A security researcher has discovered a vulnerability in the popular Zoom application

Scrolling throw social media one of the people behind Firo Solutions

found a really interesting blog post written by Jonathan Leitschuh and this is our exploit of the day.

Affecting:

Zoom Client

RingCentral

Summary:

A vulnerability has been released in a popular video and sound meeting application called Zoom. The Vulnerability allows a third party to start a video meeting without the permission of the end user. This could lead to someone spying on you without approval. What is required is that a malicious zoom link is opened on the end users computer/smart-phone.

Zoom

Zoom is a very popular multi platform(Linux/Apple Mac/IOS/Android/Windows) proprietary software used for voice and video meetings. The USA company behind zoom is named Zoom Video Communications

Proof of concept:

https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html

<body> <h4>Normally this iFrame would not be visible</h4> <p>I've left the iFrame visible as a demonstration.</p> <p>To truly obscure which site is launching you into the call, an attacker site may even do so lazily after you've been on the site for a while.</p> <iframe src="https://zoom.us/j/492468757"/> </body>

By hosting a similar piece of html on site will allow a user to auto join a zoom meeting [b]without any user interaction[/b].

In firefox the [u]zoommtg://[/u]

CVE’s:

CVE-2019-13450

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.

CVE-2019-13449

In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.

Zoom.us responded to this research with the following

This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed. Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened.

Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period. This engagement included disagreement about the severity of the meeting join concern. [b] Ultimately, Zoom decided not to change the application functionality[/b], though as mentioned above, we will be saving the user’s desired camera settings after a Zoom user joins their first meeting from a particular device. Link to answer

External links:

Jonathan Leitschuh’s Medium post

Statement from zoom.us

Alex Willmer twitter statement

Hacker News

Stay up to date with Vulnerability Management and build cool things with our API