Zoom and RingCentral Exploits Allow Remote Webcam Access


Recently, software engineer Jonathan Leitschuh uncovered a major security flaw in the Mac client for Zoom, a video conferencing system popular with businesses, and RingCentral, which is a rebadged version of Zoom. Zoom makes it so that when you click a Zoom link and have the client installed, the link automatically opens the Zoom client. It turns out that this implementation isn’t secure, because an attacker can create a link that will automatically join you to a call and turn your video camera on. (Note that it cannot disable the green LED indicator of the FaceTime cameras in the Mac, so if you use that camera exclusively, you always know when it’s on.)

Even worse, you couldn’t close this vulnerability by just deleting the Zoom app, because Zoom installed a hidden Web server on your Mac that would reinstall the Zoom client for you if you click a Zoom link.

Initially, Zoom defended its use of the hidden Web server, but quickly repented, and the company has released an update, version 4.4.4 (53932.0709), that removes the hidden Web server and offers an option to completely uninstall Zoom. The company has promised additional updates to improve user privacy.

To make sure that users who neglect to update the Zoom app are not exposed, Apple has released a silent macOS update that removes the hidden Web server. The update installs automatically without any interaction on your part. To see if it’s installed, open System Information in /Applications/Utilities, and click Installations, which is under Software in the sidebar. Click the Install Date column header so that you see the latest installations first, and look for MRTConfigData, which should be at version 1.45 or above. (Hat tip to Howard Oakley for that tidbit.)

The MRTConfigData update in System Information

Unfortunately, the hidden Web server was only part of the vulnerability. Even after the server is uninstalled, it’s possible for a Mac to inadvertently join a Zoom conference with the Web cam enabled.

How to Tell If You’re Affected

To try the vulnerability for yourself, the easiest way is to click one of the links below, which Leitschuh set up as proofs of concept. The second link will activate your Web cam automatically. Be warned that clicking either link will drop you into a video conference, likely with other people as freaked out as you are.

https://jlleitschuh.org/zoom_vulnerability_poc/

https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html

Fixing the Zoom Vulnerability

The Apple update takes care of the hidden Web server, but you can still be tricked into clicking a Zoom link that activates your Web cam.

First, check if you have the latest version of the client by opening Zoom and choosing zoom.us > Check for Updates. If the app prompts you, click Update Now to update it.

Note that version 4.4.4 (53932.0709) adds a Zoom icon to your menu bar. You can disable that by opening Zoom, going to zoom.us > Preferences > General and unchecking “Add Zoom to macOS menu bar.”

To prevent Zoom from activating your Web cam without your explicit consent, open Zoom and choose zoom.us > Preferences (Command-,), click Video in the Settings window’s sidebar, and check the “Turn off my video when joining a meeting” option.

The setting to turn off video when you join a meeting.

If you use Chrome or Firefox as your browser, you’ll also want to check and change some settings to prevent Zoom links from opening automatically, per Karan Lyson on GitHub, because it’s possible that you gave Zoom permission to open Zoom conferences automatically when you click a Zoom link. (This doesn’t affect Safari.)

But if you don’t want to fool with these settings, it’s easier to uninstall Zoom entirely, and we wouldn’t blame you. Open Zoom, choose zoom.us > Uninstall Zoom.

To fix this in Chrome:

  1. Quit Chrome by choosing Chrome > Quit Google Chrome.
  2. Open your user library folder in the Finder by holding Option, choosing Go in the menu bar, and choosing Library.
  3. Open the Application Support folder and navigate to /Google/Chrome/Default.
  4. Double-click the Preferences file, which opens in TextEdit by default.
  5. Press Command-F to open Find, and search for "zoommtg":false and "zoomrc":false (just search for “zoommtg” and “zoomrc” to reveal them).
  6. If these strings exist, delete them and the comma immediately after.
  7. Choose File > Save, close TextEdit, and re-open Chrome.
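The Chrome steps above, as an added shell script that is not from the article, Google, or Zoom. It automates steps 4 through 7: it removes the two "scheme":false entries and the comma that goes with them, keeps a backup, and refuses to touch the file while Chrome is running. The key names come from the article; that they sit as `"zoommtg":false` pairs inside Chrome's single-line JSON Preferences file is an assumption, the `pgrep` process name is an assumption, and the sample fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Google or Zoom): strip the entries that
# let Chrome open zoommtg:// and zoomrc:// links without asking.
# Assumption: Chrome stores them as "zoommtg":false / "zoomrc":false inside
# its minified JSON Preferences file.

CHROME_PREFS="$HOME/Library/Application Support/Google/Chrome/Default/Preferences"

# Remove "zoommtg":false and "zoomrc":false together with a following comma;
# if they were the last entries of their object, also drop the comma left
# before the closing brace so the JSON stays valid. Reads stdin, writes stdout.
strip_zoom_handlers() {
    sed -e 's/"zoommtg":false,\{0,1\}//g' \
        -e 's/"zoomrc":false,\{0,1\}//g' \
        -e 's/,}/}/g'
}

# Edit the real file in place, keeping a .bak copy, only if Chrome is closed
# (Chrome rewrites Preferences on quit and would undo a live edit).
fix_chrome_prefs() {
    if pgrep -x "Google Chrome" >/dev/null 2>&1; then   # process name assumed
        echo "quit Chrome first" >&2
        return 1
    fi
    cp "$CHROME_PREFS" "$CHROME_PREFS.bak" &&
        strip_zoom_handlers < "$CHROME_PREFS.bak" > "$CHROME_PREFS"
}

# Constructed sample of the relevant fragment (not a real Preferences file).
SAMPLE='{"protocol_handler":{"excluded_schemes":{"mailto":false,"zoommtg":false,"zoomrc":false}}}'

# Run with --apply to edit the real file; without arguments just show the
# transformation on the constructed sample.
if [ "${1-}" = "--apply" ]; then
    fix_chrome_prefs
else
    printf '%s\n' "$SAMPLE" | strip_zoom_handlers
fi
```

After an edit, reopen Chrome and click a Zoom link once: Chrome should ask for permission again instead of launching the client silently, which is the behaviour the article wants restored.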

Fortunately, this is easier in Firefox:

  1. Choose Firefox > Preferences.
  2. Click in the Find in Preferences field.
  3. Search for zoommtg and zoomrc.
  4. If these preferences are found, change them to “Always ask.”

As for the Web server that Zoom snuck onto Macs, between Apple’s update and the Zoom update, it should be eliminated. I’ve tested and confirmed this on my machine by deleting the hidden ~/.zoom file I made in Terminal and reinstalling Zoom, which didn’t recreate the directory that older versions kept the Web server in (see my description of the old Terminal method below if you don’t know what I’m talking about). Don’t take my word for it; you can check yourself by opening Terminal, entering this command, and pressing Return:

lsof -i :19421

That command searches for services listening on port 19421, which is the port that both Zoom and RingCentral used. After the update, it should dump you back to the command line with no result. Under older versions of Zoom, you’d see an entry called ZoomOpene like in the screenshot below.

Output of lsof -i :19421

You can also enter ls ~/.zoom, which should return with “No such file or directory” after updating to version 4.4.4 (53932.0709).
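The two checks above, folded into one script as an added example (not from the article, Apple, or Zoom). It looks for anything still listening on port 19421 and for the hidden helper directories in a home folder. Port 19421 and the directory names are from the article; the `lsof` column layout is assumed, and the sample `lsof` lines are constructed to resemble the old ZoomOpener entry rather than copied from a real machine.

```shell
#!/bin/sh
# Added example: detect the legacy Zoom/RingCentral helper web server.
# Port 19421 and the ~/.zoomus, ~/.ringcentralopener and ~/.zoom paths are
# from the article; the sample lsof lines below are constructed, not real.

ZOOM_PORT=19421

# Print the PIDs of processes that LISTEN on the port, given lsof output on
# stdin. Assumed layout: column 2 is PID, last column is "(LISTEN)" for a
# listening socket; established connections are ignored.
listener_pids() {
    awk '$NF == "(LISTEN)" { print $2 }'
}

# Run lsof for real and print listener PIDs (empty output means clean).
live_listener_pids() {
    lsof -i :"$ZOOM_PORT" -P -n 2>/dev/null | listener_pids
}

# Print any leftover helper directories under the home directory $1.
# Returns 0 if the home is clean, 1 if at least one was found.
leftover_dirs() {
    home=$1
    found=0
    for d in "$home/.zoomus" "$home/.ringcentralopener" "$home/.zoom"; do
        if [ -e "$d" ]; then
            echo "$d"
            found=1
        fi
    done
    return $found
}

# Constructed sample of what lsof showed on a pre-4.4.4 Mac (not real output).
# The COMMAND column truncates "ZoomOpener" to nine characters.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 24272 alice    5u  IPv4 0x1234      0t0  TCP 127.0.0.1:19421 (LISTEN)
ZoomOpene 24272 alice    7u  IPv4 0x5678      0t0  TCP 127.0.0.1:19421->127.0.0.1:53122 (ESTABLISHED)'

# Run with --live to inspect this Mac; without arguments, parse the sample.
if [ "${1-}" = "--live" ]; then
    pids=$(live_listener_pids)
    if [ -z "$pids" ]; then
        echo "nothing listening on port $ZOOM_PORT"
    else
        echo "listener PID(s) on port $ZOOM_PORT: $pids"
    fi
    leftover_dirs "$HOME" || echo "leftover helper directories found (listed above)"
else
    printf '%s\n' "$SAMPLE_LSOF" | listener_pids
fi
```

Checking only your own home directory is not enough on a shared Mac; point `leftover_dirs` at each folder under /Users to cover every account.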

The Old Terminal Method

Before the Apple update and Zoom’s 4.4.4 (53932.0709) update, you had to use Terminal wizardry to disable the hidden Web server. You no longer need to do any of this to fix Zoom, but I’m leaving it here both for historical reference and because this is a handy technique to be aware of in case another app pulls a stunt like this.

First, open Terminal and enter kill -9 PID, with PID (process identification number) being the PID that you saw when you ran lsof -i :19421. In my case, that PID was 24272, so I ran kill -9 24272. After you kill the process, you can run lsof -i :19421 again to confirm it worked; if successful, Terminal will return with its normal command prompt.

Then, create a new file in the Web server’s place, and set its permissions so Zoom can’t overwrite the file:

rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;

If you’ve used RingCentral, you’ll have to use a different set of commands to disable the Web server. As I described above, use kill -9 PID to kill any process on port 19421 (which you can find with lsof -i :19421) and then run this command:

rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

Note that you’ll have to follow these steps for every user account on your Mac.
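The old Terminal method, written up as an added script that is not from the article, Zoom, or RingCentral. It kills whatever listens on port 19421, replaces both helper directories with a mode-000 placeholder file, verifies the result, and repeats that for every home folder under /Users so no account is missed. Port 19421 and the two directory names come from the article; the /Users layout is an assumption about a standard macOS install.

```shell
#!/bin/sh
# Added example (not from the article, Zoom or RingCentral): neutralise the
# legacy helper web server for every account on the Mac, as the old Terminal
# method did. Port and directory names are from the article; the /Users
# layout is assumed.

PORT=19421
OPENER_DIRS=".zoomus .ringcentralopener"

# Kill anything listening on $PORT. Needs sudo to reach other users' processes.
stop_listener() {
    pids=$(lsof -t -i :"$PORT" 2>/dev/null)
    [ -n "$pids" ] && kill -9 $pids
    return 0
}

# Replace a helper directory with an empty file nobody can read or write, so
# the client cannot recreate the server there. $1 is the full path.
block_path() {
    rm -rf "$1"
    touch "$1"
    chmod 000 "$1"
}

# Return 0 if $1 is a plain file with mode 000, 1 otherwise (the check the
# article suggests doing by hand after running the commands).
is_blocked() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c2-10)" = "---------" ]
}

# Apply block_path to each helper directory under the home directory $1.
block_home() {
    for name in $OPENER_DIRS; do
        block_path "$1/$name"
    done
}

# Run with --apply to do it for real on every home directory in /Users.
if [ "${1-}" = "--apply" ]; then
    stop_listener
    for home in /Users/*; do
        [ -d "$home" ] || continue
        block_home "$home"
        for name in $OPENER_DIRS; do
            is_blocked "$home/$name" && echo "blocked $home/$name"
        done
    done
fi
```

A mode-000 file only stops an installer from silently dropping a directory in that spot; the file's owner, or any process running as that user, can still chmod it back, so this is a speed bump rather than a hard control.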

Interestingly, removing the Web server doesn’t disable Zoom or RingCentral functionality at all.

Questionable Judgement

Thankfully, Zoom has (sort of) addressed its issues, but only after intense pressure.

TidBITS Security Editor Rich Mogull had this to say about the vulnerability: “Zoom’s efforts to circumvent Safari’s native security are completely irresponsible. The Web server ‘feature’ merely adds a small amount of convenience at a massive security cost. This is a flagrant and deliberate security and privacy violation that raises serious concerns over Zoom’s internal security prioritization and threat modeling.” We agree. And as Steve Troughton-Smith points out, bad actors like Zoom justify Apple’s continued efforts to lock down macOS.

If you have to use Zoom, you can rest assured for now that the known issues have been addressed. But what’s less assuring is that there may be other security and privacy issues lurking beneath the surface, waiting to be discovered. And with Zoom already showing incredibly poor judgment, we advise uninstalling the client unless you absolutely need it.
