Zoom to patch flaw that enabled access to Mac webcams

Posted:
in General Discussion edited July 9
Following the disclosure -- and wide media coverage -- of a zero-day flaw in video conferencing service Zoom's Mac client that enables easy access to a user's camera feed, the company on Tuesday reversed course and said it plans to issue a fix for the vulnerability.

Zoom


Announced in a post to Zoom's official blog, the emergency security patch will remove a local web server the company is using to bypass a Safari 12 protection mechanism, as well as allow users to completely uninstall the app.

The move is a course reversal for Zoom, which as recently as Tuesday said both actions would be difficult to implement. Zoom previously defended its use of a local host server to bypass built-in Safari security protocols in favor of a streamlined user experience.

Apple's latest Safari 12 requires users to by interact with a dialogue box when a website or link attempts to launch an outside app. Zoom, which prides itself on a streamlined UX and one-click-to-join video meetings, developed a workaround in the creation of a local host server that constantly runs as a background process.

As detailed by security researcher Jonathan Leitschuh, nefarious websites can take advantage of the local web server to trigger a video call with a simple launch action or an iframe exploit, automatically activating a Mac's webcam and connecting to a meeting without user consent. All Zoom Mac clients are vulnerable through Safari, Chrome and Firefox unless a "Turn off my video when joining a meeting" option is ticked in the software's settings menu.

In addition to granting potentially unwanted webcam access, the local server remains on a host machine even when Zoom is uninstalled and can re-install the client app without user interaction.

Zoom initially said it would not remove the server feature, but it appears the company had a change of heart after its CEO, Eric Yuan, discussed security concerns in a "Party Chat" with Leitschuh and various members of the Zoom community on Monday. That meeting, conducted through Zoom, was open to all comers and could be accessed through a proof of concept link provided in the security researcher's original report.

Along with removing the local host server, Zoom's Tuesday patch will also include a menu bar option to completely uninstall the Mac client. Earlier on Tuesday, the company said it did not have an "easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client," saying the process had to be completed manually through Terminal.

The patch is expected to arrive later tonight.

Comments

  • Reply 1 of 11
    Riiiight. A company that knows how to install a local web server on a custom port and have it launch every time the system boots up, is somehow incapable of writing a shell script to automate the removal of that tool and hook into the OS frameworks that allow a temporary escalation to higher privileges for that script. Not like I ever used Zoom, but this convinces me to advocate against them and suggest a clean OS reinstall to anyone who's ever used the product.
    agilealtitudedysamoriafastasleepcoolfactorplanetary paulracerhomie3
  • Reply 2 of 11
    dysamoriadysamoria Posts: 2,266member
    “Difficult”, read as “we don’t wanna”.

    Maybe their lawyers let them know they really ought to.
    coolfactorracerhomie3
  • Reply 3 of 11
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 

    this is beyond stupid. 
    planetary paulmac_dog
  • Reply 4 of 11
    fastasleepfastasleep Posts: 3,086member
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 
    There is, and it does:
    https://support.apple.com/guide/mac-help/control-access-to-your-camera-on-mac-mchlf6d108da/mac

    You would've had to have already given permission for Zoom to use your camera/microphone. You would also know it's active because the green light next to your cam would turn on.
    manfred zorncoolfactorplanetary paulRayz2016
  • Reply 5 of 11
    coolfactorcoolfactor Posts: 1,504member
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 

    this is beyond stupid. 
    Yes, the permission is permanent, so once you've granted it once, it's granted permanently. This is why the localhost (one word, AppleInsider!) web server is such a problem. Because it's a process that has received your permission permanently.

    AppleInsider, please confirm if this localhost web server listed in the Security & Privacy panel...




  • Reply 6 of 11
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 
    There is, and it does:
    https://support.apple.com/guide/mac-help/control-access-to-your-camera-on-mac-mchlf6d108da/mac

    You would've had to have already given permission for Zoom to use your camera/microphone. You would also know it's active because the green light next to your cam would turn on.
    Very familiar. My point was that it shouldn’t be possible for some installed software to bypass this. As in there should be an OS level failsafe that cannot be bypassed. A camera (and microphone for that matter) is a serious privacy matter. 

    Sounds like Zoom operates more like a phishing scam. Sheesh. 
  • Reply 7 of 11
    racerhomie3racerhomie3 Posts: 1,149member
    I hope a class action lawsuit is filed against them. If they don’t go to the iOS codebase this fall on Mac  they will never get me as a customer.
    edited July 10
  • Reply 8 of 11
    Rayz2016Rayz2016 Posts: 4,726member
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 
    There is, and it does:
    https://support.apple.com/guide/mac-help/control-access-to-your-camera-on-mac-mchlf6d108da/mac

    You would've had to have already given permission for Zoom to use your camera/microphone. You would also know it's active because the green light next to your cam would turn on.
    Always tricky to balance the needs of developers (who buy into MacOs because of its Unix-like underpinnings) and protecting the users. 
  • Reply 9 of 11
    fastasleepfastasleep Posts: 3,086member
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 
    There is, and it does:
    https://support.apple.com/guide/mac-help/control-access-to-your-camera-on-mac-mchlf6d108da/mac

    You would've had to have already given permission for Zoom to use your camera/microphone. You would also know it's active because the green light next to your cam would turn on.
    Very familiar. My point was that it shouldn’t be possible for some installed software to bypass this. As in there should be an OS level failsafe that cannot be bypassed. A camera (and microphone for that matter) is a serious privacy matter. 

    Sounds like Zoom operates more like a phishing scam. Sheesh. 
    I just meant the controls you described are present, to the extent that they foresaw normal software behavior. This obviously was a clever workaround to get past that, and I think we can expect Apple to lock things down further so this isn't possible, for better or worse in the long run.

    You should also buy and install MicroSnitch if you're concerned about things like this:
     https://obdev.at/products/microsnitch/index.html


  • Reply 10 of 11
    fastasleepfastasleep Posts: 3,086member

    Rayz2016 said:
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 
    There is, and it does:
    https://support.apple.com/guide/mac-help/control-access-to-your-camera-on-mac-mchlf6d108da/mac

    You would've had to have already given permission for Zoom to use your camera/microphone. You would also know it's active because the green light next to your cam would turn on.
    Always tricky to balance the needs of developers (who buy into MacOs because of its Unix-like underpinnings) and protecting the users. 
    Yes, and it exacerbates fears that they will fully lock down the OS such that those freedoms will no longer be accessible by users in the future. I'm hoping GateKeeper remains a benevolent force that one can work around when needed.
  • Reply 11 of 11
    Gee, Zoom, that sure looks like a cleverly designed FEATURE more than a flaw to me.

    What bothers me about this is that the user isn’t in control of OUR OWN CAMERA. 

    And I don’t even blame Zoom. 

    Sure, I’ll never use their software now as that’s an evil and creepy thing to offer - say an employers wants to force you into a video conference and you don’t even know you’re being seen... evil. 

    This is an APPLE issue. It shouldn’t even be possible for a software maker to do enable this. 

    There should ALWAYS be a OS LEVEL approval for the camera to activate. 

    An installer app can call on it, but the user should approve a prompt AT THE OS LEVEL. 

    this is beyond stupid. 
    Yes, the permission is permanent, so once you've granted it once, it's granted permanently. This is why the localhost (one word, AppleInsider!) web server is such a problem. Because it's a process that has received your permission permanently.

    AppleInsider, please confirm if this localhost web server listed in the Security & Privacy panel...




    It is, so I guess it can be denied access from that panel.


Sign In or Register to comment.