Zoom Responds to Heat on Video-on Vulnerability
Following plenty of social shaming and public disapproval from security experts and industry watchers, Zoom Video Communications yesterday afternoon announced that it has released one patch for a previously unfixed vulnerability in its cloud video conferencing service, and noted plans to release a second as part of a planned July update due this weekend.
Communications and collaboration analysts I’ve spoken with have been less concerned about the vulnerability… although they said Zoom could have reacted differently between the flaw’s discovery four months ago and yesterday’s patch announcement.
To recap, word of the vulnerability surfaced publicly on Monday, July 8, when a security researcher published an InfoSec Write-up titled, “Zoom Zero Day.” The researcher explained he discovered a Zoom Mac client vulnerability that “allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”
What’s more, the researcher wrote, this vulnerability could have precipitated denial-of-service (DoS) attacks against a Mac “by repeatedly joining a user to an invalid call.
“Additionally,” he continued, “if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”
The researcher then went on to share a timeline of his interactions with Zoom about the vulnerability he discovered, beginning on March 8 with a Twitter outreach and ending on July 8 with his public disclosure.
While the researcher wrote about this as a Zoom Mac client issue, the “video-on vulnerability,” as Zoom calls it, is an issue for PC clients, too. But Zoom downplayed the risk in a public statement issued on July 8. Characterizing the discovery as an “alleged risk,” Zoom wrote:
“If an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, either in an email message or on an internet web server, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not explicitly configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video camera. Because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting.”
In the statement, Zoom also provided its stance on the two Mac-specific issues.
Regarding the local DoS vulnerability, Zoom acknowledged that if an attacker were able to initiate an “endless loop of meeting join requests,” the attempt to lock up a user’s Mac would indeed work. However, Zoom said it has never seen the vulnerability exploited, and noted that a fix issued in May addresses it.
As to the auto-join via Zoom local web server, Zoom attributed this vulnerability to a workaround it implemented following Apple’s decision in Safari 12 to require users to click to accept an app’s launch -- in Zoom’s case, at the start of each video meeting. Installing a local web server that automatically accepts the access circumvented the need for that extra click, Zoom wrote. “We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
Indeed, Zoom has built a brand around the frictionless meeting experience. So while security is of paramount importance, any vulnerability gets weighed against factors such as ease of use, Oded Gal, head of products at Zoom, told me. He characterized the tradeoff as a conceptual issue, saying about video-on, “Is starting video by default a security risk or not? That’s the question, right?”
Zoom believed it effectively addressed this question by giving first-time users the ability to turn off the auto video-on setting, as well as allowing enterprise customers to set that as a default so that video must be clicked on for every meeting, Gal said: “We present the options and let them choose based on their security policies.”
But Zoom has seen this week that public perception isn’t to be dismissed, Gal said. And so the company worked to hasten resolution of the noted vulnerabilities, hence the July 9 patch. With this patch, Zoom has removed the local web server. For this to take effect, Mac users will need to update their clients, as prompted via the Zoom user interface, the company wrote in an update to its response blog on the vulnerability. In addition, this patch allows users to uninstall the Zoom client manually. The “Uninstall Zoom” option will appear in the Zoom menu bar. Of course, this means Mac users will now have that extra click Zoom had previously worked around, said Gal, noting that Zoom is in discussions with Apple on ways to improve this process.
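Because the leftover local web server the researcher described keeps listening even after the client is uninstalled, and the July 9 patch only removes it once the client has actually been updated, a Mac administrator will want a way to confirm it is gone. The following check is an added example written for this article; it is not Zoom’s code or the researcher’s. It assumes nothing about the server beyond what the article states: it runs the standard `lsof -nP -iTCP -sTCP:LISTEN` listing of listening TCP sockets and flags any loopback listener whose process name contains “zoom”. The sample `lsof` output embedded below is constructed for the offline demo, and the process name and port in it are illustrative placeholders, not values taken from a real machine.

```shell
#!/bin/sh
# Added example (not from the article, Zoom, or the researcher): look for a
# leftover Zoom web server bound to the loopback interface on a Mac.
# Intended input is the output of:   lsof -nP -iTCP -sTCP:LISTEN
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# where NAME is "<bind-address>:<port> (LISTEN)" for a listening socket.

# Print "COMMAND PID ADDRESS:PORT" for every listener whose command name
# contains "zoom" (case-insensitive) and whose bind address is loopback.
# Reads lsof output from stdin so the logic can be exercised offline.
find_zoom_loopback_listeners() {
    awk 'NR > 1 && tolower($1) ~ /zoom/ && $9 ~ /^(127\.0\.0\.1|\[::1\]|localhost):/ {
        print $1, $2, $9
    }'
}

# Wrapper with an exit status: 0 when no Zoom loopback listener is present,
# 1 when at least one is (i.e. the patched client has not taken effect).
check_no_zoom_listener() {
    hits=$(find_zoom_loopback_listeners)
    if [ -n "$hits" ]; then
        printf 'Leftover Zoom loopback listener(s) found:\n%s\n' "$hits"
        return 1
    fi
    printf 'No Zoom process is listening on loopback.\n'
    return 0
}

# Constructed sample lsof output for the offline demo. The "ZoomOpener"
# command name and the 19421 port are placeholders chosen for illustration.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1  root   10u  IPv6 0x1234      0t0  TCP *:22 (LISTEN)
ZoomOpener  512  alice   7u  IPv4 0x5678      0t0  TCP 127.0.0.1:19421 (LISTEN)
Spotify     880  alice  40u  IPv4 0x9abc      0t0  TCP 127.0.0.1:4381 (LISTEN)'

# Offline demo on the constructed sample. On the Mac being checked, run
#   lsof -nP -iTCP -sTCP:LISTEN | check_no_zoom_listener
# instead of the printf pipeline below.
printf '%s\n' "$SAMPLE_LSOF" | check_no_zoom_listener || :
```

Run it after installing the July 9 update: a clean result means the loopback server is gone; a hit names the process and PID so it can be inspected, and the check should be repeated after the client has been updated through the Zoom UI.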
A patch for the video-on vulnerability will follow this weekend, on July 12, Zoom wrote. Once this update takes effect, first-time users can select and save “Always turn off my video” as the default for all future meetings. Returning users who would like to turn video off by default will be able to do so through the Zoom client settings.
While the security community has taken Zoom to task over its decisions regarding the tradeoff between ease of use and the video-on vulnerability, video collaboration analysts haven’t seen the need to raise the red flag over it. Ira Weinstein, managing partner with Recon Research, pointed to the click-to-join reality of today’s collaboration solutions. This is a deliberate functional choice not only for Zoom but many others, for convenience and speed, he said. “I don’t know that I’d call [the Zoom vulnerability] much of a risk more than any other Internet-based risk of clicking on any link.”
A far greater security risk would be a nefarious download or virus resulting from clicking on a Zoom meeting link, he added. “Really, I don’t think there’s a major story here -- other than that everybody should watch what they’re doing and be as conscientious as possible.”
Irwin Lazar, vice president and service director at Nemertes Research, shared a similar view. “Zoom has historically focused on promoting fast join times and a video-first experience as key differentiators. This vulnerability uses those features against them, but at this point I think the threat is a bit overblown,” he wrote to me via email. “A user is only impacted if they click on a URL that launches a meeting, and at that point they would see the Zoom client launch, and the meeting start. On a Mac, they would also see the green light illuminate next to their camera.”
Disabling auto-start of video should assuage any concerns, Lazar said.
However, “a bit more concerning” than the vulnerability itself is Zoom’s response to it, he added. “I would have rather seen them proactively address the issue rather than wait for the researcher to publish the vulnerability.”