Zoom web server problem allowing hackers webcam access fixed for Macs

Zoom has become a useful way to hold video meetings and conferences among people who are not in the same organization or even using the same hardware and software. Recently a problem was made public that could let attackers access Zoom users’ webcams. Zoom has said they’ll fix the problem. https://gizmodo.com/zoom-backtracks-says-it-will-actually-fix-major-flaw-t-1836230262 In the meantime, Apple has already fixed the problem for Mac users via a silent update.

https://appleinsider.com/articles/19/07/10/apple-removes-zoom-web-server-in-stealth-mac-update

Apple removes Zoom web server in stealth Mac update

Apple on Wednesday pushed out an automatic update for Mac users that removes a local host server created by video conferencing app Zoom, protecting users against the threat of unwanted webcam access.


According to Apple, the silent update shields all Zoom users from a recently discovered web server vulnerability without impacting the operation of the app itself, reports TechCrunch.

Previous versions of Zoom installed a local host web server to bypass security protocols deployed as part of Safari 12.

In a bid to protect users from malicious actors, Apple’s web browser requires interaction with a dialogue box when a website or link attempts to launch an outside app. Seeking a streamlined one-click-to-open user experience, Zoom sought to bypass the Safari feature and quietly built a local web server into its Mac client package.

A flaw in Zoom’s implementation left the app, and subsequently all Mac owners who installed the software, open to attack.

Security researcher Jonathan Leitschuh this week detailed the vulnerability in a zero-day disclosure. Leitschuh found that embedding a simple launch action or an iframe into a website automatically dropped a user into a Zoom meeting with their Mac’s webcam enabled. Because the flaw lies in a web server and is not siloed to the app, the attack is effective not only in Safari, but Chrome and Firefox as well.

Further, the web server would remain on a host Mac even after Zoom was uninstalled and was capable of re-installing the client app without user interaction.

Following Leitschuh’s report, and intense scrutiny from media outlets, Zoom decided to patch the flaw in an emergency update on Tuesday. As part of the update, Zoom promised to remove the local host server and make available an option to completely uninstall all remnants of the app without going through Terminal.

Apple opted to remove the server through its own tools on Wednesday. Zoom was apparently notified of the Mac update, according to the report.

“We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today,” Zoom spokeswoman Priscilla McCarthy told TechCrunch. “We appreciate our users’ patience as we continue to work through addressing their concerns.”

Apple typically reserves silent, automated Mac operating system updates to resolve severe malware issues or otherwise enhance user security. The mechanism is rarely deployed to target a specific third-party app, but the company informed TechCrunch that this particular fix was initiated to protect users from Zoom’s exposed web server.
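As an added defender-side check (not from the article, Zoom or Apple): a POSIX shell audit that parses `lsof` listener output on a Mac and reports any listening process whose name contains "zoom", which is how a leftover local web server of the kind the article describes would show up after the app was removed. The `lsof` column layout and the process-name match are assumptions, and the sample output, its process name, PIDs and port are constructed.

```shell
#!/bin/sh
# Added audit script, not from the article or from Zoom/Apple.
# Lists TCP listeners whose command name contains "zoom" (the article's
# "local host web server" pattern); worth running after an uninstall,
# since the article notes the server could survive removal of the app.
#
# Assumptions: `lsof -nP -iTCP -sTCP:LISTEN` prints the columns
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# with NAME like "127.0.0.1:<port> (LISTEN)", and the server's process
# name contains "zoom" (case-insensitive; macOS lsof truncates names).

# Read lsof listener output on stdin; print "<pid> <command> <address>"
# for every listener whose command name matches.
find_zoom_listeners() {
    awk '
        NR == 1 { next }                         # skip the lsof header row
        tolower($1) ~ /zoom/ { print $2, $1, $9 }  # pid, command, bound address
    '
}

# Run the audit against the live system (macOS; requires lsof).
audit_mac_listeners() {
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | find_zoom_listeners
}

# Constructed sample lsof output for offline demonstration; the process
# name "ZoomWebSv", the PIDs and the port are made up, not real values.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomWebSv  4242 alice    5u  IPv4 0x1234      0t0  TCP 127.0.0.1:12345 (LISTEN)
rapportd    321 alice    4u  IPv4 0x5678      0t0  TCP *:49152 (LISTEN)'

# Demo on the sample: prints "4242 ZoomWebSv 127.0.0.1:12345"
printf '%s\n' "$SAMPLE_LSOF" | find_zoom_listeners
```

On a real Mac, call `audit_mac_listeners` instead of the demo line; an empty result means no zoom-named process is listening.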
