Zoom reverses course, removes local web server
Controversial design decision could allow ambush video call
Jeremy Kirk (jeremy_kirk) • July 10, 2019
Editor’s note: see the latest update on this story.
Video conferencing provider Zoom has chosen to make major changes to its Mac application after a security researcher found several weaknesses in it.
Jonathan Leitschuh, 25, a software engineer at Gradle in the Boston area, investigated how Zoom’s client software automatically opens on a Mac after someone clicks a meeting link in a browser window.
He discovered that a single line of code placed in an iframe on a web page could trigger the launch of Zoom’s client. Visiting that page would push the visitor into a conference call and, depending on how they had configured their Zoom settings, with their video camera on.
Zoom, which had 40 million users in 2015, went public on April 18.
Leitschuh reported security concerns to Zoom on March 26. He and the company had been communicating regularly since then, but disagreed on the seriousness of some of his findings. The two sides appear to have reached a truce, with Zoom pledging to abide by Leitschuh’s security recommendations.
“There was definitely some friction in terms of characterizing the vulnerability,” Zoom CISO Richard Farley told Information Security Media Group.
Public disclosure creates pressure
Leitschuh opted out of Zoom’s private bug bounty program. The terms of the deal reportedly required him not to disclose the bugs even after Zoom fixed them.
Instead, the researcher went public with his findings in a blog post on Monday, which put public pressure on Zoom to make changes. Leitschuh says he told Zoom he planned to go public after a 90-day disclosure period, warning that the consequences of releasing his findings could be painful for the company.
Public disclosure of vulnerabilities, however, can lead to changes that might not have happened otherwise, Leitschuh told ISMG. “Some security teams just don’t have the authority to make changes on the inside,” he says.
One of Leitschuh’s most alarming findings is that Zoom installs a local web server as part of its app. Even if Zoom is uninstalled, that local web server remains listening on port 19421. If someone then clicks on a Zoom meeting link, the local web server reinstalls Zoom, the researcher explains.
The revelation drew surprise and criticism, including from Jake Williams, a former operator of the National Security Agency’s Custom Access Operations Unit and founder of Rendition Infosec, a security consultancy in Atlanta. He tweeted:
Yesterday I said it looks like Zoom doesn’t have an SDLC. Part of SDLC is threat modeling. Zoom had 90 days to reassess whether an unauthenticated web server was a good idea. They held that line. Now they are backing down. No one in security said “it’s fine” – so no SDLC. 1/3 https://t.co/wt9Tn0idgQ
—Jake Williams (@MalwareJake) July 9, 2019
Controversial design: a local server
The reason Zoom installed a local web server was to circumvent a protection built into Safari 12 called the Cross-Origin Resource Sharing Policy, or CORS. This prevents a web page from launching a local application without an explicit permission window.
Zoom did this to streamline the video conferencing flow so users don’t have to click another window to launch Zoom. But the workaround is considered questionable even though software vendors other than Zoom have implemented it.
It also meant that users who thought they had uninstalled Zoom could still be forced into a video call if Leitschuh’s code was planted on a web page. The Zoom app would launch, so the user would likely know they’re on a conference call, but the behavior would be unexpected.
After Leitschuh published his blog post, Zoom initially doubled down on the local web server design decision. But it came under heavy criticism, and Zoom reversed the decision on Tuesday, releasing an update for Zoom for Mac, version 4.4.53932.0709, that removes the local web server.
Farley says “the consensus seems to be that we’d rather have our users make an extra click to join a meeting rather than that extra piece of code listening on a port on a Mac.”
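The practical follow-up to the listener described above (a web server on port 19421 that survives uninstalling the app, and which the Tuesday update is meant to remove) is to verify on your own machine that nothing is still listening there. The following is an added example written for this article, not code from Zoom or from Leitschuh's post: it attempts a loopback TCP connection to the port and reports whether anything accepts it. The function names and the throwaway demo listener are this example's own constructs; only the port number comes from the article.

```python
"""Verify that no local web server is still listening on the port the article names.

Added example (not Zoom's or the researcher's code). A successful loopback
connect means *something* accepts connections on that port; it does not by
itself identify the process, so follow up with the OS's socket tooling
(e.g. `lsof -i :19421` on macOS) before drawing conclusions.
"""
import socket
from contextlib import closing

ZOOM_LOCAL_PORT = 19421  # port cited in the article for Zoom's local web server


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds (a listener is present)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise,
        # so a closed port does not raise.
        return sock.connect_ex((host, port)) == 0


def check_zoom_listener(port: int = ZOOM_LOCAL_PORT) -> str:
    """Human-readable verdict for the post-update verification step."""
    if port_is_listening(port):
        return f"listener present on 127.0.0.1:{port}; the local web server has not been removed"
    return f"nothing listening on 127.0.0.1:{port}; local web server absent"


def _demo_listener():
    """Bind a throwaway listener on an OS-chosen loopback port.

    Constructed purely so the check can be exercised offline; it is not a
    stand-in for Zoom's server and serves no requests.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def self_test() -> tuple:
    """Exercise the check both ways: (detected while listening, detected after close)."""
    srv = _demo_listener()
    port = srv.getsockname()[1]
    with_listener = port_is_listening(port)
    srv.close()  # after this, connects to the same port are refused
    without_listener = port_is_listening(port)
    return with_listener, without_listener


if __name__ == "__main__":
    print(check_zoom_listener())
    print("self-test (expect (True, False)):", self_test())
```

Run it after applying the update (or after any manual cleanup) and expect the "nothing listening" verdict; if a listener is still reported, identify the owning process with the OS's socket tools before removing anything.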
Leitschuh also reported a denial of service vulnerability, which Zoom patched in May.
Zoom: we are going to change
In addition to removing the local web server, Zoom says it is now planning other changes.
This weekend it will release another patch that changes how the default video preference is handled. Zoom tends to default to video on, even if a user turned their camera off in a previous meeting.
The patch will keep a video camera off for future meetings if someone has selected that preference once, Zoom says. Leitschuh pointed out in his blog that it’s possible to call someone into an ambush and force the recipient’s camera to turn on through Zoom’s call interface settings.
Zoom says this behavior was only possible if the call recipient hadn’t turned off the video. But as noted earlier, Zoom has video enabled by default.
Zoom also plans to add a feature allowing users to manually uninstall the app. “Once the patch is deployed, a new menu option will appear that says ‘Uninstall Zoom’. Clicking this button will completely remove Zoom from the user’s device along with the user’s saved settings,” he wrote.