Visit Jonathan Leitschuh’s Proof of Concept page at https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html to see if your browser asks to open the Zoom Meeting Client.
This is what you should see in Mozilla Firefox:
and this is what you should see in Google Chrome:
Do NOT select “Always Open these type of links in the associated app” in Google Chrome or “Remember my choice for zoommtg links” in Mozilla Firefox.
Consider covering computer cameras
Finally, if you have a computer or mobile device with a camera (what device doesn’t?), consider getting a webcam cover that physically covers the camera lens on your laptop, mobile device or webcam when it is not in use. This helps in cases where a software vulnerability, or malware installed on your computer or device, lets an attacker turn on the camera without your knowledge or permission.