Zoom Security Issue: UC Unicorns Aren’t Invincible
Zoom security flaw leads to potential problems for Mac users
Zoom, one of the world leaders in video conferencing and collaboration devices, has accomplished incredible things this year. In April this year, the company became the most valuable technology IPO of 2019, identifying it as a “UC Unicorn” with some serious potential.
However, being a successful UC business doesn’t necessarily mean that you’re invulnerable to problems. Slack, one of the original collaboration companies, proved this fact themselves at the end of June 2019, when their app experienced a worldwide outage for more than an hour.
Now, it seems that Zoom has also been the victim of a severe issue with its video-conferencing software. According to Jonathan Leitschuh, a technology veteran who discovered a bug affecting the cameras on millions of Apple Macs, the latest vulnerability in the Zoom software was “bananas,” and may have left countless people at risk.
The Zoom Video Vulnerability
According to Jonathan’s report, hackers may have been able to access the cameras on Apple Macs thanks to a vulnerability in Zoom’s software for video conferencing. Jonathan Leitschuh said that the problem is related to the way that Zoom establishes video meetings on Macs. This generally involves sending a unique link to someone over the web, which they can click to join a meeting.
On the one hand, this simple access to video meetings is an excellent feature for Zoom users who don’t want to deal with complexity before their voice calls. However, the Zoom Mac software also makes joining meetings easier by placing a web server on every machine it gets installed on. This is where the vulnerability lies.
While not all Macs were necessarily vulnerable to the issue, those whose users had not changed a setting that turned video off when they joined a meeting were at risk. The flaw allowed hackers to place code on websites that connected to the server when victims clicked their meeting links – leading to serious privacy issues.
The same problem isn’t apparent on Windows computers, because they handle Zoom meetings differently – without the server installation.
Fixing the Zoom Server Issue
According to reports about the Zoom functionality issue, simply uninstalling Zoom from your Mac might not have been enough to correct the problem. Uninstalling Zoom could allow the web server to remain on your device, which means that the vulnerability is still there.
If you’ve previously installed the Zoom client and then uninstalled it, you’ll still have the localhost web server on your device, which re-installs the client when necessary without any interaction on your behalf. All you need to do to start the installation is visit the right web page.
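A defender can check whether a helper process is still listening on loopback after the main app has been removed. The script below is an added example, not code from Zoom or from Leitschuh’s report; the process name `ExampleHelper`, the port and the sample `lsof` lines are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): find processes still listening on
# loopback after an app has been uninstalled.
# Input format: output of `lsof -nP -iTCP -sTCP:LISTEN`.

# Constructed sample; "ExampleHe" is lsof's default 9-character truncation
# of the placeholder process name "ExampleHelper".
SAMPLE_LSOF='COMMAND    PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ExampleHe 4242 alice  5u  IPv4  0xabc      0t0  TCP 127.0.0.1:40000 (LISTEN)
rapportd   511 alice  4u  IPv4  0xdef      0t0  TCP *:49152 (LISTEN)
postgres   777 alice  7u  IPv6  0x123      0t0  TCP [::1]:5432 (LISTEN)'

# Print "command pid address:port" for every listener bound to loopback.
loopback_listeners() {
    awk '$NF == "(LISTEN)" {
        addr = $(NF - 1)
        if (addr ~ /^127\./ || addr ~ /^\[::1\]:/ || addr ~ /^localhost:/)
            print $1, $2, addr
    }'
}

# Keep only loopback listeners whose command name contains $1
# (case-insensitive). The pattern is cut to 9 characters so it still
# matches lsof's truncated COMMAND column.
leftover_listeners() {
    pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | cut -c1-9)
    loopback_listeners | awk -v pat="$pat" 'index(tolower($1), pat) > 0'
}

# Demo on the constructed sample: prints "ExampleHe 4242 127.0.0.1:40000"
printf '%s\n' "$SAMPLE_LSOF" | leftover_listeners ExampleHelper
```

On a Mac, feed it live data with `lsof -nP -iTCP -sTCP:LISTEN | leftover_listeners <name>`; an empty result means nothing with that name is listening on loopback.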
The good news? Zoom has been quick to address the issue. After confirming the vulnerability but arguing that it wasn’t as severe as Jonathan Leitschuh suggested, Zoom announced that it had rolled out a patch intended to eliminate any future privacy concerns. According to Zoom, updating your client will now not only fix the issue but also eradicate the local web server.
Patching to get rid of the Zoom server completely should eliminate the vulnerability on Mac devices. However, Leitschuh believes that this action might be too little, too late. According to him, he first contacted the company about the issue in late March, warning that he would go public with the information within 90 days if it wasn’t fixed.
However, Zoom has disputed this statement, saying that the team had responded to Leitschuh only minutes after they were told about the flaw. Zoom also added that it had no indication suggesting that its users had fallen victim to this privacy issue so far.
When UC Today contacted Zoom for advice for any concerned Mac users, a spokesperson said: “Given the updates we made on Tuesday and are making this weekend, I would encourage any concerned customers to keep their Zoom Mac app updated, always a good practice anyway, and to come directly to us at support.zoom.us with any specific questions.”
Security is a Common Issue – Even for Unicorns
Regardless of whether you believe Zoom or Mr. Leitschuh’s version of events, it’s safe to say that the issue proves that even the biggest and most innovative companies can fall victim to security issues. UC Unicorns may be impressive, but just like any other business in the communication environment, they still have security and privacy concerns to address.
Zoom has announced that it is planning to set up a public bug bounty initiative that will pay researchers in the future to find flaws. At present, a similar programme exists, but access is by invitation from Zoom only.
Some final words from Zoom:
“Our goal is a frictionless video experience, but clearly we’ve made some mistakes in that process. But we have heard the security community and our customers loud and clear and we hope that the fixes we’re putting in place now will help rebuild any lost confidence”