Zoom vulnerability for Mac users

Hi folks, you may have seen mentions on twitter of this Zoom vulnerability: https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Here are the problems in brief:

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day."

What does this mean for you if you use MacOS? It means you should make sure your Zoom software is up to date with the latest version (but that only fixes the second problem – the webcam problem remains).

This is an issue with the Zoom client itself, so just by using the client you’re vulnerable to having your webcam accessed without your consent. The other issue is that Zoom has had 90+ days to fix this and hasn’t, and that itself is a big red flag.

So what do we do besides cover Mac users' cameras? We can explore other options for video conferencing software, but the main issue there is that I haven’t seen other software that has recording capabilities, and that’s pretty huge for us. It’s likely that they’ll fix this issue fairly soon given the attention around it, but that doesn’t help us right now.

What do other people think?

They do note this small patch for the time being:

Disable the ability for Zoom to turn on your webcam when joining a meeting.

This can be done by accessing the preferences of Zoom.

I’ve been following this fairly closely. I’ve long been concerned that no single modern enterprise video communications solution seems to have achieved market dominance or superior user experience. Zoom seemed to be a satisfactory service and I was surprised by how weak the PR response was and how long it took to provide a solution to the vulnerability. Christopher Durr of Sacramento Public Library just suggested that I look at Jitsi Meet (meet.jit.si) as an alternative. I have not tried it but it claims to be a “fully encrypted, 100% open source video conferencing solution.”

I also find their response to this whole thing pretty shocking.

I use meet.jit.si for Tor Project stuff a lot, but I don’t think it can handle 30 people on a call given its typical functionality.