Zoom’s response to this[1] is a wonderful example of how not to respond to security issues. It includes the classic tropes:
* Our users don’t care about security.
> Our video-first platform is a key benefit to our users around the world, and our customers have told us that they choose Zoom for our frictionless video communications experience.
* We have no way of knowing if this has been exploited in the wild, so it’s probably fine
> Also of note, we have no indication that this has ever happened.
* Other products have the same vulnerability
> We are not alone among video conferencing providers in implementing this solution.
* We decided not to fix it
> Ultimately, Zoom decided not to change the application functionality
And also a lovely one I haven’t seen before:
* We tried to buy the researcher’s silence, but he refused
> Upon his initial communication to Zoom, the researcher asked whether Zoom provides bounties for security vulnerability submissions. Zoom invited the researcher to join our private paid bug bounty program, which he declined because of non-disclosure terms. It is common industry practice to require non-disclosure for private bug bounty programs.
> Zoom invited the researcher to join our private paid bug bounty program, which he declined because of non-disclosure terms. It is common industry practice to require non-disclosure for private bug bounty programs.
Is an NDA really "common industry practice" for bug bounty programs? I know NDAs are common for pen-testing but it seems like an odd (and kind of dishonest) requirement for a bug bounty program.
Some kind of NDA terms are not unheard-of. Like a 1-3 month period in which to work on things during which disclosures won't go out.
That said, there's a slight disconnect between Zoom's two statements here. The first is that the researcher declined out of concerns over Zoom's NDA. The second is that NDAs are common. What this doesn't say is that Zoom's NDA is cookie-cutter or what the specific terms are.
If I were to guess, Zoom was using some unusual NDA and attempting to buy permanent silence.
Will they pay the rest of your team and your spouse as well? "I've already sent these results to a few colleagues around the world to test out, but don't worry, they won't disclose anything for 90 days".
Also, they seem almost entirely focused on "unwittingly joining a meeting" as the real problem here, ignoring the fact that they have made the extremely poor choice of exposing a dodgy control API on your mac to the entire internet. What are the odds there are no bugs in this shitty little HTTP server they snuck onto everyone's machine? The fact that they came within five days of losing control of one of the domains that has the power to install arbitrary code on every mac running this thing is absolutely insane, and they should be asking themselves 1) how that happened, and 2) how utterly screwed they would have been if they lost control of that domain.
In a more amusing alternate universe, someone discovered the zoomgov.com vulnerability, waited until it expired, snapped it up, then published an "update" that uninstalls zoom entirely. In a nastier one, they used this idiotic design flaw to pwn every zoom client machine out there.
It's exactly how you want to respond if you plan on sharing it publicly on Twitter in the hopes of fooling those not in tech.
If my mom stumbled into that article, she would likely think they perfectly explained everything (well... she would likely contact me but, still).
Given this news is already not sticking near the top of hacker news and barely reported elsewhere, it feels like they are already getting away with it for the most part.
> All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting.
> Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.
TBH, they're not as dismissive as you're sounding them to be
That part just doesn’t seem very responsive. Unless Zoom is recommending that everyone should turn it OFF, and urgently releasing a patch to make OFF the default, why does it matter that the vulnerability is in an optional feature rather than a mandatory one?
That is a pre-existing feature, and while it mitigates one specific aspect of the issue, it doesn't represent a security-focused response. Yes, I am saying that's not good enough: an appropriate, non-dismissive response would commit to writing code to deal with the issue raised, subject to the industry standard 90-day embargo. Depending on how much importance they place on their user's security.
Stayed on that call for over 3 hours and I just have to say that it was one of the best experiences I've had on the internet in years.
People behaved pretty good considering it was a random public Zoom call (except for a few trolls, but nothing really bad).
It just felt like the internet of yore where random people would meet and chat and just be nice to each other.
Lots of interesting topics, people from all over the world, lots of surprised faces, random camera sights out the window, someone with a unicorn mask...
It was a blast. Thank you Jonathan for a great time!
I listened for a long time, learned a lot as well.
This made me think - is there any website that facilitates you to do such public conferences on zoom like clients. Basically a bunch of people who are interested in a certain topic could join and chime in - go from topic to topic. It could be a very healthy discussion. People could post and schedule meetings and essentially anyone who wants to learn could join. I do listen to podcasts often, but such meetings would be pretty different than podcasts.
Does this already exist?
Interestingly, I implemented every mitigation listed in the article: kill the web server process, remove and add an empty directory at `~/.zoomus` to prevent it being re-added, remove Firefox's content type action for Zoom, and disable video turning on when Zoom launches. When I visit a Zoom join link or the POC link above, Firefox prompts me to open the Zoom client to join the meeting, and when I click "Open Link" the client opens just as it should and joins the meeting.
This seems to confirm that there is no functionality to create a seamless experience for the user that actually requires the presence of the web server. If you don't have the client installed the page can prompt you to download it the same as it would the very first time you download and install it. You can ask your browser to remember the link association and not be prompted for which app the link should open going forward. These are minor steps, even for a regular user, and ones with which most users are likely already familiar.
To me this further illustrates that the web server is truly just a ploy on Zoom's part to keep their hooks in users' systems, and have a way in that the user isn't privy to. Any other excuse they are giving about "enhanced experience" is dubious at best and deceitful at worst.
> You can confirm this server is present by running lsof -i :19421 in your terminal.
Might be good to specify what the output would be if the vulnerability is present or not, like this:
"If the server is running on your machine, you'll get a line specifying which process is listening to that port. If the command returns empty, your machine is not vulnerable."
Huh, I'm on Windows and it auto-joined the meeting too, with video enabled. I wonder if this is because at some point in the past I opened a Zoom meeting and allowed Chrome to open the Zoom URI in the Zoom app?
Great chat, I think you were right when you said all vulnerabilities should have a video conference for Q&A after release. It was really helpful to get a better understanding of the platform and the threats facing it.
The key thing here is they think this is a fair trade-off because Safari asks if you want to open Zoom.
> This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
I do not believe that this is a fair trade-off given that any website can act on this locally installed server.
EDIT: I think they need to be made aware that this isn't acceptable. My reply to their support team:
I do not believe this is a fair trade-off - allowing any arbitrary web site local control of privileged software installed on my machine - because Safari offers a security prompt (specifically so that any arbitrary web site does not gain control of privileged software on my machine). I will be switching ~/.zoomus/ZoomOpener.app off, and considering other options until it has been fixed.
I realised I had a paid account, so I've cancelled that too. And I've also reported them to Apple, after seeing that the ZoomOpener app reinstalls the client - which is completely and utterly unacceptable.
> I think they need to be made aware that this isn't acceptable.
Oh, definitely. I cancelled my subscription because of this, but I wonder if the reason will make it through the corporate fog.
What is worrying is that more and more companies think it is fine to install "helpers", "openers" and other cruft. I recently removed several, and I still have to use software that scares me sometimes (DYMO web printing, Brother web printing). This should not be considered OK.
> I wonder if the reason will make it through the corporate fog
I really doubt it. Given the change control policies of huge corps and how awful it is to get anything new/get rid of anything they'll just toe the zoom party line and keep it.
> This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine. I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely. Come to find out, it really hadn’t been implemented securely. Nor can I figure out a good way to do this that doesn’t require an additional bit of user interaction to be secure.
Does anybody understand (and have a moment to explain) why the author says this is difficult to do securely? macOS has a simple facility for handling custom URL schemes, so my impulse would be to have `https://zoom.us/j/492468757` do a server-side redirect to a URL like, say, `zoomus://492468757`, which would launch Zoom locally using the OS's built-in services. This wouldn't require a third-party daemon of any sort, and would just be a regular application that the user could trivially uninstall.
Is there a security hole there that I'm missing? Or have I misunderstood the author's point?
A custom URI wouldn't work as seamlessly as zoom's UX team would have liked. If you hadn't installed zoom, either a nasty message would tell you the protocol wasn't supported, or it would redirect you to a google search.
Their answer was to send people to a URL they controlled and brought you through the install process as easily as possible, but the issue they needed to solve was determining if you needed to have an install or just redirect to the app.
They broke so many security rules just to shave off a few inconvenient seconds, and those seconds rose them to the top.
Ah, yeah, the flow for when the app isn’t installed makes particular sense (at least as a motivation for why someone would implement something so awful). Thanks!
You seem to imply that they have an UX team but not a security team, so nobody convinced anybody else that this wasn't a good idea.
Without genuine security orientation, even if an expert realizes there is a security problem, who wants to be the boring paranoid pessimist who wastes time and attempts to ruin products, only to be staved off by the efforts of more productive employees that focus on adding value?
I have some experience with this, you can use javascript on the https:// meeting link to detect if the app protocol (zoom:// or whatever) exists. If the app protocol exists then go straight to the app protocol link. If it doesn’t then prompt the user to download and install Zoom. The JS is a bit messy and requires a few different approaches but it works on all popular browsers on Windows and Mac (Linux support wasn’t needed, so not sure).
Of course, the browser will pop up a confirmation dialog to ask if you want to open the Zoom app but this is a feature not a bug.
The basic problem is that you enter a meeting by loading a URL, and loading URLs is something any website can do. There probably needs to be a confirmation step before joining a meeting.
A custom URL scheme would at least provide an opportunity to confirm launching Zoom, even if Zoom itself didn’t confirm joining s particular meeting (which I agree it should).
i didn't see that. for me it just failed and to join a meeting now i need to open the zoom client and copy the meeting id manually. not a big deal for me, just wondering...
If Universal Links was supported on macOS we could get the best of both worlds.
The web server basically presents meta-data in a JSON-file (in the .well-known directory) which Safari/iOS uses to launch the app if it is installed, and otherwise just renders the webpage [0].
The app contains information about which domains it allows itself to be opened from which would fix this issue.
Universal Links are better than their localhost webserver insanity, but don't really solve this. A malicious website can still redirect you to a zoom.us URL that will instantly join the meeting without confirmation.
The underlying problem is that they want a URL to join a conference call hosted by any random user and share your audio/video without confirmation. And it's simply not safe to trigger that kind of action from a URL.
Positively terrible... Kudos to this researcher. I liked Zoom when I used it a couple of times, but the reinstall “feature” is a huge violation of my trust. Software from the company behind it will not touch my system anymore. Too bad really, because properly working video chat is hard to find. The App Store model is not my favorite, but at times like these, a forced sandbox and inspection by a trusted third party start to look like the only way forward.
If you had a sandbox, you wouldn't even need anyone to inspect it - since all the app's files would be contained in one place, uninstalling it would remove everything, and there wouldn't be a way to leave a server behind.
In response to all of the well-deserved criticism, Zoom just made two updates to their blog post[1] to announce that they will be completely removing the webserver for all macOS users in a new release tonight, and also adding an option prompt going forward:
JULY 9 PATCH: The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following: 1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device. 2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
PLANNED JULY RELEASE: Additionally, we have a planned release this weekend (July 12) that will address another security concern: video on by default. With this release: 1. First-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. 2. Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.
You know you've blown it when the following appears in a buzzfeed article about your software:
> open the application called, “Terminal.” Copy and paste this text: lsof -i :19421. Press enter. You’ll get a string of mumbo jumbo. Underneath the text “PID,” copy the string of numbers underneath. Then type “kill -9” (without the quotes), add a space after -9 and paste the PID string of numbers. Press enter. The server has been killed.
What I'd really like to see now is them addressing the fact that their initial response to this was terrible, as if whoever was making the decision had no idea how bad this design was from a security standpoint.
> We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server.
Including the local web server that definitely doesn't exist anymore anyway after this patch?
I uninstalled it via their new patch, but it doesnt remove all files. I think its just caches and logs left but who knows. If you want to purge this malware with fire you still need to follow the instructions at https://apple.stackexchange.com/questions/358651/unable-to-c...
HIPAA provides an effective strategy for holding Zoom’s feet to the fire in cases like this. Since the company markets compliant video conferencing for healthcare professionals, they are classified as a Business Associate. It is quite likely that a well-written complaint on the HHS Office of Civil Rights site would result in further investigation and regulatory action.
Only insofar as that people usually do not complain. I’ve worked with software clients on OCR investigations that were prompted by far less substantial complaints.
Not sure I follow the CORS angle. The linked stackoverflow question mostly seemed to be someone who was confused about how CORS works, and the issue in the Google Chrome tracker was closed as WontFix because they couldn't reproduce it and said it should work.
I'm nearly positive that CORS from localhost works OK. I set this up all the time for local development. For example, I run a client CRA app on localhost:3000 and an API on localhost:3001. The API sets the CORS headers and the CRA app can make requests to it.
If this is correct then I believe all Zoom needed to do is have their localhost application set CORS headers for their production domain. This would have allowed AJAX communication and only allowed it for Javascript running on their domain. Instead they did this totally hacky method that lets the whole world interact with the localhost server...
Maybe I missed something but if they could have done this the right way and didn't that is much worse IMO...
You're 100% correct, and while someone has pointed out the proper headers that need to be set on the bug report here: https://bugs.chromium.org/p/chromium/issues/detail?id=67743, it's been drowned out by people who don't seem to understand the issue:
I'm trying to think of the real-world implications and how this would play out.
Normally this would be pretty obvious, wouldn't it? Users would see Zoom open into some weird meeting, and close it.
Presuming the exploit cannot avoid bringing the Zoom app to the foreground when it joins the meeting and activates the camera/mic. If it can do that and stay in the background, all bets are off.
In spite of its obviousness, it's still pretty darn scary --
Scenario 1: malicious website/app opens link while you're sitting there.
You're sitting in front of your computer, you see Zoom open, you're like "WTF?!", close that shit, uninstall Zoom; hopefully discover how to permanently remove it (it otherwise leaves a localhost http server running that can reinstall itself).
But crap the hijackers have, even with a few seconds of video: your face, your surroundings, the audio of your surroundings, all of which can increasingly be fingerprinted. That alone is very scary. Just to be in an unintentional meeting for a moment is very disturbing. A violation of sorts.
Scenario 2: malicious website/app delays opening the link until some threshold of mouse/KB inactivity is reached.
Activate the Zoom link and hope the person is AFK. Spy on their home/office/whatever. Also a violation.
Are there other scenarios I am missing?
Personal note 1: I'm happy I switched to a Linux laptop after finding last year's MBPs disappointing (and the TB revolting; I have a physical escape key!).
Personal note 2: I do actually like Zoom a lot, it's an awesome video conferencing app. But this should be fixed for Mac users.
I wonder if this works in an electron app (like Slack maybe) displaying it?
Maybe you could intentionally send this link to someone shown as inactive on Slack, and have the WSlack webpage preview thing run enough javascript to pop open Zoom with the camera and mic running...
I'd test it myself, but I deleted Zoom and the sneaky localhost web server while I read the article...
It says that the server sends an image with certain dimensions back as an error code, so I wonder what you could do if you served some simple HTML that uses the local server as a meta tag that renders in the preview?
I imagine slack would do that on the client since it’s built on electron.
> Activate the Zoom link and hope the person is AFK. Spy on their home/office/whatever. Also a violation.
I think this is the most likely scenario. There are ways you could potentially delay it (e.g. they leave a tab open and you don't open the link until a certain time)
Scenario 1 extended: Add this into an ad or a popover for a porn site and potentially capture some very compromising footage.
Scenario 3: Add it as a tracking pixel in an email.
I guess there are all kinds of scenarios since it's an unsecured API that responds with an image. You can trivially embed it in anything that renders HTML.
Well, the company and product are dead to me now, gonna hassle our CTO to switch. I just really hope theres some dev at Zoom who hated this whole installing backdoors idea who's gonna have the greatest "I told you so" day at the office tomorrow.
We work with a lot of hospitals and find that video conferencing tools are often blocked by their IT departments for security reasons. I’m expecting Zoom to find itself on that list in short order.
“On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port 19421.”
...
“All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running. This is still true today!”
This server is still running on my machine despite having "removed" Zoom a few months ago (macOS).
Guess I was a bit naive in thinking just trashing the .app and immediate artifacts in Library would do the trick.
EDIT: I missed the .zoomus directory in my home folder that had the culprit. Funny enough Zoom's instructions on how to uninstall the app on macOS just points to documentation from Apple and wikiHow (???) with standard methods that don't fully remove Zoom.
I'm sure Zoom intentionally failed to tell you how to remove the web server. After all, if it's still running, then it's just that much easier to reinstall Zoom on your machine.
I’m surprised more enterprise IT orgs haven’t flagged this behavior, or simply made it impossible via local machine policies that would prevent running a web server.
Does anyone know how this web server starts itself after restarting your machine? As far as I know, a `~/.zoomus` directory can't restart a web server after your machine restarts.
It doesn't start on boot, it starts on login. It appears as a Login Item named ZoomOpener in your local user account in the System Preferences -> Users & Groups.
Additionally, when you launch the main application, it will check to see whether ZoomOpener is running. If not it will boot it up. The main app will install and register ZoomOpener as a Login Item if necessary.
> This being said, I also recommend that any researcher that finds a vulnerability in Zoom’s software does not directly report the vulnerability to Zoom. Instead, I recommend that researchers report these vulnerabilities via the Zero Day Initiative (ZDI). The ZDI disclosure program gives vendors 120 days to resolve the vulnerability, the ZDI will pay researchers for their work, and researchers have the ability to publicly disclose their findings.
On my Mac, I have uBlockOrigin installed in my browser and I have it configured to always block 3rdparty and 3rdparty frames and it prevents both the POCs completely.
I have one browser that I use for work email and video conference, where system grants access to camera/microphone to the browser and browser allows Google Meet to access camera.
I have another browser where system does not grant access to any of the devices - camera, microphone, USB etc - and I use that for web surfing.
And I strictly don't install any plugins for video calls. I have refused to join meetings where people try to make me install random binary software on my machine. There's always phone call for such situations.
I feel better about dedicated apps on iPhone where again I can install and grant permissions before the call and then uninstall the app completely. On iPhone I don't do any web surfing. I have Firefox Focus for occasional emergencies to open the unknown web.
Refusing to install software for video calls is a good policy. Also, having a throwaway workstation for such things (also Skype, which is spyware of the worst kind) is useful too, for when it’s a pre-sales call and security can’t outweigh closing a six+ figure deal.
and I am in the crowd of mac users who tape over their camera. when it comes to video conferences at most I have ever seen the desktop shared. what type of work do you do that uses the video for portions other than the presentation?
You weren't asking me, but I run into this same thing.
In my business -- project management software -- I'm in online meetings a LOT (say, 20 hours a week?) because everyone in my company is remote. We have never, ever used video. It just doesn't come up. Nobody wants it internally, and none of our customers ask for it in external meetings. I don't think any of them use it internally, either (and many of our customers are large, distributed organizations with offices all over the place).
This seems normal to me.
My neighbor is an IT VP for a health care concern. She travels a lot (30-40%), and when she's home she's in online meetings pretty much all the time. And in her company, video is ALWAYS included. I have no idea why, and neither does she; it's a cultural thing.
The upshot, though, is that I work in t-shirts and cargo shorts, and she has to be "office ready" even though she works at home. However, I will note that, if I run into her outside when she's walking the dog, it's not unusual to see her in a nice blouse, hair and makeup done, but wearing yoga pants or whatever. Which is its own kind of hilarious.
Sounds like false security thiugh- at least the camera has a light (which last I heard has been hardware level synced with the camera) so you know if someone's watching but what you have no control over is the microphone
Video meetings are so much more effective than audio meetings. I went from a company that always uses video to a company that rarely uses video and the difference is huge.
Often the most important parts of meetings are nonverbal.
To ubermonkey's point, some of this can be a company culture thing.
Certain teams at my workplace use webcams all the time, others never. My team leverages them quite a bit, as our team is all over the world. It helped solidify our team members not just as random voices on a phone line, but as actual people who we will likely never meet in person.
Another small thing (big for me) Zoom does is register their app as the handler for `tel:` links every time you launch it, with seemingly no way to disable that. Companies that make themselves the default for something on your machine by force are not to be trusted.
I’m not surprised they start a web server from under their users, and that their response to the vulnerability was lacklustre.
Why isn't zoom running fully in the web browser at this point? Meet does this, and as far as I can tell the quality is indistinguishable from Zoom. Can someone with a better understanding of the underlying protocols shed light on why Zoom continues to ship a separate desktop app?
To allow meeting participants to use the web client to connect to a meeting requires the meeting host to explicitly enable the option in their advanced settings (it is disabled by default).
"as far as I can tell the quality is indistinguishable from Zoom"
In my experience, the quality is similar to Meet when all parties have great internet connections. But if one or more parties has high/variable latency or packet loss, then Zoom provides a much more smooth experience.
Not related to zoom, but I'm working with a team which uses 'highfive'. I can't, for the life of me, get the downloaded desktop app to ever work. There's this perpetual dance of "you need to be logged in" and "register now" and "log in". I was thinking it was something to do with the VPN, but it seems to be the same on or off. However, grabbing the full URL and pasting in to Chrome, works like a champ. I'd prefer to use the desktop app, but I can only get the browser version to work.
Why is the web client (on Chrome, etc) so bad on Zoom ? I mean, people are building Google Earth on the browser .Its not just the bad video experience - even the product experience is seriously broken.
For example, the default audio setting when you sign in to the web video client is to connect using PHONE AUDIO. In case you figure out how to click the tab to use computer audio...it breaks down a couple of time in asking for browser permissions (camera, mic). It is unusually bad for something that is supposed to be that good.
hangouts still rules when it comes to web based video conferencing. And for countries with massive linux based usage (like India), Zoom is not a very viable option.
Jitsi Meet is also an excellent web-based video conferencing tool. They also have a basic comparison of WebRTC vs Zoom [0] which is actually has the same demonstration video as your second article. I posted a basic overview elsewhere in this thread [1], and I would strongly recommend it.
The Zoom client on Linux used to (?) have a nasty command injection. The URL for joining a meeting got passed to some bash reinvocation (so they could set the library path if my memory serves me). A specially crafted URL could execute commands on the system. I haven't been too interested in using Zoom since seeing that.
At least that was patched. These sorts of issues are frustrating, because as a Linux user I really want to like Zoom -- I appreciate that the treat all platforms pretty equal (Mac, Windows, Linux, Android, iOS) with native apps. That is a rarity.
For the longest time the Linux client would just crash randomly. It also tends to heat up your laptop and use all of your cores at 100% if you're looking at someone's screen.
Just run `strace -f zoom 2> wtf.zoom` to see all of the shit it does (looks like it is polling for events like crazy).
I tested the repro-steps and found that the ZoomHelper was not listening, although it was installed . In this case i was prompted to download zoom.pkg rather than activate video.
I'm guessing it was because I have MacOS firewall = strict (no listening ports)
Also, here's a nice tip to show all listening apps (good habit while cleaning up)
"To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files."
So a browser allows a random remote website access to stuff running on the localhost interface? Is this a good idea? Stuff like camera access I can at least disable...
The browsers allows anything according to the CORS configuration on the target website. Perhaps it would be a good idea to prompt for access to localhost/127.* resources.
Hosting a web server on localhost is the equivalent of adding a backdoor on your customer's machines. How does a product team even reach this decision?
The most charitable interpretation of the Superhuman read-receipt problem is kinda the same thing: they had an idea, thought it was good, and then did some deeply shitty things to make it work. And nobody at Zoom or at Superhuman had the organizational power to stop it.
Do you know if this vulnerability might manifest in other ways, and permit remote participants to force you into sharing or viewing your screen silently?
One of the first times I'd ever used Zoom was in a call with a startup trying to pitch my company on something. The remote participant said something later in the call that was uncannily prescient and related to notes I had in a separate application window. I wrote it off as coincidence, but the phrasing used (and the fact that it was an answer to a question I hadn't asked) seemed nearly verbatim to my written notes.
This is crazy, heres a video what happens after deleting and opening your URL.
https://www.youtube.com/watch?v=DMY7Z9Fe0ic
Before testing that I had the app itself removed months ago...
These meeting apps feel like the browser plugins of the 2000's. There are so many that do almost the same thing they now resort to seriously insecure methods to make sure you have theirs installed and never remove it.
Apparently one less click is a competitive advantage, whatever the cost.
I don’t get Mozilla and Chromium’s responses. I can think of few cases in which a website should be allowed to issue requests (CORS, img, or otherwise) to an address on the local network and none whatsoever in which a website should be able to contact localhost.
The fix seems straightforward. Require user permission to access the local network (subject to appropriate heuristics as to what “local” means). Require a config option and user permission to access localhost. Problem solved.
The problem with asking permission is dialog fatigue and similar.
As far as supporting local content: Historically a lot of terrible (read: Enterprise, H&R Block tax software, etc) apps are glorified webpages, coupled with a local server that provides things like FS access and malware installation. Those apps use a kludge of remote and localhost urls, and generally expect to work.
I suspect at this point though that browsers will just start going for the "no access to localhost" route as this practice is mercifully dying out (alas in favor of Electron apps shipping full, but out of date, browsers).
To me the bigger problem is: Zoom installed a server on a machine, without consent, with the ability to install software (without consent). Removing the browser's access to that service doesn't mean anything because an attacker can always just directly attack the server.
Even if the server locks connections to exclusively coming from localhost they've provided a service that can install and launch software, which can therefore be used as a sandbox escape - e.g a super constrained network service gets compromised - the idea is that service can't modify the filesystem or what have you, but now it can just connect to localhost and get a file written to disk.
People keep on complaining about apple "locking down the system", but its because of developers like Zoom that Apple needs to do this: and average user is not going to see this post, and Zoom has clearly decided that it is in their interests to leave a service running that can install software for them.
I hope that apple drops the XProtect hammer on the server binary, and the ban hammer on their signing cert.
> The problem with asking permission is dialog fatigue and similar.
That’s why I suggested config option and permission. There’s no dialog fatigue if you never see the dialog.
That being said, there really ought to be a little menu of permissions that can be granted to a website such that the website cannot make it blink, flash, or otherwise draw attention to it. Crud like “allow push notifications” could go there. Granting push notification permission to a site is fine, but I don’t think sites should be able to ask for push notification permission.
What if you have uninstalled Zoom? It seems that it leaves a web server on your machine that will re-install Zoom if it receives a request to join a meeting.
The whole reinstallation thing freaked me out, since I did try Zoom a while back, but apparently my own uninstall process kept the reinstallation hack at bay.
By this I mean:
I have no local web server running on 19421; and
Your link doesn't launch or reinstall anything for me.
Now, something I do that most people probably don't is periodically check StartupItems as well as the LaunchAgents and LaunchDaemons folders, so I can remove anything left over.
I do not mean to trivialize this problem, because what Zoom has done here is egregious and unforgivable, BUT is it accurate to say that the reinstall behavior depends on
1, usage of Chrome and
2, the presence of a StartupItem / LaunchAgent / LaunchDaemon?
I ask because it didn't work for me, even though I still had the ~/.zoomus shit in place (obvs, I don't anymore).
I just want to make sure I understand it properly, and that I've taken the necessary steps to prevent Zoom's unwelcome return.
I use uMatrix, and I've seen localhost show up as a domain a site tried to connect to quite a few times. I never gave it too much thought since I block all non-first-party resources by default anyway, but I now realise it could indicate the use of tricks like this to attempt to communicate with some other process running on my computer. I'll now make sure to look closer whenever I see this. I bet Zoom isn't the only one doing things like this.
They're not wrong. Empirically, users explicitly preferred Zoom because it lacked the "ask the user" step before starting a session. Less security is a user visible advantage.
Same problem Microsoft faced when it added "UAC" in Vista. Admittedly the implementation might not have been the best from a usability perspective but I think any attempt at implementing proper privilege management in Windows would have had many users complaining and not seeing the point.
I guess the lesson here is not to give your users bad habits for the sake of convenience otherwise it'll backfire if you ever want to do things right later. MS had everybody run as root for decades before they finally decided that it might not be such a great idea after all, and then they had to face annoyed users and bad publicity.
That being said I can't really imagine how having a non-intrusive "do you want to start the call" dialog before initiating the call can be considered a deal breaker. I assume you could even reduce that annoyance further by adding a "don't ask me again for this website/user/whatever" checkbox. Do you really think that would hurt Zoom significantly? I've never used their product so I can't really form an educated opinion.
This is especially stupid because I have no doubt that now that it's been made public some people will abuse the vulnerability, if only for fun.
It wasn't bad habits, up to Windows XP which introduced user separation on consumer oriented Windows (NT and 2K were meant for businesses and businesses who had networked PCs were really meant to use those) all personal computers were fully controlled by their users without any notion of privilege separation - this is a behavior that traces its lineage back to the original Altair 8800. Computers weren't networked and those who were were either running a different OS (NT, Unix, whatever) and/or controlled entirely by a single entity (a company). Or just didn't care and used Windows 9x.
And honestly i do not think it is bad habit even today. UAC is intrusive, the main reason you do not see it as much as at the past is because applications nowadays work around it: see how Chrome or even VS Code saves the executable files for their updates to your %APPDATA% folder (where normally regular data are going) to avoid the UAC annoyance of going through Program Files (which makes the UAC protection pointless) or how app stores like Steam change the permissions to "everything allowed" to be able to modify the folder contents.
People are using computers to do specific tasks they want to do, anything else is an annoyance and something they'll want to avoid.
Today's security issues come from things a lot of developers and companies simply do not want to acknowledge: trying to put everything online, connect all computers together, trying to have everything controlled by whoever writes the applications users use (putting everything online is a way to do that), trying to come up with monetization schemes where users pay nothing out of their own pockets, trying to make users pay subscriptions instead of one-off fees (the excuse is often that they have to somehow keep their servers going, willfully ignoring that the developers/companies are those who decided to make something run on a server in the first place and that by doing that they are the ones in control).
A lot of security issues would be gone if computers weren't so connected to each other. Sadly i do not see that happening any time soon since no developer wants to give up that sort of control (some developers nowadays do not even know how it is to not have it) and no company wants to get rid of the biggest excuse they have to ask for continuous payments.
Personal computers back in the 80s and 90s were very insecure, but that didn't matter because they weren't so connected as they are today. It isn't surprising that pretty much all famous security issues of the time (like the ILOVEYOU worm) happened exactly as that connectivity started getting widespread.
I think the only hope there is is that the IoT craze will blow up everyone's collective faces and realize that it might not be such a good idea to connect everything after all. Sadly the more cynical side of me thinks that what will happen instead is the introduction of more draconian user hostile measures which end up with the users losing every more control to big companies that control their devices and OSes in the name of security and usability (more like dumbability) and any voice against that would be marginalized as "you are a power user, you do not matter" (ok princess, then what are power users supposed to use after you lock down everything? - i guess the answer is somewhere between "expensive licensed workstations" and "nothing, now piss off").
They’re not incorrect. They are, however, wrong to think that users not caring about security means they don’t have to care either. Product makers have a duty of care beyond what their customers have.
No, less friction is a user-visible advantage, less security isn't user-visible, for most users, until sometime after the vulnerabilities exposed thereby are exploited and, when it becomes user-visible, is very much not considered an advantage.
Also, most users of zoom are job applicants - so theyre more likely to care less abt security because they really need to be in that interview session.
This is not even remotely true. We use at everyday at my workplace (Education) - thousands and thousands of employees as well as students . All of our contemporary peer institutions do the same.
Micro Snitch is a small MacOS toolbar application which runs in the background looking for system calls made to the camera or the microphone. It visually indicates when either are being used and logs the activity to a file for future review.
Do people who understand networking better than I do (i.e., almost everyone) want to explain how to universally prevent this localhost garbage? Like, some kind of firewall, combined with a simple command line trigger to open up a port when I actually want to? There's gotta be an open-source firewall for this kind of thing, right?
The notion that some random app can just spin up a server on localhost without my permission is completely insane. Also, this is why Gatekeeper, and the App Store "walled garden" are good---nothing should get the kind of permissions necessary to run a fucking localhost server that can reinstall a deleted app w/o user interaction!!
Even if you have the camera disabled (and I never gave camera permissions to zoom to begin with), it will still join a random stranger's meeting, which will leak your name (or whatever name you have configured). This may be important for some.
yup, shocked me when i noticed. changed the name and unchecked the 'remember name' feature. but it turns out that unchecking that will prefill the user account name, and next time the remember name feature is checked again. so that the only two choices are: either remember the name used last, or, if you uncheck it, have it fill in the account name.
Zoom’s UX has always come off as invasive. An application default that allows hosts to enable automatic camera join is an overstep, and the lengths they go to facilitate this while ignoring long standing, industry standard appsec guidelines to prevent XSS is relatively unsurprising yet hopefully not inconsequential to their enterprise customers.
I guess he reported to Chrome first because that’s what everybody uses, found their answer (or lack of answer) unsatisfactory, and then went to report to Firefox.
It should be pointed that an empty directory (even if owned by root) placed in your home directory can still be deleted by you, without requiring root. You need to place a file into the directory.
Or if you want something drastic, run
chflags simmutable ~/.zoomus
as root. This will make sure that not even root can delete it.
In order to verify that the opener was running, I ran the following command.
ps aux | grep zoom
To kill the opener I ran the following.
killall zoom
Then I followed the rest of the instructions above to create a locked down version of the directory. You could also create a file called .zoomus instead (similar to the suggestions made farther down this comment thread).
UPDATE no need to do this any more. Zoom actually conceded they were wrong and pushed out an update that removes the local webserver: https://imgur.com/gallery/INvYaH4 (from the discussion below in the thread).
Has anyone torn down recent-era Macbooks to see if the camera LED is still hardwired to the camera power and a reliable indicator that can't be software disabled?
This is even crazier, because a webpage could load the iframe or img tag lazily, long after the page has been opened and is in the background because the user left the tab open, and the user would have no way of knowing which page is responsible for opening Zoom.
Furthermore, in Chrome, the webpage can set a timeout which brings the browser window back into focus. So for example, if Zoom usually takes about 1 second to open, then the browser could set the timeout for 1100ms, so that zoom is only visible to the user for a split second before it's backgrounded with their camera enabled. Either of the following will bring Chrome back to the foreground:
The latter is a little less of an alert to the user that something has happened, since it could be used to reload the current page without the offending image or iframe tag, which would look to the user like the page just randomly reloaded itself.
If you do this audio-only there isn’t a telltale LED on the camera to give away that you are doing it. I’m way more worried about audio bugging than a webcam (which really only has the user’s face)
That's a hard problem to solve. An audio alert that the microphone has turned on would obviously be rejected by consumers, unless maybe some fancy processing were used to remove that alert sound from the recording. But even so, an audio alert would presumably only play once while the indicator light remains illuminated the entire time.
On the other hand while an indicator light is good for the camera, it's not sufficient for audio. If the computer is facing away from me, then the camera can't see me so my inability to see the camera light isn't that huge of a deal. But audio goes around corners so I could be recorded by a computer not immediately in eyesight.
If there were some reasonable third sensory channel to available for "out of band" communication, that would be ideal. But consumers will reject smell-alerts.
Investors would care if they thought Zoom’s customers cared enough to switch. I personally think this is terrible, but investors don’t seem to think Zoom’s customers care enough to change to a competitor, which makes me second guess whether or not this is actually a big deal to large customers.
If a company’s stock drops after a major vulnerability, you should buy. Equifax exposed everyone’s financial data and their stock is back above their pre-breach price.
Can’t Zoom add their own simple prompt to the local server which gets confirmation from the user that they want to join the meeting? Just one more click and not “nasty”.
No amount of security features can rival a small piece of black tape over the camera.
It also makes crypto-phishing (you've been recorded doing X, pay Y BTC) much harder to fall for. Where software could (and eventually will) be compromised, the attacker would have to physically access the machine to remove that tape.
AFAIK the light is controlled by the camera's firmware. So unless someone is able to hack that, the light will always turn on with the camera. That said, even Zuckerberg has sticky tape over his camera.
Just this morning we were on a Skype for Business call which, predictably, was a hot mess. We mentioned Zoom. I was on their home page. I was this close [ ... ] to installing it.
a) Apple removing Zoom from the App Store (at least for a fixed amount of time before they patch* this nightmare up),
b) releasing an update to MacOS that breaks Zoom's server completely (I know, I'm asking for too much here).
*talking about patching is a bit exaggeration here because this is not a bug this is a fucking trojan disguised as conferencing app, I'd truly truly block them from App Store for that, as a fellow developer I'm writing this with heavy heart but the incompetency of Zooms developers is enormous here, CEO can say anything he want but I'm pretty much sure it's impossible he was not aware of the fact how the core of his product works. It's not even unethical, you really have to have no imagination to do something like this.
Also - there's a different issue - Macs seem to be pretty solid when it comes to security but looks like ANY installer can just spin up web severs on our machines and we won't even know? I'm just a simple developer, not a devops, how can I prevent this in happening in the future? If they did it once they will do it again. And if not them then someone else. Any hints? Should I scan my ports every morning and see what can go through every single one of them?
It's been a while since I've been a Mac user but I used to use an app called 'Little Snitch' which would notify you about outbound traffic, perhaps it has a mode that can do something similar.
Safari asks you if you want to open an app that owns a URL scheme to prevent webpages from automatically triggering behavior you might not want.
Zoom decided they know better than the Safari team and decided to install this local webserver specifically to bypass the operating system's security policies, supposedly because "it is their key differentiator" or whatever.
Basically their product managers decided they wanted it to work a certain way and demanded someone do whatever nasty hacks were necessary to make it happen.
It turns out their nasty hack doesn't set the proper CORS policy so any random webpage can force you to join a meeting.
It also turns out they don't do what mac apps are supposed to do: keep this crap inside the app bundle so dragging the app to the trash effectively uninstalls everything. Instead they install to ~/.zoomus, don't document that fact, and if you hit a zoom link after "uninstalling" they automatically reinstall themselves.
Oh and they let the registration for one of their domains expire and nearly lost control of it, which would make this a RCE because their client doesn't do anything to validate their update packages as far as anyone can tell.
you forgot one more thing: they don't distribute their crap as a regular self-contained .app, they give you a .pkg which asks for elevated privileges during installation (this is why I don't have it installed)
Those little tricks to make things easier is why it's popular and why they're currently valued at $25,000,000,000 (though that should go down quite a bit tomorrow, still just an insane number for a company with $8m in annual profits).
Does this work in the Tor browser to launch the zoom client and expose your identity?
edited: after some research it is clear that this would work in the Tor browser. So if you are logged into Zoom using your real ID a malicious Tor site could launch the client and harvest your name. And if you are only using the browser bundle (and not routing all traffic through Tor) Zoom and/or Zoom+government could use this to expose the real IP of tor users.
"Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day."
So... what's the best way to really really uninstall Zoom client from our Mac?
It's mentioned in the article. After uninstalling the main application, you also have to kill the helper app named ZoomOpener. The article gives some Terminal commands to do this, but you should be able to find it in Activity Monitor if your more comfortable there. Once you kill ZoomOpener, remove it from the list of Login Items in System Preferences -> Users & Groups. Lastly delete the folder called .zoomus from your home directory. You can do this in Finder, but it'll be hidden by default, so you'll have to use Go -> Go to Folder... or some other trick to expose it.
The first time I installed Zoom, I opened up a pkg (an Installer package) and Installer said this package wanted to run a script to determine whether or not it can be installed. Usually this is for checking system version or some other harmless action. But for Zoom, this script immediately installed Zoom itself. I immediately thought something fishy was going on.
Ok here's the thing. Open Google Hangouts, or any other website that asks for permission to use your webcam, then close the tab. Go to terminal check if VDCAssistant is running using `lsof | grep -i VDC` it returns that it is running. I've had this issue since 2015 so I'm glad someone is talking about this now.. Is it just me?
> When you run a program that uses your Mac's webcam, OS X will launch a background process called VDCAssistant, which manages the connection and control of the camera. While this process should quit when the program stops using the camera, it may persist if an error occurs, and prevent future connections to the camera, either by the same program or by others.
> Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
A workaround to legitimate Safari security improvements.
I hope the Wall Street Journal and CNBC skewer this company and shred the stock price.
It always makes me wonder why people keep tape on camera sensor but don't care about microphones. Maybe I'm wrong but I think things you and other people around say can be of more value to the attacker than what you do or how you look like.
Apologies in advance if someone has already commented about this, but it would appear that Zoom removed that local web server feature for the MacOS version a few days ago:
---
Current Release
July 9, 2019 Version 4.4.53932.0709
New and Enhanced Features
-General Features
--Option to uninstall Zoom
Zoom users can now uninstall the Zoom application and all of its components through the settings menu.
> [UPDATE 2:35 pm PT, Tuesday 7/9] The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.
--
Looks like Zoom have decided to remove the Web Server from MAC and pushed out an update directly to the clients (before this, you couldn't get the Zoom Client to check for updates automatically) - The popup appeared post meeting.
The sad thing is that Zoom will probably get away with not fixing this, or fixing it much later than they should.
If you look on Twitter, anyone that has complained about this (huge) vulnerability is being redirected back to their blog post.
To make things worse, most non-technical users that have caught onto these posts are replying to say "thanks for sorting it out!"
This wouldn't be the first time a company sweeps a data leak or vulnerability under the rug. I remember when the Panera Bread stuff kicked off, and all they had to do was bury their head in the sand and wait for the storm to pass. There's currently a lawsuit in progress, but will that happen for a vulnerability like this?
I always thought it was paranoid to keep tape over your webcam, but this makes a pretty good case for doing that as a last line of defense.
I also want to express my complete disbelief that Zoom basically installed a back door on all its users' machines. It's hard to imagine a competent engineer not understanding the security implications of building something like this. I have no special security expertise, so when I see an exploit that I can actually understand it scares the living daylights out of me. In this case just about anyone with a web page can trigger this Zoom vulnerability.
Does anyone know of any working alternatives? We use Zoom a lot, it has the most hideous UI and the worst UX but so far it's been the only video platform that reliably works with tens and hundreds of attendees.
Jitsi Meet [0] is the simplest video conferencing solution that I have ever come across. To use it you go the website (or the mobile app) and that's it.
You have a free, private, end-to-end encrypted, efficient, multi-participant video chat which allows screen sharing and shared document editing. It works on every modern browser, you don't need to create an account, and you don't need to install an app (except maybe on mobile OS's). It's open-source and you can run your own server.
Searching my Macbook using to see if I have this on my machine using lsof, I found that I did not have it. But there is a suspicious "Adobe Desktop Service" listening on localhost:15292. I wonder what sort of fun things that would enable a random website to run on my machine. I don't even use Abode products, willingly, on this machine. Though I probably have installed at least one in the past.
I'm no infosec expert, If I wanted to figure out more about what this process was up to, how would I go about it?
So how does one remove these from their machine ? I can kill the process but it will just start again when I restart the machine. Also how do they do this ? I thought all startup items will be shown under Login Items in System Preferences.
If you want to test it without using your real webcam, I recommend CamTwist [1]. The author is in the group video call now. I joined for a short minute, and was relieved to see that my real webcam wasn't being used.
Normally I use CamTwist so I can write subtitles on top of my video feed when chatting with my gran. It seems it's also a good layer of extra security!
I did a test with myself and a coworker. I’m using macOS 10.12; he’s using 10.14. We both have up-to-date Zoom clients.
In our Zoom clients, we both already had the “Turn off my video when joining a meeting” box checked.
I set up a meeting, with participant video set to On, as the article describes. I took the new Meeting ID, launched Zoom, and joined my new meeting. I then sent my coworker the join URL using Slack.
My coworker clicked on the link, which opened the URL in Safari. Safari asked my coworker if he wanted to launch Zoom. My coworker confirmed that yes, he wanted to launch Zoom.
My coworker’s Zoom client did _not_ automatically start video. I never saw video come in from him.
I just received this message prompting me to "Update now."
Release notes of 4.4.53932.0709:
## Remove local web server
- We are discontinuing the use of a local web server on Mac devices. Following the update, the local web server will be completely removed from the Zoom installation Option to uninstall Zoom
- Zoom users can now uninstall the Zoom desktop application and all of its components through the settings menu
I just got an update! Good job Jonathan Leitschuh!
Release notes of 4.4.53932.0709:
Remove local web server
-We are discontinuing the use of a local web server on Mac devices. Following the update, the local web server will be completely removed from the Zoom installation
Option to uninstall Zoom
-Zoom users can now uninstall the Zoom desktop application and all of its components through the settings menu
> To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files.
> To prevent this server from being restored after updates you can execute the following in your terminal:
note the last part where the directory is removed (~/.zoomus) and touch creates a file ~/.zoomus. I am assuming a re-install will fail because it cannot create a directory again when there is already an existing file.
My guess is that if sometime in the future you want to use zoom again, the install will fail until you remove the file ~/.zoom
Not having to cede control to the user. If the user wanted/wants your software they know how to install software at this point. They also have a much better mental model of what that means.
This is thoroughly disappointing, given that Zoom is among the few popular conferencing programs that aren't complete garbage for Linux users. Thankfully the Linux client doesn't appear to be affected AFAICT, but this is trust-shattering nonetheless.
Is anyone noticing that port `19421` no longer has anything listening on it? We are noticing some machines suddenly stop listening on this port but they have not downloaded any update. In zoom patching the running web server without user interaction?
I'm surprised that Mac doesn't have a built-in firewall that warns if an app installs something that listens on a port. They advertise OSX as being "secure by design."
I'd guess the reason is that, if you don't have any of the native apps installed, and you click a Zoom meeting link, the browser will download the native client installer. There's no mention at all on the download page that there is a web client.
My job requires me to use zoom for communications – is there anyway I can run zoom in a container or something, so that when I kill the app all traces of it are gone?
"According to the Zoom team, the only reason this localhost server continues to exist is that Apple’s Safari doesn’t support URI handlers."
Which is simply wrong. macOS (and i*OS) have supported custom URIs forever. What feature are they wanting? Do they want random websites to be able to install URI handlers?
GoToMeeting and Zoom are two things I always insist not to use. There are perfectly acceptable online-only counterparts that don't need to infect my computer.
Would be interesting to see a list of software that installs a local server (http or otherwise) and whether or not it typically runs in the background on startup.
What blows my mind the most about all of this is how such a successful company has managed to engineer such a shitty solution to this very common problem. I’m not even speaking from a security standpoint (which is a catastrophe) but this feels like some holier than though neckbeard wanting to literally reinvent the wheel on everything. Encoding enum’s as images served from a local web server with various pixel widths??? You can’t make this up. I never liked their UX and now I guess I don’t like what’s under the hood either. Good riddance.
The title is click-baity. What it allows is a website to automatically join you into a meeting with the camera enabled and without you asking. So it's annoying, but it doesn't let a website secretly grab your video without you knowing.
The reason webrtc has permissions per site is because webrtc can indeed grab your video without you realising, so it's important to give each site permission to use your camera. This isn't the case with zoom...it pops up a massive window when you enter the meeting.
Blown out of proportion. A real vulnerability I wish was handled more seriously. But at the same time, even after I “fixed” the vulnerability, my preference in Chrome to always open links for zoom, with zoom, made it nonsense. The problem is with lax browser security and CORS as a product “feature”.
It is worth underscoring that the only reason this vulnerability exists is because Safari forced appropriate prompts? Zoom hacked around it, and got away with it. That’s on browsers to fix.
...no thanks. The author already mentions links you can use to check literally no reason to advertise this unless you, OP, are being malicious and/or didn't read the actual article.
I did read the article, and I don't have malicious intent. I was just trying to make a more easily sharable URL for people trying to test if they are vulnerable. I include links to the medium article and an update that there is now an update released to fix this web server issue.
Note: "Zoom" is a videoconfrerencing app, not a built-in Mac OS accessibility feature for "zoom".
The article does not clearly state this, ceding a plain English word to a corporation, enabling a takeover of human language.
P.S.: This part
> Apr 26, 2019 — Video call with Mozilla and Zoom Security Teams
is funny, and would be way funnier if it was an non-consensual video call.
Finally, note that Zoom effectively does not pay for bug bounties, so researchers should think twice about donating their expertise to a selfish for-profit corporation, and users should think twice about using a videochat product that allows its entire security team to take blackout vacations, and also doesn't pay its outsourced sercurity researchers.
Finally, note that Zoom effectively does not pay for bug bounties, so researchers should think twice about donating their expertise to a selfish for-profit corporation
I've read this a few times and am curious if this has really become the prevailing view about what security researchers are doing (i.e., uncompensated labor) when they notify vendors about security vulnerabilities.
The traditional view (which I think was widespread in the 90s or whatever) was that engineers who find vulnerabilities in products have a special responsibility to the public, and owe a duty to the people at risk: the users of the product (or whoever would be harmed if the vulnerability were exploited to malicious ends). Just like if you used your training as an engineer to discover that the Bay Bridge had a structural flaw and that drivers were at risk (or, in the case of Diane Hartley, that the new Citicorp Center had a design flaw and officeworkers were at risk). And this duty can be discharged a few ways, but often the most efficient way to help the people at risk is to educate the vendor and keep on their ass until they fix the problem in a free update. If the vendor pays you, fantastic, but you shouldn't accept payment that would prevent you from discharging your duty to the people actually harmed by the vulnerability's existence (e.g., if you take the vendor's money and it comes with an indefinite NDA, and they never fix the problem and the users remain at risk of being harmed by bad actors forever, you have not behaved acceptably as an engineer). This view probably emerged at a time when bug-finders mostly had salaried jobs and were privileged not to have to depend on payments from the same vendors they were annoying with information on their product's flaws.
A newer view (probably informed by bug bounties, etc., and also a broader community of people doing this stuff) seems to "no more free bugs for software vendors" -- that researchers who find vulnerabilities in commercial products are producing knowledge that's of value to the vendor, and the vendor ought to give them compensation for it, and if the vendor doesn't want to do that, the researcher would basically just be doing uncompensated labor to give it to the vendor, and is free to go sell the fruits of their discovery to somebody who does value their labor instead. Even if that means selling the bug to unknown counterparties at auction and signing a forever NDA not to tell anybody else.
The first view is mostly what we teach students in Stanford's undergrad computer-ethics course and what I think is consistent with the rest of the literature on engineering ethics (and celebrated examples like Diane Hartley and William LeMessurier, etc.), but I do think it seems to be out-of-step with the prevailing view among contemporary vuln-finders. I'd love to find some reading where this is carefully discussed that we could assign students.
I can't imagine selling bugs to the highest bidder ever becoming ethically acceptable. You can't pretend not to know that the high bidder is probably a cybercriminal. If you do this, your hat is clearly black.
Once upon a time, vulnerabilities were just nuisances and people could justify some gray-hat casuistry when the damage was just some sysadmin overtime to clean up. But now there are serious organized crime rings and rogue nation-states using vulnerabilities to steal and extort billions and ruin people's lives.
It's OK to choose not to work on products with no bug bounties, but if you do find a bug in one you must disclose it responsibly.
The first view meets some sort of ideal (I guess) but causes all sorts of free riding problems. In larger society these sorts of problems are solved through regulations. For example if someone identifies a structural vulnerability in a bridge, the agency in charge of the bridge has a legal obligation to take steps to fix it. That sort of regulation doesn't exist in software land.
The second view as you describe it (selling to the highest bidder) is clearly black hat, but it is completely ethical for a researcher to disclose a vulnerability to the public if the vendor doesn't fix it in a reasonable amount of time. So Project Zero and this disclosure are both fine. Yes, ordinary users may be harmed in the crossfire, but the vendor should be liable for damages.
Beyond just a prevailing "view", this duty to public safety is actually explicitly codified in the laws and regulations of most professional engineering organizations. To act otherwise would be a) unethical and subsequently b) grounds for loss of license to practice.
I would say the 'first view' you've described is what the bulk of professionals in the information security industry would still espouse as the ideal.
In my opinion this second view you are observing is carried by a vocal minority of participants in bug bounty programs and would be good fodder for a computer-ethics course.
10 years is nothing on the scale of language development, and SV is nothing on the scale of the English-speaking world :) Fear not, I bet there aren't enough words to go around for this to be a big deal long-term.
> Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
They seem to pay bug bounties if you agree to keep it down.
It's pretty well known in white hat circles that Zoom has a paid private bounty program through one of the "big 2". I know several who have got paid. Say what you like about non-disclosure, but it is the reality for most programs. We can disclose for pay, or disclose for fame, but usually not both.
It's ridiculous to install a constantly running web service that uses tricks to circumvent CORS protection and to get around Safari's protections, which were both rightly created to improve user's security.
It's not a "so-called vulnerability". As the article describes, this could be used in concert with another vulnerability to achieve RCE. Combining vulnerabilities is often how RCE is attained.
These actions undo the thoughtful work of information security professionals to protect users. It's astonishing to me that people can't see what's wrong here.
Jonathan pointed out something important on the chat last night. In many cases, the auto-join is a vulnerability it itself even if the video doesn't turn on.
It allows the attacker to potentially unmask your identity if you are logged into Zoom. When you join the call, you will show up in the participants list.
This is definitely something that you would not want to happen on various parts of the web. It kills your ability to browse privately.
> But insisting Zoom change the software because it's possible some doofus might be duped into joining a meeting with someone is kinda ridiculous, IMO.
In my experience (the energy sector), most of the people I interact with on Zoom would definitely fall for joining some random meeting that popped up. They are incredibly good at their field of expertise, but certainly doofuses when it comes to knowing how to click on things in zoom.
They already have you on video at that point. The summary above is very fair, there's no point trying to throw more PR at this problem. Ignoring other issues and focusing on the main point: They need to increase security by a huge amount by implementing a simple dialog with "Yes" not selected as default. They also need to communicate why they did this to their users and be honest.
If you qualify software that performs such a blatantly awful/wrong practice as fantastic, then you I'm afraid you need to redefine your views of what constitutes software.
This is a truly heinous design and should be lambasted as such
as demonstrated, "responsible disclosure" is a huge time waster for the discovery, and the price of this is undervalued even if the company had a clear bug bounty program.
its more valuable than 90-days of a developer's time, not even correlated to time at all really
I guess this depends on your definition of responsible. Something like this however is bad enough that users should be informed right away so that they can take steps necessary to secure themselves. Assuming they were responsive I'd have given them the 10 days to confirm it was an actual issue, but I'd have expected them to notify the pubic and their users of the issue and mitigation steps within a week.
> users should be informed right away so that they can take steps necessary to secure themselves
For the record, this could be accomplished by a trustworthy source announcing "there is a critical vulnerability in Zoom's macOS software and you should uninstall it immediately pending vendor response". Some researchers do this already -- Tavis Ormandy has, for example.
It's not a binary choice between no disclosure and releasing an unpatched PoC.
By the way, I'm not trying to argue that this researcher behaved unethically, just sharing another option. My usual take is that the researcher gets a lot of leeway for having to make a difficult decision and presumably trying their best to balance consequences, similarly to how a pilot trying to land an emergency plane has great discretion in how they do so.
It is mentioned in the third paragraph already, highlighted in green. They don't offer a method of clean removal to their users. They run a web server on your machine that will reinstall Zoom on your macOS whenever it is convenient for them (secretly, without asking you first).
Which isn't actually enough, since the surreptitiously installed server will happily go and reinstall the Zoom client for you whenever you load a zoom link, or a malicious link. You have to kill the server, and remove the ~/.zoomus directory as well. This is all pretty damning to be honest.
Just to be sure, I don't think that's enough. You might want to kill the running process and remove the binary (as described under "Quick Fix" section in the blog post)
The article’s actual title is: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
But, assuming I’m reading it correctly, the “maybe an RCE?” part seems like fear-mongering, because it would require that Zoom lose control of one of the domains that they trust for transparent client installs/upgrades.
I’m also a little concerned about how some parts of the article don’t match up. For example, the “UPDATE: June 7th, 2019:” does not have (as far as I can see) a matching entry in the Timeline. There is an entry for July 7, noting a regression; but there is an update the next day (July 8) noting that the regression has been fixed.
Dangling domains happen all the time. As long as the main one that's actually used is still controlled by the org, others can quite easily slip through the cracks, not renewed while still present in the codebase.
Indeed! It's not even a hypothetical in this case. According to the article, Zoom was just 5 days away from letting one of the domains expire when the author told them.
Zoom’s response to this[1] is a wonderful example of how not to respond to security issues. It includes the classic tropes:
* Our users don’t care about security.
> Our video-first platform is a key benefit to our users around the world, and our customers have told us that they choose Zoom for our frictionless video communications experience.
* We have no way of knowing if this has been exploited in the wild, so it’s probably fine
> Also of note, we have no indication that this has ever happened.
* Other products have the same vulnerability
> We are not alone among video conferencing providers in implementing this solution.
* We decided not to fix it
> Ultimately, Zoom decided not to change the application functionality
And also a lovely one I haven’t seen before:
* We tried to buy the researcher’s silence, but he refused
> Upon his initial communication to Zoom, the researcher asked whether Zoom provides bounties for security vulnerability submissions. Zoom invited the researcher to join our private paid bug bounty program, which he declined because of non-disclosure terms. It is common industry practice to require non-disclosure for private bug bounty programs.
1. https://blog.zoom.us/wordpress/2019/07/08/response-to-video-...
> Zoom invited the researcher to join our private paid bug bounty program, which he declined because of non-disclosure terms. It is common industry practice to require non-disclosure for private bug bounty programs.
Is an NDA really "common industry practice" for bug bounty programs? I know NDAs are common for pen-testing but it seems like an odd (and kind of dishonest) requirement for a bug bounty program.
Some kind of NDA terms are not unheard-of. Like a 1-3 month period in which to work on things during which disclosures won't go out.
That said, there's a slight disconnect between Zoom's two statements here. The first is that the researcher declined out of concerns over Zoom's NDA. The second is that NDAs are common. What this doesn't say is that Zoom's NDA is cookie-cutter or what the specific terms are.
If I were to guess, Zoom was using some unusual NDA and attempting to buy permanent silence.
4 replies →
Will they pay the rest of your team and your spouse as well? "I've already sent these results to a few colleagues around the world to test out, but don't worry, they won't disclose anything for 90 days".
Also, they seem almost entirely focused on "unwittingly joining a meeting" as the real problem here, ignoring the fact that they have made the extremely poor choice of exposing a dodgy control API on your mac to the entire internet. What are the odds there are no bugs in this shitty little HTTP server they snuck onto everyone's machine? The fact that they came within five days of losing control of one of the domains that has the power to install arbitrary code on every mac running this thing is absolutely insane, and they should be asking themselves 1) how that happened, and 2) how utterly screwed they would have been if they lost control of that domain.
In a more amusing alternate universe, someone discovered the zoomgov.com vulnerability, waited until it expired, snapped it up, then published an "update" that uninstalls zoom entirely. In a nastier one, they used this idiotic design flaw to pwn every zoom client machine out there.
It's exactly how you want to respond if you plan on sharing it publicly on Twitter in the hopes of fooling those not in tech.
If my mom stumbled into that article, she would likely think they perfectly explained everything (well... she would likely contact me but, still).
Given this news is already not sticking near the top of hacker news and barely reported elsewhere, it feels like they are already getting away with it for the most part.
Problem is, your mom is not in their market; their paying customers have paid IT people who do pay attention.
And hence Zoom just caved: https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-pa...
>> Ultimately, Zoom decided not to change the application functionality
Yeah "functionality".
> All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. > Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.
TBH, they're not as dismissive as you're sounding them to be
That part just doesn’t seem very responsive. Unless Zoom is recommending that everyone should turn it OFF, and urgently releasing a patch to make OFF the default, why does it matter that the vulnerability is in an optional feature rather than a mandatory one?
1 reply →
That is a pre-existing feature, and while it mitigates one specific aspect of the issue, it doesn't represent a security-focused response. Yes, I am saying that's not good enough: an appropriate, non-dismissive response would commit to writing code to deal with the issue raised, subject to the industry standard 90-day embargo. Depending on how much importance they place on their user's security.
Hi I'm the author, AMA
Or come hang out in the party chat!
Use the exploit to join: https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_ifram...
Stayed on that call for over 3 hours and I just have to say that it was one of the best experiences I've had on the internet in years.
People behaved pretty good considering it was a random public Zoom call (except for a few trolls, but nothing really bad).
It just felt like the internet of yore where random people would meet and chat and just be nice to each other.
Lots of interesting topics, people from all over the world, lots of surprised faces, random camera sights out the window, someone with a unicorn mask...
It was a blast. Thank you Jonathan for a great time!
Thanks for being cool!
I listened for a long time, learned a lot as well.
This made me think - is there any website that facilitates you to do such public conferences on zoom like clients. Basically a bunch of people who are interested in a certain topic could join and chime in - go from topic to topic. It could be a very healthy discussion. People could post and schedule meetings and essentially anyone who wants to learn could join. I do listen to podcasts often, but such meetings would be pretty different than podcasts. Does this already exist?
1 reply →
I didn't really participate, but yeah, it was a pretty entertaining happenstance gathering!
Interestingly, I implemented every mitigation listed in the article: kill the web server process, remove and add an empty directory at `~/.zoomus` to prevent it being re-added, remove Firefox's content type action for Zoom, and disable video turning on when Zoom launches. When I visit a Zoom join link or the POC link above, Firefox prompts me to open the Zoom client to join the meeting, and when I click "Open Link" the client opens just as it should and joins the meeting.
This seems to confirm that there is no functionality to create a seamless experience for the user that actually requires the presence of the web server. If you don't have the client installed the page can prompt you to download it the same as it would the very first time you download and install it. You can ask your browser to remember the link association and not be prompted for which app the link should open going forward. These are minor steps, even for a regular user, and ones with which most users are likely already familiar.
To me this further illustrates that the web server is truly just a ploy on Zoom's part to keep their hooks in users' systems, and have a way in that the user isn't privy to. Any other excuse they are giving about "enhanced experience" is dubious at best and deceitful at worst.
It seems the web server "is a workaround to a change introduced in Safari 12": https://news.ycombinator.com/item?id=20389668
> You can ask your browser to remember the link association
If that's true in Safari, then a web server is using dynamite to kill a fly.
If you want to see some part of this fixed, please UPVOTE this issue:
https://github.com/mozilla/standards-positions/issues/143
Have your checked for similar vulnerabilities in competing products such as GoToMeeting and WebEx? They have the same basic features.
RingCentral Meetings uses zoom.us engine but the local server runs on port 19424 instead. I'm able to replicate the issue on it.
PoC: http://localhost:19424/launch?action=join&confno=3535353535
6 replies →
bluejeans video installs a nasty daemon that runs at boot too. I'll never attend a bluejeans meeting again
5 replies →
> You can confirm this server is present by running lsof -i :19421 in your terminal.
Might be good to specify what the output would be if the vulnerability is present or not, like this:
"If the server is running on your machine, you'll get a line specifying which process is listening to that port. If the command returns empty, your machine is not vulnerable."
Huh, I'm on Windows and it auto-joined the meeting too, with video enabled. I wonder if this is because at some point in the past I opened a Zoom meeting and allowed Chrome to open the Zoom URI in the Zoom app?
We need "allow only for this session" (or tab) in the permissions popup bar.
Great chat, I think you were right when you said all vulnerabilities should have a video conference for Q&A after release. It was really helpful to get a better understanding of the platform and the threats facing it.
I asked Zoom support about this and they sent me to this page: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-...
The key thing here is they think this is a fair trade-off because Safari asks if you want to open Zoom.
> This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
I do not believe that this is a fair trade-off given that any website can act on this locally installed server.
EDIT: I think they need to be made aware that this isn't acceptable. My reply to their support team: I do not believe this is a fair trade-off - allowing any arbitrary web site local control of privileged software installed on my machine - because Safari offers a security prompt (specifically so that any arbitrary web site does not gain control of privileged software on my machine). I will be switching ~/.zoomus/ZoomOpener.app off, and considering other options until it has been fixed.
I realised I had a paid account, so I've cancelled that too. And I've also reported them to Apple, after seeing that the ZoomOpener app reinstalls the client - which is completely and utterly unacceptable.
Yeah, this seems like it must violate some Apple TOS, right? The uninstaller leaves behind a local webserver, that can't possibly be allowed.
1 reply →
Yeah, when I read this, I said WAT.
How on earth does Apple allow this ? I'm not excusing Zoom, but this is Apples fault.
2 replies →
> I think they need to be made aware that this isn't acceptable.
Oh, definitely. I cancelled my subscription because of this, but I wonder if the reason will make it through the corporate fog.
What is worrying is that more and more companies think it is fine to install "helpers", "openers" and other cruft. I recently removed several, and I still have to use software that scares me sometimes (DYMO web printing, Brother web printing). This should not be considered OK.
> I wonder if the reason will make it through the corporate fog
I really doubt it. Given the change control policies of huge corps and how awful it is to get anything new/get rid of anything they'll just toe the zoom party line and keep it.
What a glorious response. “Your product is broken.” “We know, we did it on purpose, and we’re proud of it!”
Not on my machine. I uninstalled with AppCleaner, visited a Zoom link in Safari, and the software reinstalled and started without my interaction.
> This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine. I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely. Come to find out, it really hadn’t been implemented securely. Nor can I figure out a good way to do this that doesn’t require an additional bit of user interaction to be secure.
Does anybody understand (and have a moment to explain) why the author says this is difficult to do securely? macOS has a simple facility for handling custom URL schemes, so my impulse would be to have `https://zoom.us/j/492468757` do a server-side redirect to a URL like, say, `zoomus://492468757`, which would launch Zoom locally using the OS's built-in services. This wouldn't require a third-party daemon of any sort, and would just be a regular application that the user could trivially uninstall.
Is there a security hole there that I'm missing? Or have I misunderstood the author's point?
A custom URI wouldn't work as seamlessly as zoom's UX team would have liked. If you hadn't installed zoom, either a nasty message would tell you the protocol wasn't supported, or it would redirect you to a google search.
Their answer was to send people to a URL they controlled and brought you through the install process as easily as possible, but the issue they needed to solve was determining if you needed to have an install or just redirect to the app.
They broke so many security rules just to shave off a few inconvenient seconds, and those seconds rose them to the top.
Am I the only one seeing the pattern here. Most security loop holes I have witness have existed at the cost of providing a better user experience.
8 replies →
Ah, yeah, the flow for when the app isn’t installed makes particular sense (at least as a motivation for why someone would implement something so awful). Thanks!
14 replies →
> The UX team
You seem to imply that they have an UX team but not a security team, so nobody convinced anybody else that this wasn't a good idea.
Without genuine security orientation, even if an expert realizes there is a security problem, who wants to be the boring paranoid pessimist who wastes time and attempts to ruin products, only to be staved off by the efforts of more productive employees that focus on adding value?
4 replies →
I have some experience with this, you can use javascript on the https:// meeting link to detect if the app protocol (zoom:// or whatever) exists. If the app protocol exists then go straight to the app protocol link. If it doesn’t then prompt the user to download and install Zoom. The JS is a bit messy and requires a few different approaches but it works on all popular browsers on Windows and Mac (Linux support wasn’t needed, so not sure).
Of course, the browser will pop up a confirmation dialog to ask if you want to open the Zoom app but this is a feature not a bug.
Citrix Workspace does exactly this and it works fine
The basic problem is that you enter a meeting by loading a URL, and loading URLs is something any website can do. There probably needs to be a confirmation step before joining a meeting.
A custom URL scheme would at least provide an opportunity to confirm launching Zoom, even if Zoom itself didn’t confirm joining s particular meeting (which I agree it should).
They put this in place precisely to avoid Safari's "Do you want to open this in Zoom" confirmation prompt
Once you deleted the localhost server they have running, they actually fallback to using the protocol.
Yes, verified. Terminated and deleted ~/.zoomus, links to join Zoom calls still open, but I am prompted to open Zoom first.
i didn't see that. for me it just failed and to join a meeting now i need to open the zoom client and copy the meeting id manually. not a big deal for me, just wondering...
Can you reliably delete the server?
1 reply →
below down the post, zoom team said that this feat exists because Safari doesn’t have custom url scheme.
I've opened up Safari and it properly asks me if I want to open slack when using: slack://test
When I clicked the PoC link in Safari, it launched the Zoom app using a URL scheme. ("open in ...?" dialog put up by Safari)
Oh, yeah, I missed that. That’s patently false.
That’s just false. Safari opens custom URIs.
If Universal Links was supported on macOS we could get the best of both worlds.
The web server basically presents meta-data in a JSON-file (in the .well-known directory) which Safari/iOS uses to launch the app if it is installed, and otherwise just renders the webpage [0].
The app contains information about which domains it allows itself to be opened from which would fix this issue.
[0]:https://developer.apple.com/library/archive/documentation/Ge...
Universal Links will be supported on macOS Catalina. Reference: https://developer.apple.com/videos/play/wwdc2019/717/
Universal Links are better than their localhost webserver insanity, but don't really solve this. A malicious website can still redirect you to a zoom.us URL that will instantly join the meeting without confirmation.
The underlying problem is that they want a URL to join a conference call hosted by any random user and share your audio/video without confirmation. And it's simply not safe to trigger that kind of action from a URL.
1 reply →
> why the author says this is difficult to do securely? macOS has a simple facility for handling custom URL schemes
So does all other operating systems and this has been a thing for at least a couple of decades. This is not the problem.
The problem is that this feature is severely locked down in all modern browsers, precisely due to the security risks involved.
Relying on this feature in a critical user interaction path is a guaranteed way to get flooded with support-requests.
Disclaimer: have replaced custom protocol with other solution in end-user facing production projects.
Positively terrible... Kudos to this researcher. I liked Zoom when I used it a couple of times, but the reinstall “feature” is a huge violation of my trust. Software from the company behind it will not touch my system anymore. Too bad really, because properly working video chat is hard to find. The App Store model is not my favorite, but at times like these, a forced sandbox and inspection by a trusted third party start to look like the only way forward.
If you had a sandbox, you wouldn't even need anyone to inspect it - since all the app's files would be contained in one place, uninstalling it would remove everything, and there wouldn't be a way to leave a server behind.
This just in: Bad behavior is still bad behavior when it's possible to mitigate it on the user side.
Consider how many people use Zoom and don't even know that Hacker News exists.
1 reply →
What reinstall feature?
This "feature": https://apple.stackexchange.com/questions/358651/unable-to-c...
It silently reinstalls if you follow any Zoom meeting link.
1 reply →
In response to all of the well-deserved criticism, Zoom just made two updates to their blog post[1] to announce that they will be completely removing the webserver for all macOS users in a new release tonight, and also adding an option prompt going forward:
JULY 9 PATCH: The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following: 1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device. 2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
PLANNED JULY RELEASE: Additionally, we have a planned release this weekend (July 12) that will address another security concern: video on by default. With this release: 1. First-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. 2. Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.
Edit: the new version is now released at https://zoom.us/download
[1]: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-...
> Remove the local web server entirely
Thank goodness. Sanity has prevailed.
You know you've blown it when the following appears in a buzzfeed article about your software:
> open the application called, “Terminal.” Copy and paste this text: lsof -i :19421. Press enter. You’ll get a string of mumbo jumbo. Underneath the text “PID,” copy the string of numbers underneath. Then type “kill -9” (without the quotes), add a space after -9 and paste the PID string of numbers. Press enter. The server has been killed.
:D
Verified that the patch removes the web server.
What I'd really like to see now is them addressing the fact that their initial response to this was terrible, as if whoever was making the decision had no idea how bad this design was from a security standpoint.
1 reply →
> We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server.
Including the local web server that definitely doesn't exist anymore anyway after this patch?
I uninstalled it via their new patch, but it doesnt remove all files. I think its just caches and logs left but who knows. If you want to purge this malware with fire you still need to follow the instructions at https://apple.stackexchange.com/questions/358651/unable-to-c...
HIPAA provides an effective strategy for holding Zoom’s feet to the fire in cases like this. Since the company markets compliant video conferencing for healthcare professionals, they are classified as a Business Associate. It is quite likely that a well-written complaint on the HHS Office of Civil Rights site would result in further investigation and regulatory action.
software companies tend to be safe from this kind of thing (less everyday though). but they could lose their users
Only insofar as that people usually do not complain. I’ve worked with software clients on OCR investigations that were prompted by far less substantial complaints.
Not sure I follow the CORS angle. The linked stackoverflow question mostly seemed to be someone who was confused about how CORS works, and the issue in the Google Chrome tracker was closed as WontFix because they couldn't reproduce it and said it should work.
I'm nearly positive that CORS from localhost works OK. I set this up all the time for local development. For example, I run a client CRA app on localhost:3000 and an API on localhost:3001. The API sets the CORS headers and the CRA app can make requests to it.
If this is correct then I believe all Zoom needed to do is have their localhost application set CORS headers for their production domain. This would have allowed AJAX communication and only allowed it for Javascript running on their domain. Instead they did this totally hacky method that lets the whole world interact with the localhost server...
Maybe I missed something but if they could have done this the right way and didn't that is much worse IMO...
You're 100% correct, and while someone has pointed out the proper headers that need to be set on the bug report here: https://bugs.chromium.org/p/chromium/issues/detail?id=67743, it's been drowned out by people who don't seem to understand the issue:
http://williambert.online/2013/06/allow-cors-with-localhost-...
CORS is hard, I've struggled on it several times, and I'm not surprised an engineer gave up trying to fix it because of deadlines.
Can confirm, CORS (Origin: ramdomsite.tld to localhost) works just fine in Chrome.
If you have a CORS enable server on localhost you can make requests to it from http://www.test-cors.org
Am I right in thinking that CORS only applies to Javascript-initiated requests? This trick uses an embedded image to make the request.
That's correct, and part of my point. If they used CORS headers correctly it could both be secure and not require a crazy image hack.
The image hack seems like a lot of work to go through to make an app LESS secure.
7 replies →
I'm trying to think of the real-world implications and how this would play out.
Normally this would be pretty obvious, wouldn't it? Users would see Zoom open into some weird meeting, and close it.
Presuming the exploit cannot avoid bringing the Zoom app to the foreground when it joins the meeting and activates the camera/mic. If it can do that and stay in the background, all bets are off.
In spite of its obviousness, it's still pretty darn scary --
Scenario 1: malicious website/app opens link while you're sitting there.
You're sitting in front of your computer, you see Zoom open, you're like "WTF?!", close that shit, uninstall Zoom; hopefully discover how to permanently remove it (it otherwise leaves a localhost http server running that can reinstall itself).
But crap the hijackers have, even with a few seconds of video: your face, your surroundings, the audio of your surroundings, all of which can increasingly be fingerprinted. That alone is very scary. Just to be in an unintentional meeting for a moment is very disturbing. A violation of sorts.
Scenario 2: malicious website/app delays opening the link until some threshold of mouse/KB inactivity is reached.
Activate the Zoom link and hope the person is AFK. Spy on their home/office/whatever. Also a violation.
Are there other scenarios I am missing?
Personal note 1: I'm happy I switched to a Linux laptop after finding last year's MBPs disappointing (and the TB revolting; I have a physical escape key!).
Personal note 2: I do actually like Zoom a lot, it's an awesome video conferencing app. But this should be fixed for Mac users.
I wonder if this works in an electron app (like Slack maybe) displaying it?
Maybe you could intentionally send this link to someone shown as inactive on Slack, and have the WSlack webpage preview thing run enough javascript to pop open Zoom with the camera and mic running...
I'd test it myself, but I deleted Zoom and the sneaky localhost web server while I read the article...
It says that the server sends an image with certain dimensions back as an error code, so I wonder what you could do if you served some simple HTML that uses the local server as a meta tag that renders in the preview?
I imagine slack would do that on the client since it’s built on electron.
Unless it requires more than loading a URL.
> Activate the Zoom link and hope the person is AFK. Spy on their home/office/whatever. Also a violation.
I think this is the most likely scenario. There are ways you could potentially delay it (e.g. they leave a tab open and you don't open the link until a certain time)
Scenario 1 extended: Add this into an ad or a popover for a porn site and potentially capture some very compromising footage.
Scenario 3: Add it as a tracking pixel in an email.
I guess there are all kinds of scenarios since it's an unsecured API that responds with an image. You can trivially embed it in anything that renders HTML.
Scenario 3: You want to be a jerk and put someone into a meeting they weren’t in to get them in trouble.
Well, the company and product are dead to me now, gonna hassle our CTO to switch. I just really hope theres some dev at Zoom who hated this whole installing backdoors idea who's gonna have the greatest "I told you so" day at the office tomorrow.
We work with a lot of hospitals and find that video conferencing tools are often blocked by their IT departments for security reasons. I’m expecting Zoom to find itself on that list in short order.
Interesting to me that this would be your CTO’s decision.
Hes my direct report-to and has ears of everyone that matters, so its really just my decision of who to pester to get it up the chain.
“On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port 19421.”
...
“All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running. This is still true today!”
This server is still running on my machine despite having "removed" Zoom a few months ago (macOS).
Guess I was a bit naive in thinking just trashing the .app and immediate artifacts in Library would do the trick.
EDIT: I missed the .zoomus directory in my home folder that had the culprit. Funny enough Zoom's instructions on how to uninstall the app on macOS just points to documentation from Apple and wikiHow (???) with standard methods that don't fully remove Zoom.
I'm sure Zoom intentionally failed to tell you how to remove the web server. After all, if it's still running, then it's just that much easier to reinstall Zoom on your machine.
I’m surprised more enterprise IT orgs haven’t flagged this behavior, or simply made it impossible via local machine policies that would prevent running a web server.
.../.zoomus/ZoomOpener.app/Contents/MacOS/ZoomOpener
Does anyone know how this web server starts itself after restarting your machine? As far as I know, a `~/.zoomus` directory can't restart a web server after your machine restarts.
It doesn't start on boot, it starts on login. It appears as a Login Item named ZoomOpener in your local user account in the System Preferences -> Users & Groups.
Additionally, when you launch the main application, it will check to see whether ZoomOpener is running. If not it will boot it up. The main app will install and register ZoomOpener as a Login Item if necessary.
I think it's because it runs on a port higher than 1024, so it doesn't need root privileges to start a web server on that port.
The most damning part of the conclusions:
> This being said, I also recommend that any researcher that finds a vulnerability in Zoom’s software does not directly report the vulnerability to Zoom. Instead, I recommend that researchers report these vulnerabilities via the Zero Day Initiative (ZDI). The ZDI disclosure program gives vendors 120 days to resolve the vulnerability, the ZDI will pay researchers for their work, and researchers have the ability to publicly disclose their findings.
On my Mac, I have uBlockOrigin installed in my browser and I have it configured to always block 3rdparty and 3rdparty frames and it prevents both the POCs completely.
I have one browser that I use for work email and video conference, where system grants access to camera/microphone to the browser and browser allows Google Meet to access camera.
I have another browser where system does not grant access to any of the devices - camera, microphone, USB etc - and I use that for web surfing.
And I strictly don't install any plugins for video calls. I have refused to join meetings where people try to make me install random binary software on my machine. There's always phone call for such situations.
I feel better about dedicated apps on iPhone where again I can install and grant permissions before the call and then uninstall the app completely. On iPhone I don't do any web surfing. I have Firefox Focus for occasional emergencies to open the unknown web.
Refusing to install software for video calls is a good policy. Also, having a throwaway workstation for such things (also Skype, which is spyware of the worst kind) is useful too, for when it’s a pre-sales call and security can’t outweigh closing a six+ figure deal.
and I am in the crowd of mac users who tape over their camera. when it comes to video conferences at most I have ever seen the desktop shared. what type of work do you do that uses the video for portions other than the presentation?
You weren't asking me, but I run into this same thing.
In my business -- project management software -- I'm in online meetings a LOT (say, 20 hours a week?) because everyone in my company is remote. We have never, ever used video. It just doesn't come up. Nobody wants it internally, and none of our customers ask for it in external meetings. I don't think any of them use it internally, either (and many of our customers are large, distributed organizations with offices all over the place).
This seems normal to me.
My neighbor is an IT VP for a health care concern. She travels a lot (30-40%), and when she's home she's in online meetings pretty much all the time. And in her company, video is ALWAYS included. I have no idea why, and neither does she; it's a cultural thing.
The upshot, though, is that I work in t-shirts and cargo shorts, and she has to be "office ready" even though she works at home. However, I will note that, if I run into her outside when she's walking the dog, it's not unusual to see her in a nice blouse, hair and makeup done, but wearing yoga pants or whatever. Which is its own kind of hilarious.
Sounds like false security thiugh- at least the camera has a light (which last I heard has been hardware level synced with the camera) so you know if someone's watching but what you have no control over is the microphone
1 reply →
Video meetings are so much more effective than audio meetings. I went from a company that always uses video to a company that rarely uses video and the difference is huge.
Often the most important parts of meetings are nonverbal.
> what type of work do you do that uses the video for portions other than the presentation?
My department (of 400 people) is split between two cities. I am regularly in meetings with people from the other city.
Google Meet is a big part of our culture. It helps with team cohesion and collaboration to actually see each other's faces when we meet.
It is of course not _required_ but I really believe it is better than just audio.
To ubermonkey's point, some of this can be a company culture thing.
Certain teams at my workplace use webcams all the time, others never. My team leverages them quite a bit, as our team is all over the world. It helped solidify our team members not just as random voices on a phone line, but as actual people who we will likely never meet in person.
HN part of the unknown web?
Another small thing (big for me) Zoom does is register their app as the handler for `tel:` links every time you launch it, with seemingly no way to disable that. Companies that make themselves the default for something on your machine by force are not to be trusted.
I’m not surprised they start a web server from under their users, and that their response to the vulnerability was lacklustre.
You might be able to remove this with https://github.com/Lord-Kamina/SwiftDefaultApps
I’ve opted to remove Zoom instead.
1 reply →
Why isn't zoom running fully in the web browser at this point? Meet does this, and as far as I can tell the quality is indistinguishable from Zoom. Can someone with a better understanding of the underlying protocols shed light on why Zoom continues to ship a separate desktop app?
They do have a web client, but not WebRTC. See this reverse engineering of their protocol: https://webrtchacks.com/zoom-avoids-using-webrtc/
TBH I don't really understand their rationale. Nothing about it strikes me as "better" than WebRTC.
To allow meeting participants to use the web client to connect to a meeting requires the meeting host to explicitly enable the option in their advanced settings (it is disabled by default).
"as far as I can tell the quality is indistinguishable from Zoom"
In my experience, the quality is similar to Meet when all parties have great internet connections. But if one or more parties has high/variable latency or packet loss, then Zoom provides a much more smooth experience.
You can do so much better using a native app than a webapp. UDP transport is really important for real-time communication.
Google meet uses UDP: https://support.google.com/a/answer/1279090?hl=en
WebRTC typically does use UDP. But it certainly isn't as flexible as what you can do with a native app.
What's meet? A web search turns up nothing.
Not related to zoom, but I'm working with a team which uses 'highfive'. I can't, for the life of me, get the downloaded desktop app to ever work. There's this perpetual dance of "you need to be logged in" and "register now" and "log in". I was thinking it was something to do with the VPN, but it seems to be the same on or off. However, grabbing the full URL and pasting in to Chrome, works like a champ. I'd prefer to use the desktop app, but I can only get the browser version to work.
Why is the web client (on Chrome, etc) so bad on Zoom ? I mean, people are building Google Earth on the browser .Its not just the bad video experience - even the product experience is seriously broken.
For example, the default audio setting when you sign in to the web video client is to connect using PHONE AUDIO. In case you figure out how to click the tab to use computer audio...it breaks down a couple of time in asking for browser permissions (camera, mic). It is unusually bad for something that is supposed to be that good.
there are all these articles about the comparisons - https://webrtchacks.com/zoom-avoids-using-webrtc/
https://bloggeek.me/webrtc-vs-zoom-video-quality/
hangouts still rules when it comes to web based video conferencing. And for countries with massive linux based usage (like India), Zoom is not a very viable option.
Jitsi Meet is also an excellent web-based video conferencing tool. They also have a basic comparison of WebRTC vs Zoom [0] which is actually has the same demonstration video as your second article. I posted a basic overview elsewhere in this thread [1], and I would strongly recommend it.
[0]: https://news.ycombinator.com/item?id=20390149
how does it work ? because we do larger conference calls with a distributed team of 40 people. As in - is there a paid plan, etc
also, does it work with mobile apps ?
1 reply →
The Zoom client on Linux used to (?) have a nasty command injection. The URL for joining a meeting got passed to some bash reinvocation (so they could set the library path if my memory serves me). A specially crafted URL could execute commands on the system. I haven't been too interested in using Zoom since seeing that.
I hadn't heard of this, so I looked it up, and you are right: https://www.exploit-db.com/exploits/43354
At least that was patched. These sorts of issues are frustrating, because as a Linux user I really want to like Zoom -- I appreciate that the treat all platforms pretty equal (Mac, Windows, Linux, Android, iOS) with native apps. That is a rarity.
For the longest time the Linux client would just crash randomly. It also tends to heat up your laptop and use all of your cores at 100% if you're looking at someone's screen.
Just run `strace -f zoom 2> wtf.zoom` to see all of the shit it does (looks like it is polling for events like crazy).
I tested the repro-steps and found that the ZoomHelper was not listening, although it was installed . In this case i was prompted to download zoom.pkg rather than activate video.
I'm guessing it was because I have MacOS firewall = strict (no listening ports)
Also, here's a nice tip to show all listening apps (good habit while cleaning up)
Zoom's official response to this issue: https://assets.zoom.us/docs/pdf/Zoom+Response+Video-On+Vulne...
Blog post too, which seems to be somewhat different: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-...
From the article:
"To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files."
Does osx not have the fuser command? It lets you find and kill a process by its tcp port (also file handles) in one command.
On Linux I use something like 'fuser -k 19421/tcp' to kill server processes all the time. It is super useful when working with local dev servers etc!
It does, but unfortunately without the -k flag.
><img src="http://localhost:xxxxx/launch?action=join&confno=492468757"/...
So a browser allows a random remote website access to stuff running on the localhost interface? Is this a good idea? Stuff like camera access I can at least disable...
Yep. This[0] post[1] from a few months ago touched on this with more discussion.
[0] https://news.ycombinator.com/item?id=20028108
The browsers allows anything according to the CORS configuration on the target website. Perhaps it would be a good idea to prompt for access to localhost/127.* resources.
Hosting a web server on localhost is the equivalent of adding a backdoor on your customer's machines. How does a product team even reach this decision?
By being blind to the implications.
The most charitable interpretation of the Superhuman read-receipt problem is kinda the same thing: they had an idea, thought it was good, and then did some deeply shitty things to make it work. And nobody at Zoom or at Superhuman had the organizational power to stop it.
Do you know if this vulnerability might manifest in other ways, and permit remote participants to force you into sharing or viewing your screen silently?
One of the first times I'd ever used Zoom was in a call with a startup trying to pitch my company on something. The remote participant said something later in the call that was uncannily prescient and related to notes I had in a separate application window. I wrote it off as coincidence, but the phrasing used (and the fact that it was an answer to a question I hadn't asked) seemed nearly verbatim to my written notes.
I really wish physical switches that cut power to mics and cameras were standard on everything.
I know that would be change from how hardware works / is designed now but it also seems like the only reliable line of defense.
some computers have this e.g. raspberry pi
And the upcoming pinebook pro: comes with a hardware privacy switch for camera, microphones and bluetooth/wifi.
For those who aren't familiar with pinebooks, they're $99 arm-based linux laptops.
1 reply →
This is crazy, heres a video what happens after deleting and opening your URL. https://www.youtube.com/watch?v=DMY7Z9Fe0ic Before testing that I had the app itself removed months ago...
These meeting apps feel like the browser plugins of the 2000's. There are so many that do almost the same thing they now resort to seriously insecure methods to make sure you have theirs installed and never remove it.
Apparently one less click is a competitive advantage, whatever the cost.
I don’t get Mozilla and Chromium’s responses. I can think of few cases in which a website should be allowed to issue requests (CORS, img, or otherwise) to an address on the local network and none whatsoever in which a website should be able to contact localhost.
The fix seems straightforward. Require user permission to access the local network (subject to appropriate heuristics as to what “local” means). Require a config option and user permission to access localhost. Problem solved.
The problem with asking permission is dialog fatigue and similar.
As far as supporting local content: Historically a lot of terrible (read: Enterprise, H&R Block tax software, etc) apps are glorified webpages, coupled with a local server that provides things like FS access and malware installation. Those apps use a kludge of remote and localhost urls, and generally expect to work.
I suspect at this point though that browsers will just start going for the "no access to localhost" route as this practice is mercifully dying out (alas in favor of Electron apps shipping full, but out of date, browsers).
To me the bigger problem is: Zoom installed a server on a machine, without consent, with the ability to install software (without consent). Removing the browser's access to that service doesn't mean anything because an attacker can always just directly attack the server.
Even if the server locks connections to exclusively coming from localhost they've provided a service that can install and launch software, which can therefore be used as a sandbox escape - e.g a super constrained network service gets compromised - the idea is that service can't modify the filesystem or what have you, but now it can just connect to localhost and get a file written to disk.
People keep on complaining about apple "locking down the system", but its because of developers like Zoom that Apple needs to do this: and average user is not going to see this post, and Zoom has clearly decided that it is in their interests to leave a service running that can install software for them.
I hope that apple drops the XProtect hammer on the server binary, and the ban hammer on their signing cert.
Yes, but blocking browser access to localhost from non localhost pages would stop the attack by simply visiting a webpage.
It’s as much the fault of browsers for leaving the hole as Zoom for doing a shady job exploiting it.
Very disappointed at Mozilla for their meh response.
1 reply →
> The problem with asking permission is dialog fatigue and similar.
That’s why I suggested config option and permission. There’s no dialog fatigue if you never see the dialog.
That being said, there really ought to be a little menu of permissions that can be granted to a website such that the website cannot make it blink, flash, or otherwise draw attention to it. Crud like “allow push notifications” could go there. Granting push notification permission to a site is fine, but I don’t think sites should be able to ask for push notification permission.
1 reply →
How to protect yourself:
"Disable the ability for Zoom to turn on your webcam when joining a meeting."
It's under Settings->Video in Zoom, check "Turn off my video when joining a meeting".
What if you have uninstalled Zoom? It seems that it leaves a web server on your machine that will re-install Zoom if it receives a request to join a meeting.
Really? That’s nuts. Makes you appreciate the iOS app model a bit more.
Everything sandboxed, delete an app and all traces of it are gone.
3 replies →
The whole reinstallation thing freaked me out, since I did try Zoom a while back, but apparently my own uninstall process kept the reinstallation hack at bay.
By this I mean:
I have no local web server running on 19421; and
Your link doesn't launch or reinstall anything for me.
Now, something I do that most people probably don't is periodically check StartupItems as well as the LaunchAgents and LaunchDaemons folders, so I can remove anything left over.
I do not mean to trivialize this problem, because what Zoom has done here is egregious and unforgivable, BUT is it accurate to say that the reinstall behavior depends on
1, usage of Chrome and 2, the presence of a StartupItem / LaunchAgent / LaunchDaemon?
I ask because it didn't work for me, even though I still had the ~/.zoomus shit in place (obvs, I don't anymore).
I just want to make sure I understand it properly, and that I've taken the necessary steps to prevent Zoom's unwelcome return.
I use uMatrix, and I've seen localhost show up as a domain a site tried to connect to quite a few times. I never gave it too much thought since I block all non-first-party resources by default anyway, but I now realise it could indicate the use of tricks like this to attempt to communicate with some other process running on my computer. I'll now make sure to look closer whenever I see this. I bet Zoom isn't the only one doing things like this.
> Our users don’t care about security.
They're not wrong. Empirically, users explicitly preferred Zoom because it lacked the "ask the user" step before starting a session. Less security is a user visible advantage.
Same problem Microsoft faced when it added "UAC" in Vista. Admittedly the implementation might not have been the best from a usability perspective but I think any attempt at implementing proper privilege management in Windows would have had many users complaining and not seeing the point.
I guess the lesson here is not to give your users bad habits for the sake of convenience otherwise it'll backfire if you ever want to do things right later. MS had everybody run as root for decades before they finally decided that it might not be such a great idea after all, and then they had to face annoyed users and bad publicity.
That being said I can't really imagine how having a non-intrusive "do you want to start the call" dialog before initiating the call can be considered a deal breaker. I assume you could even reduce that annoyance further by adding a "don't ask me again for this website/user/whatever" checkbox. Do you really think that would hurt Zoom significantly? I've never used their product so I can't really form an educated opinion.
This is especially stupid because I have no doubt that now that it's been made public some people will abuse the vulnerability, if only for fun.
It wasn't bad habits, up to Windows XP which introduced user separation on consumer oriented Windows (NT and 2K were meant for businesses and businesses who had networked PCs were really meant to use those) all personal computers were fully controlled by their users without any notion of privilege separation - this is a behavior that traces its lineage back to the original Altair 8800. Computers weren't networked and those who were were either running a different OS (NT, Unix, whatever) and/or controlled entirely by a single entity (a company). Or just didn't care and used Windows 9x.
And honestly i do not think it is bad habit even today. UAC is intrusive, the main reason you do not see it as much as at the past is because applications nowadays work around it: see how Chrome or even VS Code saves the executable files for their updates to your %APPDATA% folder (where normally regular data are going) to avoid the UAC annoyance of going through Program Files (which makes the UAC protection pointless) or how app stores like Steam change the permissions to "everything allowed" to be able to modify the folder contents.
People are using computers to do specific tasks they want to do, anything else is an annoyance and something they'll want to avoid.
Today's security issues come from things a lot of developers and companies simply do not want to acknowledge: trying to put everything online, connect all computers together, trying to have everything controlled by whoever writes the applications users use (putting everything online is a way to do that), trying to come up with monetization schemes where users pay nothing out of their own pockets, trying to make users pay subscriptions instead of one-off fees (the excuse is often that they have to somehow keep their servers going, willfully ignoring that the developers/companies are those who decided to make something run on a server in the first place and that by doing that they are the ones in control).
A lot of security issues would be gone if computers weren't so connected to each other. Sadly i do not see that happening any time soon since no developer wants to give up that sort of control (some developers nowadays do not even know how it is to not have it) and no company wants to get rid of the biggest excuse they have to ask for continuous payments.
Personal computers back in the 80s and 90s were very insecure, but that didn't matter because they weren't so connected as they are today. It isn't surprising that pretty much all famous security issues of the time (like the ILOVEYOU worm) happened exactly as that connectivity started getting widespread.
I think the only hope there is is that the IoT craze will blow up everyone's collective faces and realize that it might not be such a good idea to connect everything after all. Sadly the more cynical side of me thinks that what will happen instead is the introduction of more draconian user hostile measures which end up with the users losing every more control to big companies that control their devices and OSes in the name of security and usability (more like dumbability) and any voice against that would be marginalized as "you are a power user, you do not matter" (ok princess, then what are power users supposed to use after you lock down everything? - i guess the answer is somewhere between "expensive licensed workstations" and "nothing, now piss off").
17 replies →
> Do you really think that would hurt Zoom significantly?
Zoom is a publicly-traded company now, so I am sure that adoption through convenience trumps a lot of other concerns.
They’re not incorrect. They are, however, wrong to think that users not caring about security means they don’t have to care either. Product makers have a duty of care beyond what their customers have.
> Less security is a user visible advantage.
No, less friction is a user-visible advantage, less security isn't user-visible, for most users, until sometime after the vulnerabilities exposed thereby are exploited and, when it becomes user-visible, is very much not considered an advantage.
Also, most users of zoom are job applicants - so theyre more likely to care less abt security because they really need to be in that interview session.
This is not even remotely true. We use at everyday at my workplace (Education) - thousands and thousands of employees as well as students . All of our contemporary peer institutions do the same.
Might I suggest: https://www.obdev.at/products/microsnitch/index.html
It probably helps if I explain what I linked...
Micro Snitch is a small MacOS toolbar application which runs in the background looking for system calls made to the camera or the microphone. It visually indicates when either are being used and logs the activity to a file for future review.
Do people who understand networking better than I do (i.e., almost everyone) want to explain how to universally prevent this localhost garbage? Like, some kind of firewall, combined with a simple command line trigger to open up a port when I actually want to? There's gotta be an open-source firewall for this kind of thing, right?
The notion that some random app can just spin up a server on localhost without my permission is completely insane. Also, this is why Gatekeeper, and the App Store "walled garden" are good---nothing should get the kind of permissions necessary to run a fucking localhost server that can reinstall a deleted app w/o user interaction!!
> The notion that some random app can just spin up a server on localhost without my permission is completely insane.
As far as I know any desktop app (userland code) can listen on a non-privileged port without permissions, on any desktop OS.
I’ve seen a few programs (like R) run web servers to provide documentation (although, the server only ran temporarily).
Even if you have the camera disabled (and I never gave camera permissions to zoom to begin with), it will still join a random stranger's meeting, which will leak your name (or whatever name you have configured). This may be important for some.
yup, shocked me when i noticed. changed the name and unchecked the 'remember name' feature. but it turns out that unchecking that will prefill the user account name, and next time the remember name feature is checked again. so that the only two choices are: either remember the name used last, or, if you uncheck it, have it fill in the account name.
Zoom’s UX has always come off as invasive. An application default that allows hosts to enable automatic camera join is an overstep, and the lengths they go to facilitate this while ignoring long standing, industry standard appsec guidelines to prevent XSS is relatively unsurprising yet hopefully not inconsequential to their enterprise customers.
Allowing the host to unmute participants is pretty invasive too. First time someone did that to me I was floored.
> Apr 10, 2019 — Vulnerability disclosed to Chromium security team.
> Apr 19, 2019 — Vulnerability disclosed to Mozilla FireFox security team.
Does anyone have any idea why there was a 9 day delay between disclosure to Chromium and Firefox teams?
I guess he reported to Chrome first because that’s what everybody uses, found their answer (or lack of answer) unsatisfactory, and then went to report to Firefox.
Here is how I fixed the problem for myself temporarily:
1. Quit Zoom.
2. Kill the ZoomOpener process.
3. cd ~; mv .zoomus/ .zoomus.off/
4. mkdir .zoomus && sudo chown root .zoomus; sudo chmod 600 .zoomus
Now, the Safari permission prompt will show up every time you click on a Zoom link.
It should be pointed that an empty directory (even if owned by root) placed in your home directory can still be deleted by you, without requiring root. You need to place a file into the directory.
Or if you want something drastic, run
as root. This will make sure that not even root can delete it.
That is actually true, just tested it. There is always something new to learn!
1 reply →
This worked for me...
In order to verify that the opener was running, I ran the following command.
ps aux | grep zoom
To kill the opener I ran the following.
killall zoom
Then I followed the rest of the instructions above to create a locked down version of the directory. You could also create a file called .zoomus instead (similar to the suggestions made farther down this comment thread).
UPDATE no need to do this any more. Zoom actually conceded they were wrong and pushed out an update that removes the local webserver: https://imgur.com/gallery/INvYaH4 (from the discussion below in the thread).
It appears that two of Zoom's competitors, Blue Jeans and Webex, also use web servers on localhost:
https://twitter.com/anthonypjshaw/status/1148470933901864960
Has anyone torn down recent-era Macbooks to see if the camera LED is still hardwired to the camera power and a reliable indicator that can't be software disabled?
I don't know what you mean by "still". Apparently it was software disable-able up to the 2011 mbps.
That's so terrible. Ugh.
I have Zoom installed on my Ubuntu 16.04 and its also vulnerable.
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_ifram...
This is even crazier, because a webpage could load the iframe or img tag lazily, long after the page has been opened and is in the background because the user left the tab open, and the user would have no way of knowing which page is responsible for opening Zoom.
Furthermore, in Chrome, the webpage can set a timeout which brings the browser window back into focus. So for example, if Zoom usually takes about 1 second to open, then the browser could set the timeout for 1100ms, so that zoom is only visible to the user for a split second before it's backgrounded with their camera enabled. Either of the following will bring Chrome back to the foreground:
The latter is a little less of an alert to the user that something has happened, since it could be used to reload the current page without the offending image or iframe tag, which would look to the user like the page just randomly reloaded itself.
If you do this audio-only there isn’t a telltale LED on the camera to give away that you are doing it. I’m way more worried about audio bugging than a webcam (which really only has the user’s face)
That's a hard problem to solve. An audio alert that the microphone has turned on would obviously be rejected by consumers, unless maybe some fancy processing were used to remove that alert sound from the recording. But even so, an audio alert would presumably only play once while the indicator light remains illuminated the entire time.
On the other hand while an indicator light is good for the camera, it's not sufficient for audio. If the computer is facing away from me, then the camera can't see me so my inability to see the camera light isn't that huge of a deal. But audio goes around corners so I could be recorded by a computer not immediately in eyesight.
If there were some reasonable third sensory channel to available for "out of band" communication, that would be ideal. But consumers will reject smell-alerts.
id much rather the zoom conference can't do anything unless I let it
A hacker could turn the light on and off before you even knew what to do about it. All they need is a picture of your face to do something nefarious.
This feels material, which is why I’m surprised there’s 0 movement in their stock price after hours. Why do you think that is?
Stock markets very rarely care about security, unless it's somehow front page news.
Investors would care if they thought Zoom’s customers cared enough to switch. I personally think this is terrible, but investors don’t seem to think Zoom’s customers care enough to change to a competitor, which makes me second guess whether or not this is actually a big deal to large customers.
1 reply →
Tavis Ormandy joked about buying those dips because of this and I really don't think either of you are wrong and I might start doing it myself.
If a company’s stock drops after a major vulnerability, you should buy. Equifax exposed everyone’s financial data and their stock is back above their pre-breach price.
Can’t Zoom add their own simple prompt to the local server which gets confirmation from the user that they want to join the meeting? Just one more click and not “nasty”.
It could even be 4 different Join buttons:
- Video & Audio
- Video Only
- Audio Only
- No Video or Audio
Without the local webserver, they fall back to Safari's URL handler, which asks whether or not you wan't to start the application in question.
They went through a lot of trouble to implement this ridiculous solution to avoid the kind of thing you describe.
Which is why they're doubling down on not fixing it.
I mean _with_ their local webserver, can they implement their own, simple confirmation of some kind?
2 replies →
No amount of security features can rival a small piece of black tape over the camera.
It also makes crypto-phishing (you've been recorded doing X, pay Y BTC) much harder to fall for. Where software could (and eventually will) be compromised, the attacker would have to physically access the machine to remove that tape.
One assumes that this activates the green camera light? It's not perfect but I can't imagine not noticing that it had come on.
Not that it helps if you're, ahem, in the middle of something when the nefarious 3rd party opens the line.
AFAIK the light is controlled by the camera's firmware. So unless someone is able to hack that, the light will always turn on with the camera. That said, even Zuckerberg has sticky tape over his camera.
Most of the affected users won’t be able to uninstall the Zoom client in a clean way:
https://apple.stackexchange.com/questions/358651/unable-to-c...
I could not get rid of the client in my process list for weeks and regretted installing it.
I will try the fix mentioned at the end of the article now (first killing the webserver).
They will have a hard time regaining users trust.
Just this morning we were on a Skype for Business call which, predictably, was a hot mess. We mentioned Zoom. I was on their home page. I was this close [ ... ] to installing it.
Now? I hope you're reading, Zoom. No chance now.
The bash script shown in Edit 2 and in the gist linked in the comment are guaranteed to wipe out unrelated files.
I'd be really happy to see:
a) Apple removing Zoom from the App Store (at least for a fixed amount of time before they patch* this nightmare up), b) releasing an update to MacOS that breaks Zoom's server completely (I know, I'm asking for too much here).
*talking about patching is a bit exaggeration here because this is not a bug this is a fucking trojan disguised as conferencing app, I'd truly truly block them from App Store for that, as a fellow developer I'm writing this with heavy heart but the incompetency of Zooms developers is enormous here, CEO can say anything he want but I'm pretty much sure it's impossible he was not aware of the fact how the core of his product works. It's not even unethical, you really have to have no imagination to do something like this.
Also - there's a different issue - Macs seem to be pretty solid when it comes to security but looks like ANY installer can just spin up web severs on our machines and we won't even know? I'm just a simple developer, not a devops, how can I prevent this in happening in the future? If they did it once they will do it again. And if not them then someone else. Any hints? Should I scan my ports every morning and see what can go through every single one of them?
It's been a while since I've been a Mac user but I used to use an app called 'Little Snitch' which would notify you about outbound traffic, perhaps it has a mode that can do something similar.
Why isn't the Windows client vulnerable? What have they/Microsoft done differently?
Safari asks you if you want to open an app that owns a URL scheme to prevent webpages from automatically triggering behavior you might not want.
Zoom decided they know better than the Safari team and decided to install this local webserver specifically to bypass the operating system's security policies, supposedly because "it is their key differentiator" or whatever.
Basically their product managers decided they wanted it to work a certain way and demanded someone do whatever nasty hacks were necessary to make it happen.
It turns out their nasty hack doesn't set the proper CORS policy so any random webpage can force you to join a meeting.
It also turns out they don't do what mac apps are supposed to do: keep this crap inside the app bundle so dragging the app to the trash effectively uninstalls everything. Instead they install to ~/.zoomus, don't document that fact, and if you hit a zoom link after "uninstalling" they automatically reinstall themselves.
Oh and they let the registration for one of their domains expire and nearly lost control of it, which would make this a RCE because their client doesn't do anything to validate their update packages as far as anyone can tell.
I think that about covers it?
you forgot one more thing: they don't distribute their crap as a regular self-contained .app, they give you a .pkg which asks for elevated privileges during installation (this is why I don't have it installed)
3 replies →
Those little tricks to make things easier is why it's popular and why they're currently valued at $25,000,000,000 (though that should go down quite a bit tomorrow, still just an insane number for a company with $8m in annual profits).
Does this work in the Tor browser to launch the zoom client and expose your identity?
edited: after some research it is clear that this would work in the Tor browser. So if you are logged into Zoom using your real ID a malicious Tor site could launch the client and harvest your name. And if you are only using the browser bundle (and not routing all traffic through Tor) Zoom and/or Zoom+government could use this to expose the real IP of tor users.
"Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day."
So... what's the best way to really really uninstall Zoom client from our Mac?
It's mentioned in the article. After uninstalling the main application, you also have to kill the helper app named ZoomOpener. The article gives some Terminal commands to do this, but you should be able to find it in Activity Monitor if your more comfortable there. Once you kill ZoomOpener, remove it from the list of Login Items in System Preferences -> Users & Groups. Lastly delete the folder called .zoomus from your home directory. You can do this in Finder, but it'll be hidden by default, so you'll have to use Go -> Go to Folder... or some other trick to expose it.
Now go explain that to the folks in Marketing.
1 reply →
I would highly recommend visiting the proof-of-concept link, which is a Zoom videoconference hosted by the author full of people testing it out.
The first time I installed Zoom, I opened up a pkg (an Installer package) and Installer said this package wanted to run a script to determine whether or not it can be installed. Usually this is for checking system version or some other harmless action. But for Zoom, this script immediately installed Zoom itself. I immediately thought something fishy was going on.
Ok here's the thing. Open Google Hangouts, or any other website that asks for permission to use your webcam, then close the tab. Go to terminal check if VDCAssistant is running using `lsof | grep -i VDC` it returns that it is running. I've had this issue since 2015 so I'm glad someone is talking about this now.. Is it just me?
That seems like an OS daemon specific to the built in webcam.
https://www.cnet.com/how-to/fix-no-connected-camera-error-on...
> When you run a program that uses your Mac's webcam, OS X will launch a background process called VDCAssistant, which manages the connection and control of the camera. While this process should quit when the program stops using the camera, it may persist if an error occurs, and prevent future connections to the camera, either by the same program or by others.
What’s the issue? That VDCAssistant keeps running for a bit?
> Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
A workaround to legitimate Safari security improvements.
I hope the Wall Street Journal and CNBC skewer this company and shred the stock price.
Zoom is why my shiny 27" Retina iMac is decorated with a small square of black electrical tape.
It always makes me wonder why people keep tape on camera sensor but don't care about microphones. Maybe I'm wrong but I think things you and other people around say can be of more value to the attacker than what you do or how you look like.
I choose white for mine! It matches better I think. :)
Apologies in advance if someone has already commented about this, but it would appear that Zoom removed that local web server feature for the MacOS version a few days ago:
---
Current Release July 9, 2019 Version 4.4.53932.0709
New and Enhanced Features
-General Features
--Option to uninstall Zoom Zoom users can now uninstall the Zoom application and all of its components through the settings menu.
-Resolved Issues
--Removal of the local web server Zoom will be discontinuing the use of a local web server on Mac and will be completely removed from the Zoom installation. --Minor Bug Fixes (https://support.zoom.us/hc/en-us/articles/201361963-New-Upda...)
> [UPDATE 2:35 pm PT, Tuesday 7/9] The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.
--
Looks like Zoom have decided to remove the Web Server from MAC and pushed out an update directly to the clients (before this, you couldn't get the Zoom Client to check for updates automatically) - The popup appeared post meeting.
https://imgur.com/gallery/INvYaH4
Btw Zoom is also reinstalling itself one minute after uninstalling it. Made a video of it here: https://news.ycombinator.com/item?id=20390755
The sad thing is that Zoom will probably get away with not fixing this, or fixing it much later than they should.
If you look on Twitter, anyone that has complained about this (huge) vulnerability is being redirected back to their blog post.
To make things worse, most non-technical users that have caught onto these posts are replying to say "thanks for sorting it out!"
This wouldn't be the first time a company sweeps a data leak or vulnerability under the rug. I remember when the Panera Bread stuff kicked off, and all they had to do was bury their head in the sand and wait for the storm to pass. There's currently a lawsuit in progress, but will that happen for a vulnerability like this?
I always thought it was paranoid to keep tape over your webcam, but this makes a pretty good case for doing that as a last line of defense.
I also want to express my complete disbelief that Zoom basically installed a back door on all its users' machines. It's hard to imagine a competent engineer not understanding the security implications of building something like this. I have no special security expertise, so when I see an exploit that I can actually understand it scares the living daylights out of me. In this case just about anyone with a web page can trigger this Zoom vulnerability.
In this day and age, I wish Apple and other laptop manufacturers had a hardwired power switch on the camera.
Does anyone know of any working alternatives? We use Zoom a lot, it has the most hideous UI and the worst UX but so far it's been the only video platform that reliably works with tens and hundreds of attendees.
Jitsi Meet [0] is the simplest video conferencing solution that I have ever come across. To use it you go the website (or the mobile app) and that's it.
You have a free, private, end-to-end encrypted, efficient, multi-participant video chat which allows screen sharing and shared document editing. It works on every modern browser, you don't need to create an account, and you don't need to install an app (except maybe on mobile OS's). It's open-source and you can run your own server.
[0]: https://meet.jit.si/
appear.in has worked well for me in the past.
It looks like RingCentral phone / meeting service may be tied up in this also.
FTA, one step to clean this up is:
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;
RingCentral and Zoom have a multiyear partnership.
https://www.ringcentral.com/whyringcentral/company/pressrele...
Searching my Macbook using to see if I have this on my machine using lsof, I found that I did not have it. But there is a suspicious "Adobe Desktop Service" listening on localhost:15292. I wonder what sort of fun things that would enable a random website to run on my machine. I don't even use Abode products, willingly, on this machine. Though I probably have installed at least one in the past.
I'm no infosec expert, If I wanted to figure out more about what this process was up to, how would I go about it?
One thing they were right about was this being "Standard Practice". Even spotify is doing it https://twitter.com/braintube/status/1148645026936827905.
So how does one remove these from their machine ? I can kill the process but it will just start again when I restart the machine. Also how do they do this ? I thought all startup items will be shown under Login Items in System Preferences.
Sooo... this is still vulnerable?!
Yes. Try this link from the article to see it in action if you have (or had) Zoom installed: https://jlleitschuh.org/zoom_vulnerability_poc/
WARNING, this will open a video chat with random strangers, and will turn your webcam on. Consider yourself warned!
If you want to test it without using your real webcam, I recommend CamTwist [1]. The author is in the group video call now. I joined for a short minute, and was relieved to see that my real webcam wasn't being used.
Normally I use CamTwist so I can write subtitles on top of my video feed when chatting with my gran. It seems it's also a good layer of extra security!
[1] http://camtwiststudio.com/
WARNING, this will open a video chat with random strangers, and will turn your webcam on. Consider yourself warned!
Amusingly enough, this actually exists as a product:
https://en.wikipedia.org/wiki/Omegle
(Edit: just noticed it's already been around for over 10 years. That's rather amazing.)
HOLLY SH*T! This is insane.
Personally, I do not think so.
I did a test with myself and a coworker. I’m using macOS 10.12; he’s using 10.14. We both have up-to-date Zoom clients.
In our Zoom clients, we both already had the “Turn off my video when joining a meeting” box checked.
I set up a meeting, with participant video set to On, as the article describes. I took the new Meeting ID, launched Zoom, and joined my new meeting. I then sent my coworker the join URL using Slack.
My coworker clicked on the link, which opened the URL in Safari. Safari asked my coworker if he wanted to launch Zoom. My coworker confirmed that yes, he wanted to launch Zoom.
My coworker’s Zoom client did _not_ automatically start video. I never saw video come in from him.
> In our Zoom clients, we both already had the “Turn off my video when joining a meeting” box checked.
I believe this is one of the mitigations, which is why it didn’t work.
4 replies →
I just received this message prompting me to "Update now."
Release notes of 4.4.53932.0709:
## Remove local web server
- We are discontinuing the use of a local web server on Mac devices. Following the update, the local web server will be completely removed from the Zoom installation Option to uninstall Zoom
- Zoom users can now uninstall the Zoom desktop application and all of its components through the settings menu
I just got an update! Good job Jonathan Leitschuh!
Release notes of 4.4.53932.0709:
Remove local web server
-We are discontinuing the use of a local web server on Mac devices. Following the update, the local web server will be completely removed from the Zoom installation Option to uninstall Zoom
-Zoom users can now uninstall the Zoom desktop application and all of its components through the settings menu
Huge kudos to the author for finding this security hole, reporting it responsibly, and then posting such a clear writeup.
Here's a small script you can run to mitigate the issues described in the article: https://gist.github.com/notmyname/824db39350e3d39496de2ea930...
How do you recommend uninstalling this?
From the article:
> To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files.
> To prevent this server from being restored after updates you can execute the following in your terminal:
rm -rf ~/.zoomus
touch ~/.zoomus
note the last part where the directory is removed (~/.zoomus) and touch creates a file ~/.zoomus. I am assuming a re-install will fail because it cannot create a directory again when there is already an existing file.
My guess is that if sometime in the future you want to use zoom again, the install will fail until you remove the file ~/.zoom
I did this: 1. killed by process name, and zoom app will 2. fail to start its opener and 3. fail to reinstall it:
4 replies →
Not sure why he didn't just give us
6 replies →
macOS and iOS both support custom schemes, and have done forever. What feature does Zoom actually want?
Not having to cede control of the experience to the system, presumably.
Not having to cede control to the user. If the user wanted/wants your software they know how to install software at this point. They also have a much better mental model of what that means.
Yeah. That's why I bought a webcam cover. I highly recommend if you don't have one already.
It looks like it can also happen if you simply open an HTML email with Apple Mail: https://twitter.com/funjon/status/1148464952480374784
This is thoroughly disappointing, given that Zoom is among the few popular conferencing programs that aren't complete garbage for Linux users. Thankfully the Linux client doesn't appear to be affected AFAICT, but this is trust-shattering nonetheless.
Is anyone noticing that port `19421` no longer has anything listening on it? We are noticing some machines suddenly stop listening on this port but they have not downloaded any update. In zoom patching the running web server without user interaction?
They reversed course a couple of hours ago: https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-pa...
The odd thing is we are seeing this on clients that have not updated. So in this something they are controlling remotely?=
Surprised something of this magnitude seems to have 0 impact on stock price after hours.
It is not possible to hack these:
https://www.amazon.com/HTR-WCB1-Web-Camera-Blocker/dp/B00595...
They responded not to fix it which is unusual
https://blog.firosolutions.com/exploits/zoomtozero/
A few of our team had the Zoom app installed, but no-one had a running webserver on that port. None had used the app in a long time though.
Was this maybe added in a recent version, and perhaps they just haven't updated?
https://twitter.com/FiloSottile/status/1148587616243204096
I'm surprised that Mac doesn't have a built-in firewall that warns if an app installs something that listens on a port. They advertise OSX as being "secure by design."
The built-in firewall does exactly that. It may not do that for things that only listen on localhost, though.
FYI: I was able to reproduce the issue with the Linux client as well.
Why don't people just use the web based Zoom client? I do this exclusively, have done so for a few months now.
One of the main features of a browser is to provide a secure runtime.
There's a web client?
I'd guess the reason is that, if you don't have any of the native apps installed, and you click a Zoom meeting link, the browser will download the native client installer. There's no mention at all on the download page that there is a web client.
My job requires me to use zoom for communications – is there anyway I can run zoom in a container or something, so that when I kill the app all traces of it are gone?
Note that the server persists after the app is removed, so there’s that as well.
Follow on: What are they talking about regarding custom url handlers? That’s a standard OS X feature...
Ok, so the article says
"According to the Zoom team, the only reason this localhost server continues to exist is that Apple’s Safari doesn’t support URI handlers."
Which is simply wrong. macOS (and i*OS) have supported custom URIs forever. What feature are they wanting? Do they want random websites to be able to install URI handlers?
They want to be able to re-install zoom for the user even if they have deleted it from /Applications.
GoToMeeting and Zoom are two things I always insist not to use. There are perfectly acceptable online-only counterparts that don't need to infect my computer.
I'm curious what your objection is to GTM. I've been using it for a decade and have really come to see it as the only reliable option for us.
Its installs are not incremental. How many versions of GTM are currently installed on your computer? Last time I cleaned it up, I had six.
Would be interesting to see a list of software that installs a local server (http or otherwise) and whether or not it typically runs in the background on startup.
This is ridiculous. I am cancelling my Zoom subscription.
What blows my mind the most about all of this is how such a successful company has managed to engineer such a shitty solution to this very common problem. I’m not even speaking from a security standpoint (which is a catastrophe) but this feels like some holier than though neckbeard wanting to literally reinvent the wheel on everything. Encoding enum’s as images served from a local web server with various pixel widths??? You can’t make this up. I never liked their UX and now I guess I don’t like what’s under the hood either. Good riddance.
Have been using Zoom for the last three yeara and I have recommended it to a lot of people.
Seeing how they handled this accident I will never recommend them again.
Messing up your decoding for weird unicode characters in your text message app is an accident, but this one wasn't an accident.
The title is click-baity. What it allows is a website to automatically join you into a meeting with the camera enabled and without you asking. So it's annoying, but it doesn't let a website secretly grab your video without you knowing.
The reason webrtc has permissions per site is because webrtc can indeed grab your video without you realising, so it's important to give each site permission to use your camera. This isn't the case with zoom...it pops up a massive window when you enter the meeting.
I don't even know why laptops have cameras. Do you really need to see someone for a conversation? Mine's permanently taped.
Blown out of proportion. A real vulnerability I wish was handled more seriously. But at the same time, even after I “fixed” the vulnerability, my preference in Chrome to always open links for zoom, with zoom, made it nonsense. The problem is with lax browser security and CORS as a product “feature”.
It is worth underscoring that the only reason this vulnerability exists is because Safari forced appropriate prompts? Zoom hacked around it, and got away with it. That’s on browsers to fix.
brew zap formula[0] worked for me to uninstall the listener..
brew update && brew cask zap -f zoomus
[0]: https://github.com/Homebrew/homebrew-cask/blob/master/Casks/...
I added this to my uBlock Origin filters and it has fixed it:
If you must use Zoom and you use GNU/Linux, run it under firejail.
With firejail you can sandbox anything.
Nothing can beat piece of duct tape
I know it's said in jest but the trusty screwdriver lays itself in a lot more permanent solution.
If you want to be taken seriously, don't include these dumb images in your post.
Zoom allow iframing the join page as well? Why are they not seeing X-Frame-Options‽
Luckily I use Pi Hole I just Blacklisted zoom.us and zipow.com
What about Audio? Can this be used to exploit that as well?
Long live the App Store - developers, customers, Apple.
If you're interested in seeing if you're vulnerable to this, visit this website: http://zoomzeroday.com
...no thanks. The author already mentions links you can use to check literally no reason to advertise this unless you, OP, are being malicious and/or didn't read the actual article.
I did read the article, and I don't have malicious intent. I was just trying to make a more easily sharable URL for people trying to test if they are vulnerable. I include links to the medium article and an update that there is now an update released to fix this web server issue.
I've lost all trust in Zoom
Might also affect Discord
It's pretty convenient for Zoom that this occurs after the IPO.
just came to say: lol
Jesus Christ
Note: "Zoom" is a videoconfrerencing app, not a built-in Mac OS accessibility feature for "zoom".
The article does not clearly state this, ceding a plain English word to a corporation, enabling a takeover of human language.
P.S.: This part
> Apr 26, 2019 — Video call with Mozilla and Zoom Security Teams
is funny, and would be way funnier if it was an non-consensual video call.
Finally, note that Zoom effectively does not pay for bug bounties, so researchers should think twice about donating their expertise to a selfish for-profit corporation, and users should think twice about using a videochat product that allows its entire security team to take blackout vacations, and also doesn't pay its outsourced sercurity researchers.
Finally, note that Zoom effectively does not pay for bug bounties, so researchers should think twice about donating their expertise to a selfish for-profit corporation
I've read this a few times and am curious if this has really become the prevailing view about what security researchers are doing (i.e., uncompensated labor) when they notify vendors about security vulnerabilities.
The traditional view (which I think was widespread in the 90s or whatever) was that engineers who find vulnerabilities in products have a special responsibility to the public, and owe a duty to the people at risk: the users of the product (or whoever would be harmed if the vulnerability were exploited to malicious ends). Just like if you used your training as an engineer to discover that the Bay Bridge had a structural flaw and that drivers were at risk (or, in the case of Diane Hartley, that the new Citicorp Center had a design flaw and officeworkers were at risk). And this duty can be discharged a few ways, but often the most efficient way to help the people at risk is to educate the vendor and keep on their ass until they fix the problem in a free update. If the vendor pays you, fantastic, but you shouldn't accept payment that would prevent you from discharging your duty to the people actually harmed by the vulnerability's existence (e.g., if you take the vendor's money and it comes with an indefinite NDA, and they never fix the problem and the users remain at risk of being harmed by bad actors forever, you have not behaved acceptably as an engineer). This view probably emerged at a time when bug-finders mostly had salaried jobs and were privileged not to have to depend on payments from the same vendors they were annoying with information on their product's flaws.
A newer view (probably informed by bug bounties, etc., and also a broader community of people doing this stuff) seems to "no more free bugs for software vendors" -- that researchers who find vulnerabilities in commercial products are producing knowledge that's of value to the vendor, and the vendor ought to give them compensation for it, and if the vendor doesn't want to do that, the researcher would basically just be doing uncompensated labor to give it to the vendor, and is free to go sell the fruits of their discovery to somebody who does value their labor instead. Even if that means selling the bug to unknown counterparties at auction and signing a forever NDA not to tell anybody else.
The first view is mostly what we teach students in Stanford's undergrad computer-ethics course and what I think is consistent with the rest of the literature on engineering ethics (and celebrated examples like Diane Hartley and William LeMessurier, etc.), but I do think it seems to be out-of-step with the prevailing view among contemporary vuln-finders. I'd love to find some reading where this is carefully discussed that we could assign students.
I can't imagine selling bugs to the highest bidder ever becoming ethically acceptable. You can't pretend not to know that the high bidder is probably a cybercriminal. If you do this, your hat is clearly black.
Once upon a time, vulnerabilities were just nuisances and people could justify some gray-hat casuistry when the damage was just some sysadmin overtime to clean up. But now there are serious organized crime rings and rogue nation-states using vulnerabilities to steal and extort billions and ruin people's lives.
It's OK to choose not to work on products with no bug bounties, but if you do find a bug in one you must disclose it responsibly.
1 reply →
The first view meets some sort of ideal (I guess) but causes all sorts of free riding problems. In larger society these sorts of problems are solved through regulations. For example if someone identifies a structural vulnerability in a bridge, the agency in charge of the bridge has a legal obligation to take steps to fix it. That sort of regulation doesn't exist in software land.
The second view as you describe it (selling to the highest bidder) is clearly black hat, but it is completely ethical for a researcher to disclose a vulnerability to the public if the vendor doesn't fix it in a reasonable amount of time. So Project Zero and this disclosure are both fine. Yes, ordinary users may be harmed in the crossfire, but the vendor should be liable for damages.
Beyond just a prevailing "view", this duty to public safety is actually explicitly codified in the laws and regulations of most professional engineering organizations. To act otherwise would be a) unethical and subsequently b) grounds for loss of license to practice.
1 reply →
I would say the 'first view' you've described is what the bulk of professionals in the information security industry would still espouse as the ideal.
In my opinion this second view you are observing is carried by a vocal minority of participants in bug bounty programs and would be good fodder for a computer-ethics course.
They’re donating their expertise because, yes, this research is extremely valuable and important, but the vendor should obviously be paying for it.
I feel like selling bugs to the highest bidder is usually ethically questionable, no matter how “new” your viewpoint is.
>The article does not clearly state this, ceding a plain English word to a corporation, enabling a takeover of human language.
The English language can handle it:
proper noun
- A noun belonging to the class of words used as names for unique individuals, events, or places.
- A noun denoting a particular person, place, organization, ship, animal, event, or other individual entity.
- A noun that denotes a particular thing; usually capitalized
>The article does not clearly state this, ceding a plain English word to a corporation, enabling a takeover of human language.
I agree with your outrage, but you have a long way to go. That sort of behavior is the soup du jour of SV the past ten years or so.
Keep fighting the good fight. I've given up, but I hope you win.
10 years is nothing on the scale of language development, and SV is nothing on the scale of the English-speaking world :) Fear not, I bet there aren't enough words to go around for this to be a big deal long-term.
> Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
They seem to pay bug bounties if you agree to keep it down.
that's not a bug bounty, that's reputation management
1 reply →
> The article does not clearly state this, ceding a plain English word to a corporation, enabling a takeover of human language.
English usually wins.
It's pretty well known in white hat circles that Zoom has a paid private bounty program through one of the "big 2". I know several who have got paid. Say what you like about non-disclosure, but it is the reality for most programs. We can disclose for pay, or disclose for fame, but usually not both.
I've lost all trust in Zoom at this point
(prior reply deleted once I read about the fucking local webserver & phantom reinstallation bullshit. Fuck zoom.)
It's ridiculous to install a constantly running web service that uses tricks to circumvent CORS protection and to get around Safari's protections, which were both rightly created to improve user's security.
It's not a "so-called vulnerability". As the article describes, this could be used in concert with another vulnerability to achieve RCE. Combining vulnerabilities is often how RCE is attained.
These actions undo the thoughtful work of information security professionals to protect users. It's astonishing to me that people can't see what's wrong here.
12 replies →
Jonathan pointed out something important on the chat last night. In many cases, the auto-join is a vulnerability it itself even if the video doesn't turn on.
It allows the attacker to potentially unmask your identity if you are logged into Zoom. When you join the call, you will show up in the participants list.
This is definitely something that you would not want to happen on various parts of the web. It kills your ability to browse privately.
> But insisting Zoom change the software because it's possible some doofus might be duped into joining a meeting with someone is kinda ridiculous, IMO.
In my experience (the energy sector), most of the people I interact with on Zoom would definitely fall for joining some random meeting that popped up. They are incredibly good at their field of expertise, but certainly doofuses when it comes to knowing how to click on things in zoom.
> the Zoom client starts up. It'd be hard to miss
They already have you on video at that point. The summary above is very fair, there's no point trying to throw more PR at this problem. Ignoring other issues and focusing on the main point: They need to increase security by a huge amount by implementing a simple dialog with "Yes" not selected as default. They also need to communicate why they did this to their users and be honest.
And WebEx and Bluejeans, too?
It's a fantastic piece of software I use daily, so I'm inclined to give them the benefit of the doubt before joining an internet pitchfork mob.
If you qualify software that performs such a blatantly awful/wrong practice as fantastic, then you I'm afraid you need to redefine your views of what constitutes software.
This is a truly heinous design and should be lambasted as such
as demonstrated, "responsible disclosure" is a huge time waster for the discovery, and the price of this is undervalued even if the company had a clear bug bounty program.
its more valuable than 90-days of a developer's time, not even correlated to time at all really
I guess this depends on your definition of responsible. Something like this however is bad enough that users should be informed right away so that they can take steps necessary to secure themselves. Assuming they were responsive I'd have given them the 10 days to confirm it was an actual issue, but I'd have expected them to notify the pubic and their users of the issue and mitigation steps within a week.
> users should be informed right away so that they can take steps necessary to secure themselves
For the record, this could be accomplished by a trustworthy source announcing "there is a critical vulnerability in Zoom's macOS software and you should uninstall it immediately pending vendor response". Some researchers do this already -- Tavis Ormandy has, for example.
It's not a binary choice between no disclosure and releasing an unpatched PoC.
By the way, I'm not trying to argue that this researcher behaved unethically, just sharing another option. My usual take is that the researcher gets a lot of leeway for having to make a difficult decision and presumably trying their best to balance consequences, similarly to how a pilot trying to land an emergency plane has great discretion in how they do so.
3 replies →
https://arazilatop.blogspot.com/2019/07/thadaka-2-full-movie...
Click on the app icon, hold, move to Trash.
It is mentioned in the third paragraph already, highlighted in green. They don't offer a method of clean removal to their users. They run a web server on your machine that will reinstall Zoom on your macOS whenever it is convenient for them (secretly, without asking you first).
See here: https://apple.stackexchange.com/questions/358651/unable-to-c...
That web server is exploitable, as explained in the article.
Note that most Zoom users (probably lots of business people) won't be capable of following the uninstall steps necessary at the moment..
Now, notwithstanding what I posted above, THIS is fucked up and inexcusable.
I do NOT appear to have the web server running, but I did have the ~/.zoomus folder and the ZoomOpener app there.
Is this because I'm scrupulous about killing LaunchAgents and LaunchDaemons?
2 replies →
Which isn't actually enough, since the surreptitiously installed server will happily go and reinstall the Zoom client for you whenever you load a zoom link, or a malicious link. You have to kill the server, and remove the ~/.zoomus directory as well. This is all pretty damning to be honest.
I would have loved to be a fly on the wall of the meetings where that policy was designed and approved.
Did no one at all speak up and say "hey, running secret webservers on obscure ports without telling the user is shady stuff"?
Just to be sure, I don't think that's enough. You might want to kill the running process and remove the binary (as described under "Quick Fix" section in the blog post)
Leaves behind an exploitable web server on localhost
Not an option if your employer uses Zoom for all of its internal and customer-facing meetings.
... and delete the webserver from the background
The article’s actual title is: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
But, assuming I’m reading it correctly, the “maybe an RCE?” part seems like fear-mongering, because it would require that Zoom lose control of one of the domains that they trust for transparent client installs/upgrades.
I’m also a little concerned about how some parts of the article don’t match up. For example, the “UPDATE: June 7th, 2019:” does not have (as far as I can see) a matching entry in the Timeline. There is an entry for July 7, noting a regression; but there is an update the next day (July 8) noting that the regression has been fixed.
Dangling domains happen all the time. As long as the main one that's actually used is still controlled by the org, others can quite easily slip through the cracks, not renewed while still present in the codebase.
Indeed! It's not even a hypothetical in this case. According to the article, Zoom was just 5 days away from letting one of the domains expire when the author told them.