In theory, such an attack can be launched from any site – a single line of malicious code is enough.
Cybersecurity researcher Jonathan Leitschuh has disclosed a vulnerability in the popular video call service Zoom. Because of how the application is designed, attackers can remotely activate macOS users’ webcams without their permission.
As Leitschuh explained, the root of the problem is the ability to join calls by clicking links like “https://zoom.us/j/492468757”. To make this work on Macs, Zoom installs its own local web server alongside the application, and websites can interact with that server while the user browses.
This lets the service bypass the restrictions that all popular browsers place on sites communicating with a localhost server. Without such a scheme, the user would be asked every time a link was clicked whether they wanted to launch the application.
Using a GET request to the server, Leitschuh was able to connect to a call created by another account. In this way he could join any call without permission, provided the users who created it had kept the default settings.
The researcher did not stop there and worked out how to remotely activate users’ webcams. Since the local Zoom server runs in the background, attackers do not even need the application to be running. According to Leitschuh, it is enough to embed a single line of code in a site’s embedded content or in an advertising banner.
As evidence, the researcher demonstrated the vulnerability by embedding malicious code into his own site. Anyone can check his work by visiting a special page. The code runs automatically for users with the Zoom client installed and connects them to a call with the webcam on, without asking permission. If the program is not installed, a dialog box appears asking for the necessary permissions; after they are granted, the conference call does not start.
While studying the behaviour of Zoom’s local server, Leitschuh also noticed that it could do more than launch calls. If the user deletes the application from the computer, the server keeps running and lets the program be quietly reinstalled, without any additional confirmation, simply by visiting a site that carries the malicious code.
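A defender-side check of the mechanism described above, added here as an example and not taken from the article or from Zoom: it filters lsof-style listening-socket lines for TCP listeners bound to the loopback interface and flags those owned by a named process, so an administrator can see whether such a background local server is still present (for instance after the application has been removed). The process name, port and sample lsof lines are constructed placeholders.

```shell
#!/bin/sh
# loopback_listeners: print COMMAND, PID and bound address for every TCP
# listener on 127.0.0.1 / [::1] / localhost whose process name matches $1
# (case-insensitive; default "." matches any process).
# Input: lsof listening-socket lines on stdin, e.g. on macOS:
#   lsof -nP -iTCP -sTCP:LISTEN | loopback_listeners zoom
# Assumed lsof column layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
loopback_listeners() {
    pattern="${1:-.}"
    awk -v pat="$pattern" '
        NR == 1 && $1 == "COMMAND" { next }   # skip the lsof header row
        # last field is "(LISTEN)", the field before it is the bound address
        $NF == "(LISTEN)" && $(NF-1) ~ /^(127\.0\.0\.1|\[::1\]|localhost):[0-9]+$/ {
            if (tolower($1) ~ tolower(pat)) print $1, $2, $(NF-1)
        }'
}

# Constructed sample of lsof output (process names, PIDs and ports are
# placeholders, not real Zoom values). Only two rows are loopback listeners;
# sshd on *:22 is bound to all interfaces and must not be flagged.
SAMPLE_LSOF='COMMAND            PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
zoom-localserver  4242 alice   5u  IPv4 0x1234      0t0  TCP 127.0.0.1:12345 (LISTEN)
sshd               101 root    3u  IPv4 0x5678      0t0  TCP *:22 (LISTEN)
node              7777 alice  21u  IPv6 0x9abc      0t0  TCP [::1]:3000 (LISTEN)'

# Demo on the constructed sample; on a live host pipe real lsof output instead.
printf '%s\n' "$SAMPLE_LSOF" | loopback_listeners zoom
```

A loopback listener that survives uninstalling the application is the condition the article describes; the check only reports it, removal is a separate administrative step.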
The researcher explained that he reported the Zoom vulnerability in March 2019 and offered several options for fixing it, including “quick fixes” that change the server’s logic. He gave the company 90 days, but it responded only two months later and made only minor changes to the code.
As the researcher noted, it was still possible to add a user to a call without their permission and to reinstall the application without the user’s knowledge. According to Leitschuh, Zoom also refused to turn off audio and the webcam by default when joining calls. The company said that users deserve the right to choose how they use the application.
Meanwhile, users can fix the remote webcam activation problem themselves: it is enough to tick “Turn off my video when joining a conversation”.
Zoom told The Verge and other publications that it uses the web server to save users clicks. The company defended its approach and called “one-click” joining of calls its “distinguishing feature”.
A statement on the Zoom website says that, starting with one of the upcoming updates, the service will ask users on their first call about the video and audio settings for future conversations. Representatives of the service explained that the Zoom client always launches in a prominent place and that the user can leave the conversation at any time. The company also noted that it had found no signs of the vulnerability being exploited.