In recent days, web application security audit specialist Jonathan Leitschuh revealed a zero-day vulnerability in Zoom, the popular video conferencing software. Threat actors can abuse the "click-to-join" feature, which allows Mac users to join a Zoom session through a browser link, because Zoom installs a local web server that accepts join requests a browser would not normally be allowed to make on its own.
If exploited, this vulnerability would allow hackers to hijack Zoom sessions, forcing Mac users to join a call without asking their permission, and to activate the callers' webcams as well.
The web application security audit specialist claims that the local server persists on the affected system even if the user removes the Zoom application from their computer; Leitschuh even claims that the video conferencing software can be reinstalled automatically through it. "The company has done little to correct this flaw," he says.
Leitschuh released a demo of the attack after revealing the flaw: using a single link, the expert redirected Mac users who had ever used Zoom straight into a video conferencing session, and even activated the webcams of users who clicked on the link. "It is possible to embed such a link on any website, as well as in advertisements or as part of phishing campaigns."
Redirecting Mac users into a Zoom session arbitrarily is not the only way hackers can abuse this service. According to web application security audit experts from the International Institute of Cyber Security (IICS), the presence of this web server on affected Mac computers could also lead to denial of service (DoS) conditions on the device, since the web server can be hit with repeated requests.
The specialist contacted the company last March. Zoom later released a security patch that disabled the ability to join a video conference automatically; however, this is not a complete fix for the vulnerability, so the expert disclosed it publicly once the deadline given to the company for correcting the flaw had passed.
For now, Mac users will need to apply some manual settings as a temporary protection measure until Zoom definitively corrects the vulnerability.
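The article's central claim is that a local web server keeps listening on the Mac even after the Zoom application is removed, so a practitioner's first check is simply whether anything still answers on the loopback interface. The following is an added example written for this page, not code from Leitschuh or from Zoom: it connects to a given port on 127.0.0.1, sends a minimal HTTP request and reports the status line and `Server` header. The article does not state the port or responses of the real helper, so the stub server and its `stub-helper` banner are constructed placeholders that stand in for a lingering local service and let the check run offline; on a real machine you would pass the port documented for the service you are auditing.

```python
"""Check whether an unexpected service is still listening on the loopback
interface, e.g. a helper left behind after an application was uninstalled."""
import socket
import socketserver
import threading


# Constructed stub standing in for a lingering local web server. The page does
# not give the real service's port or responses, so this stub and its banner
# are placeholders used only so the check below can be exercised offline.
class _StubHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Consume the request line and headers so nothing is left unread
        # when the connection closes, then answer with a fixed banner.
        while self.rfile.readline().strip():
            pass
        self.wfile.write(b"HTTP/1.0 200 OK\r\nServer: stub-helper\r\n\r\n")


def start_stub(port=0):
    """Start the placeholder service on 127.0.0.1 (port 0 = any free port).

    Returns (server, port); call server.shutdown() and server.server_close()
    when done.
    """
    server = socketserver.TCPServer(("127.0.0.1", port), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def is_loopback_listener(port, timeout=0.5):
    """True if something accepts TCP connections on 127.0.0.1:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", port)) == 0


def http_banner(port, timeout=1.0):
    """Send a minimal GET to 127.0.0.1:port.

    Returns (status_line, server_header) if the service speaks HTTP, or None
    if it refuses the connection, times out, or sends no HTTP header block.
    """
    try:
        with socket.create_connection(("127.0.0.1", port), timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    if b"\r\n\r\n" not in data:
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    server = next(
        (line.split(":", 1)[1].strip() for line in lines[1:]
         if line.lower().startswith("server:")),
        "",
    )
    return lines[0], server


def audit_loopback(ports):
    """Map each port to 'closed', 'no-http', or the (status, server) banner."""
    findings = {}
    for port in ports:
        if not is_loopback_listener(port):
            findings[port] = "closed"
        else:
            findings[port] = http_banner(port) or "no-http"
    return findings


if __name__ == "__main__":
    # Demonstration against the constructed stub; replace with the port of
    # the service you are auditing on a real machine.
    server, port = start_stub()
    for p, finding in audit_loopback([port]).items():
        print(f"127.0.0.1:{p} -> {finding}")
    server.shutdown()
    server.server_close()
```

A listener that still answers after the application has been removed is exactly the condition the article describes, and the `Server` header (when present) gives a quick hint of which helper is responsible; a port that reports `closed` needs no further attention.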