Zoom headquarters

Flaw in Video Conferencing App Could Have Given Hackers Immediate Access to Webcam Feeds

The company, Zoom, is now taking action to update its software after a security researcher discovered several serious security vulnerabilities in the popular video chat app.

  • By Haley Samsel
  • Jul 10, 2019

A security vulnerability in a popular video conferencing app could have allowed hackers access to users’ webcam video feeds, according to the findings of software engineer and researcher Jonathan Leitschuh. In the wake of complaints from its customers, the company, Zoom, is now acting to address the security issues.

The popular video conferencing application for businesses boasts at least 40 million customers and is well known for offering a simple user experience. All you have to do is download the Zoom app to a laptop, click the meeting URL and watch as the application immediately opens and joins the call.

The seamless technology that makes Zoom so attractive to users is also the reason it could be easily hacked, particularly on Apple computers. In a Medium post laying out his research, Leitschuh wrote that he was drawn to look into the app because he was curious about how the functionality was implemented securely.

“Come to find out, it really hadn’t been implemented securely,” Leitschuh wrote. “Nor can I figure out a good way to do this that doesn’t require an additional bit of user interaction to be secure.”

Leitschuh found that the app sets up a local web server on every Mac that allows call URLS to automatically launch the application, bypassing any pop-up windows asking the user to confirm they want to open Zoom. (This feature is not so easy with Windows, but users can check a box to permanently dismiss the warnings and start video chats immediately, WIRED magazine reported).

But by going around the pop-ups, users were not given a valuable tool to deny access to their webcam feeds. As Leitschuh found, an attacker could set up a malicious call, trick users into clicking the link and immediately have access to their video feeds.

He also found that attackers could wage a denial of service (DoS) attack against Apple computers by using a malicious link to barrage the computer with call requests. The company fixed this issue in a May patch.

In addition, Leitschuh was disturbed by the fact that the Zoom local web server was not deleted from Macs even if the user deleted the Zoom application, allowing it to be easily redownloaded automatically if someone clicked a malicious meeting link.

Once he discovered these vulnerabilities, Leitschuh notified Zoom’s security team and gave them 90 days to fix the problems, offering a “quick fix” and suggestions for long-term solutions. He said he was frustrated by the team’s slow response and disagreements over the potential security risks of preserving the functionality of the app.

“An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack,” Leitschuh wrote.

Since then, Leitschuh and other researchers have spoken with Zoom’s CEO, and the company has taken action to address the problems. Though the company maintained that it has “no indication” that a hacker ever carried out an attack similar to those described by Leitschuh, Zoom issued a patch Tuesday night that removes the local web server from Mac computers and adds an option to manually uninstall the app, including the local server.

The company is also planning another major update for later this week that will allow first-time and returning users to turn off the function that automatically gives access to their video feeds. In addition, Zoom will make it easier for researchers like Leitschuh to submit their security concerns through a “public vulnerability disclosure program” to be launched in the next several weeks.

For security experts, the episode was an example of how local web servers can pose a variety of risks for users.

“This is just one of many examples where locally running HTTP servers can vastly undermine security,” said Craig Young, a computer security researcher for Tripwire’s Vulnerability and Exposure Research Team. “The problem, at its core, is that Zoom allows for control via HTTP requests and HTTP requests can be forged from the browser by any web site a victim opens.”

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • New Research Shows a Continuing Increase in Ransomware Victims

    GuidePoint Security recently announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q1 2024 Ransomware Report. In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. Read Now

  • OpenAI's GPT-4 Is Capable of Autonomously Exploiting Zero-Day Vulnerabilities

    According to a new study from four computer scientists at the University of Illinois Urbana-Champaign, OpenAI’s paid chatbot, GPT-4, is capable of autonomously exploiting zero-day vulnerabilities without any human assistance. Read Now

  • Getting in Someone’s Face

    There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3