A serious security flaw in the Mac version of conferencing software Zoom can hijack webcams, but also leave users vulnerable to phishing and DOS attacks.
The flaw takes advantage of Zoom's click-to-join feature. The exploit can force users to join a conference with their webcams enabled, without their permission, if they click a special link in their browser.
The security issue occurs because Zoom installs a local web server that runs in the background on Macs. But this web server has poor security, and any website that a user visits can interact with it and make changes to users' machines. Worryingly, even if a user uninstalls Zoom, the web server remains active and can be used to reinstall the Zoom client when a user visits a webpage.
Security researcher Jonathan Leitschuh, who discovered and reported the vulnerability, warned that this could be used for two types of attacks: users could be lured into meetings with their cameras turned on, in order to gather information for phishing attacks, or users' machines could be the target of Denial of Service (DOS) attacks by sending repeated junk requests to the local server.
Traditionally, desktop and web applications are sandboxed to prevent this kind of cross-communication. When Zoom was made aware of the security issue, it released a quick fix solution which saved users' settings for whether video is enabled when they join a call, so users can at least have their cameras off by default. However, the fix did not address the underlying issue of the insecure local web server.
The company defended its decision in a blog post, saying that without the use of the web server, users would have to click to confirm they wanted to start the Zoom client before joining a meeting. "The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings." It also noted that it has no indication that the exploit has never been used, and even if it were to be used, users would see they had unintentionally joined a meeting and could leave immediately.
Whether the convenience of not having to click one extra button is worth the huge security issue created by the insecure web server is not a topic Zoom is keen to debate. In a statement to Gizmodo, the company said "one-click-to-join meetings" were its "key product differentiator" and it has not announced any plans to address the insecure web server issue.