A security researcher has discovered a vulnerability in the popular Zoom application
Scrolling through social media, one of the people behind Firo Solutions
found a really interesting blog post written by Jonathan Leitschuh, and this is our exploit of the day.
Affecting:
- Zoom Client
- RingCentral
Summary:
A vulnerability has been disclosed in a popular video and audio meeting application called Zoom. The vulnerability allows a third party to start a video meeting without the permission of the end user, which could let someone spy on you without approval. All that is required is that a malicious Zoom link is opened on the end user's computer or smartphone.
Zoom
Zoom is a very popular multi-platform (Linux/macOS/iOS/Android/Windows) proprietary application used for voice and video meetings. The US company behind Zoom is Zoom Video Communications.
Proof of concept:
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
<body>
<h4>Normally this iFrame would not be visible</h4>
<p>I've left the iFrame visible as a demonstration.</p>
<p>To truly obscure which site is launching you into the call, an attacker site may even do so lazily after you've been on the site for a while.</p>
<iframe src="https://zoom.us/j/492468757"/>
</body>
Hosting a similar piece of HTML on a site causes a visitor to auto-join a Zoom meeting [b]without any user interaction[/b].
In Firefox the [u]zoommtg://[/u]
CVEs:
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.
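The checks and the mitigation steps from the CVE text above, as an added shell example that is not from the original post or from Zoom. It assumes a macOS host with lsof available, and takes the ~/.zoomus path as an argument so it can be tried on a scratch location first:

```shell
#!/bin/sh
# Added example, not part of the original post or of Zoom's own tooling.
# Audits a macOS host for what the CVE text above describes (a localhost web
# server on 19421/19424 and a ~/.zoomus directory that lets it be re-created)
# and applies the listed mitigation: stop the listener, make ~/.zoomus a file.

ZOOM_PORTS="19421 19424"   # localhost ports named in the CVE text

# Print the PIDs listening on TCP port $1, one per line (lsof ships with macOS).
# lsof exits 1 when nothing matches; only its output matters here.
listener_pids() {
  lsof -t -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null || :
}

# Classify a path: "directory" (server can recreate itself), "file"
# (mitigation in place) or "absent".
zoomus_state() {
  if [ -d "$1" ]; then echo directory
  elif [ -f "$1" ]; then echo file
  else echo absent
  fi
}

# Report-only audit of the ports and of path $1; returns 1 if exposed, else 0.
audit() {
  exposed=0
  for port in $ZOOM_PORTS; do
    pids=$(listener_pids "$port")
    if [ -n "$pids" ]; then
      echo "listener on localhost:$port, pid(s):" $pids
      exposed=1
    fi
  done
  if [ "$(zoomus_state "$1")" = directory ]; then
    echo "$1 is a directory, so the listener can be re-created"
    exposed=1
  fi
  return $exposed
}

# Kill listeners on the named ports, then replace directory $1 with an empty
# plain file so the server cannot recreate it. Prints the resulting state.
mitigate() {
  for port in $ZOOM_PORTS; do
    for pid in $(listener_pids "$port"); do kill "$pid"; done
  done
  [ -d "$1" ] && rm -rf "$1"
  [ -e "$1" ] || : > "$1"
  zoomus_state "$1"
}

audit "$HOME/.zoomus" || echo "host looks exposed; run: mitigate \"\$HOME/.zoomus\""
```

The ZDisableVideo preference the CVE text also mentions is a separate Zoom client setting and is not touched by this script.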
Zoom.us responded to this research with the following:
This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed. Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened.
Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period. This engagement included disagreement about the severity of the meeting join concern. [b]Ultimately, Zoom decided not to change the application functionality[/b], though as mentioned above, we will be saving the user’s desired camera settings after a Zoom user joins their first meeting from a particular device.
Link to answer
External links:
Jonathan Leitschuh’s Medium post
Statement from zoom.us
Alex Willmer twitter statement
Hacker News