Comment by seandougall
6 years ago
> This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine. I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely. Come to find out, it really hadn’t been implemented securely. Nor can I figure out a good way to do this that doesn’t require an additional bit of user interaction to be secure.
Does anybody understand (and have a moment to explain) why the author says this is difficult to do securely? macOS has a simple facility for handling custom URL schemes, so my impulse would be to have `https://zoom.us/j/492468757` do a server-side redirect to a URL like, say, `zoomus://492468757`, which would launch Zoom locally using the OS's built-in services. This wouldn't require a third-party daemon of any sort, and would just be a regular application that the user could trivially uninstall.
Is there a security hole there that I'm missing? Or have I misunderstood the author's point?
A custom URI wouldn't work as seamlessly as zoom's UX team would have liked. If you hadn't installed zoom, either a nasty message would tell you the protocol wasn't supported, or it would redirect you to a google search.
Their answer was to send people to a URL they controlled and brought you through the install process as easily as possible, but the issue they needed to solve was determining if you needed to have an install or just redirect to the app.
They broke so many security rules just to shave off a few inconvenient seconds, and those seconds rose them to the top.
Am I the only one seeing the pattern here. Most security loop holes I have witness have existed at the cost of providing a better user experience.
This is the security - usability tradeoff and is as old as the hills.
6 replies →
This is the pattern of applications continuing to be deeply flawed and heavily advertised as long as you can be bought for a billion by IBM/Microsoft/Google/Facebook/TechOverlorfOfTheYear and finally get into a stable enough state so that they can be part of the infrastructure when a full-features open source version emerges.
Ah, yeah, the flow for when the app isn’t installed makes particular sense (at least as a motivation for why someone would implement something so awful). Thanks!
If you want to really break down their viewpoint on the situation, lets translate their PR statement line by line:
> Zoom believes in giving our customers the power to choose how they want to Zoom.
Zoom believes if their app isn't convenient to use, their customers have the power to leave their ass, as they are in an incredibly competitive market.
> This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting.
This includes making sure that they aren't asked to provide confirmation to access their camera/microphone, which impedes the convenience of the app to all participants. Less clicks equals less thinking.
> Such configuration options are available in the Zoom Meeting client audio and video settings.
Stop complaining about this as we have given ourselves a legally compelling user defined control hidden in a single tab deep within our preferences.
> However, we also recognize the desire by some customers to have a confirmation dialog before joining a meeting.
We can tell you aren't going to drop this.
> Based on your recommendations and feature requests from other customers, the Zoomteam [sic] is evaluating options for such a feature, as well as additional account level controls over user input device settings. We will be sure to keep you informed of our plans in this regard.
We don't care. We have lots of users, and lots of success having this option turned on by default. The support costs alone telling non-technical people how to turn on their cameras don't make it worth it.
13 replies →
> The UX team
You seem to imply that they have an UX team but not a security team, so nobody convinced anybody else that this wasn't a good idea.
Without genuine security orientation, even if an expert realizes there is a security problem, who wants to be the boring paranoid pessimist who wastes time and attempts to ruin products, only to be staved off by the efforts of more productive employees that focus on adding value?
A sustainable company isn't built on velocity, lack of conflict, and willful ignorance.
Decisions need to be made between strong opinions about the right path forward. There needs to be balance and respect between these aspects.
Reading the PR statement, I highly doubt the people who have those strong opinions about security are being given a fair voice. They are probably there, but they have zero power to change anything within their product.
2 replies →
The article indicates they have a "Security engineer" who was OOO when the author first contacted Zoom.
So yeah, sounds like one human, and it sounds like she/he probably doesn't have much say.
I have some experience with this, you can use javascript on the https:// meeting link to detect if the app protocol (zoom:// or whatever) exists. If the app protocol exists then go straight to the app protocol link. If it doesn’t then prompt the user to download and install Zoom. The JS is a bit messy and requires a few different approaches but it works on all popular browsers on Windows and Mac (Linux support wasn’t needed, so not sure).
Of course, the browser will pop up a confirmation dialog to ask if you want to open the Zoom app but this is a feature not a bug.
Citrix Workspace does exactly this and it works fine
The basic problem is that you enter a meeting by loading a URL, and loading URLs is something any website can do. There probably needs to be a confirmation step before joining a meeting.
A custom URL scheme would at least provide an opportunity to confirm launching Zoom, even if Zoom itself didn’t confirm joining s particular meeting (which I agree it should).
They put this in place precisely to avoid Safari's "Do you want to open this in Zoom" confirmation prompt
Once you deleted the localhost server they have running, they actually fallback to using the protocol.
Yes, verified. Terminated and deleted ~/.zoomus, links to join Zoom calls still open, but I am prompted to open Zoom first.
i didn't see that. for me it just failed and to join a meeting now i need to open the zoom client and copy the meeting id manually. not a big deal for me, just wondering...
Can you reliably delete the server?
Yes, you just need to
The opener is the only thing in that directory.
below down the post, zoom team said that this feat exists because Safari doesn’t have custom url scheme.
I've opened up Safari and it properly asks me if I want to open slack when using: slack://test
When I clicked the PoC link in Safari, it launched the Zoom app using a URL scheme. ("open in ...?" dialog put up by Safari)
Oh, yeah, I missed that. That’s patently false.
That’s just false. Safari opens custom URIs.
If Universal Links was supported on macOS we could get the best of both worlds.
The web server basically presents meta-data in a JSON-file (in the .well-known directory) which Safari/iOS uses to launch the app if it is installed, and otherwise just renders the webpage [0].
The app contains information about which domains it allows itself to be opened from which would fix this issue.
[0]:https://developer.apple.com/library/archive/documentation/Ge...
Universal Links will be supported on macOS Catalina. Reference: https://developer.apple.com/videos/play/wwdc2019/717/
Universal Links are better than their localhost webserver insanity, but don't really solve this. A malicious website can still redirect you to a zoom.us URL that will instantly join the meeting without confirmation.
The underlying problem is that they want a URL to join a conference call hosted by any random user and share your audio/video without confirmation. And it's simply not safe to trigger that kind of action from a URL.
Yes, I agree that's the underlying problem. Regardless of how the URL is opened it shouldn't behave that way.
However, I do think that Universal Links doesn't work with redirects, consider: https://bit.ly/30oxOdO vs https://twitter.com/ycombinator (tap using Safari on iOS with Twitter installed).
EDIT: Turns out I was misinformed...
> why the author says this is difficult to do securely? macOS has a simple facility for handling custom URL schemes
So does all other operating systems and this has been a thing for at least a couple of decades. This is not the problem.
The problem is that this feature is severely locked down in all modern browsers, precisely due to the security risks involved.
Relying on this feature in a critical user interaction path is a guaranteed way to get flooded with support-requests.
Disclaimer: have replaced custom protocol with other solution in end-user facing production projects.