Oh Zoom, you necessary evil you. Video conferencing surely has saved us a lot of time and money by bringing geographically separate people together via simple technology. Well, simple to a fault. It’s been a week since Zoom-gate. Yeah, I’m going to coin that phrase since this particular vulnerability didn’t have a fancy website or logo, so we might as well try to give it that. So what exactly happened?
Here is the original disclosure from the researcher, Jonathan Leitschuh. I do not know Jonathan, nor do I work for Zoom, but I do use their product on a regular basis and have for years. It’s the corporate standard at more than a few companies I’ve worked at over the last few years, so I’m pretty familiar with it. This post is my take on this whole hot mess of a vulnerability.
Man alive, did this disclosure drive me mad. Look, I know that in our industry, making a name for yourself is considered important by more than a few people. The desire to disclose is strong! Jonathan did this fairly well for a few reasons:
- He waited 90 days before disclosing publicly.
- He was in contact with Zoom regularly and did what he could.
- He decided against a monetary reward in the hopes of disclosure (and recognition) for his work.
Whether or not that last point is a good thing is up for debate, but I applaud anyone willing to stick with their morals, provided those morals are not, you know, evil.
When I read the original disclosure, I was shocked. Not because clicking a https://zoom.us/############ link would, gasp, open Zoom, but because so much of the focus was on this hyperbole of being added to a call without permission! Yes, the lack of prompting sucks, and the fact that your video pops up immediately is pretty bad. However, the host does not have the ability to force your video to turn on. Zoom said as much, and my own IT team and I tested it and likewise found the claim to be false. The not-so-great part is that Zoom defaults to turning on your video. In a corporate setting, your Zoom admin can change this (we default to video off, for example), and you can always change your own defaults if you’re not centrally administered.
But seriously, that’s not what bothered me. Nope. What bothered me was how little attention was paid to the HTTP SERVER INSTALLED BY ZOOM THAT DIDN’T GET UNINSTALLED EVEN WHEN YOU UNINSTALLED ZOOM!!! That’s the bit that should have been the focus of the disclosure. But I get it, telling people there’s some unwanted software installed on your machine that could lead to total ownership of your machine isn’t sexy. It doesn’t really scare people. If it did, we wouldn’t have issues with people falling prey to phishing campaigns or opening up documents on newly found USB drives. However, telling someone that a stranger can view them over their webcam without permission, well, that’s just downright terrifying! Never mind the fact that the Zoom client also pops up when this happens, and you can clearly see that you’re in a meeting; it’s still a terrifying thought. Sure, there was talk of a Denial of Service (DoS) vulnerability in there as well, but I think it was also given a bit more attention than it deserved. Still bad, mind you, but not exactly scorched earth territory either.
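As an added defender-side check (not part of the original post, and not Zoom’s or Apple’s code): a small script that joins `lsof` listening sockets with process paths and flags loopback listeners whose binary runs from a user’s home directory, which is the profile of a per-user helper that a drag-to-Trash uninstall leaves behind. The `lsof`/`ps` output, the helper name and its path below are constructed placeholders, not values from the disclosure.

```python
import re
from dataclasses import dataclass

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not a real capture).
LSOF_SAMPLE = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    412  alice   4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
SomeHelper  933  alice   7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:19999 (LISTEN)
cupsd       201  root    6u  IPv6 0x5e6f      0t0  TCP [::1]:631 (LISTEN)
"""

# Constructed sample of `ps -axo pid=,comm=` output; the helper path is a placeholder.
PS_SAMPLE = """\
  412 /usr/libexec/rapportd
  933 /Users/alice/.somevendor/SomeHelper
  201 /usr/sbin/cupsd
"""

LOOPBACK = ("127.0.0.1:", "[::1]:", "localhost:")


@dataclass
class Listener:
    command: str
    pid: int
    address: str
    path: str


def parse_ps(text):
    """Map PID -> executable path from `ps -axo pid=,comm=` output."""
    paths = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            paths[int(parts[0])] = parts[1].strip()
    return paths


def parse_listeners(lsof_text, ps_text):
    """Join each lsof LISTEN row with its binary path; the header row is skipped."""
    paths = parse_ps(ps_text)
    out = []
    for line in lsof_text.splitlines()[1:]:
        cols = line.split()  # NAME splits into "<addr>:<port>" and "(LISTEN)"
        if len(cols) < 10 or cols[9] != "(LISTEN)":
            continue
        pid = int(cols[1])
        out.append(Listener(cols[0], pid, cols[8], paths.get(pid, "")))
    return out


def suspicious_loopback_listeners(lsof_text, ps_text):
    """Loopback listeners whose binary lives under /Users/<name>/, i.e. a per-user
    daemon that survives removing the main app bundle and deserves a closer look."""
    return [l for l in parse_listeners(lsof_text, ps_text)
            if l.address.startswith(LOOPBACK) and re.match(r"/Users/[^/]+/", l.path)]
```

On a live machine, feed it the real output of the two commands (both need only the user’s own privileges for the user’s own processes); system daemons such as cupsd on [::1] are deliberately not flagged.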
Is being caught unaware that you’re joining a meeting scary? Yes. Is it meterpreter-has-a-more-covert-way-of-doing-this-exact-thing-for-years level scary? No, but it sure makes for sensational headlines!
I’ll be honest, when I first read the disclosure, Jonathan made Zoom out to be rather incompetent and arrogant. I was willing to give them the benefit of the doubt, because I’m Canadian and we’re good like that. However, the fallout from this disclosure and the way that Zoom reacted was not exactly great, and I started to side with Jonathan a lot more.
A feature that was asked for by your customers is one thing, but purposely bypassing another organization’s security measures just to make things easier for your customer is not cool. Apple put in controls for a reason, and Zoom basically creating a separate HTTP server to bypass those controls for their users on Macs running Safari was just plain stupid. And then trying to defend this stance as a “feature” is just crazy! C’mon Zoom, you can do better. If someone wants to uninstall your software, then they don’t want it anymore. You don’t get to leave a backdoor sitting on their machine to reinstall quickly and without prompting the user because it makes it easier for them! Again, that’s just dumb.
Having said all of that, the way Zoom handled the situation after all hell broke loose was actually rather admirable. They owned up to the problem, admitted they were wrong (it took a bit of pressure to do so, but still), and provided a patch the next day! That’s impressive, I don’t care who you are. Not only that, but they partnered with Apple to work on a fix to remove the HTTP server via a silent OS X update.
Zoom, I am disappoint. I expected better from you. Apple is the pinnacle of the design and usability world, and even they put security and privacy in as equal pillars. Why did you think it was okay to ship an RCE as part of your product?! This is disappointing. But you did well by fixing it so promptly. I just wish you hadn’t let it get this far. Now I get to field questions from my staff, customers, partners, etc. who are wondering if your product is safe to use. This will die down of course, but it could all have been avoided if you had taken this seriously and done a simple threat model on what you built! What I hope is that other organizations learn from your mistake. Yes, there are researchers who are in it for the glory, but this was legitimately bad!
As for security researchers, I understand the need to sensationalize to get attention, but it also cheapens our profession. Chicken Little, The Boy Who Cried Wolf, Y2K (sorry, I couldn’t resist), etc. There are plenty of examples of this type of hyperbole backfiring. This was a big problem, but the focus was on the wrong threat. I appreciate Apple fixing this as well, since I was honestly worried about how those users who uninstalled Zoom but still had this rogue HTTP server sitting on their machines would be affected. I don’t know many people who would re-install a program just to get the patch to make sure it uninstalled correctly. How many would remember if they ever installed an affected version of Zoom in the past? Thankfully Apple’s patch fixes that, and nobody had to lift a finger.
Apple seems to be in a strange spot here and is being called out by some people in the InfoSec Twitter community as the villain for silently removing an unwanted HTTP server. Seriously? Some people just hate Apple. Make no mistake about it, I don’t like Apple much myself, but their products do just work, so they’ve got that going for them. Plus, what’s the alternative for those less-than-technical people who purchased a Mac simply because they do not want to deal with nitty-gritty details like editing registry keys, changing config files, and the like? Those are the real victims here, since those are the people who likely dragged that Zoom icon to the trashcan expecting it to uninstall cleanly and remained blissfully unaware of the threat to their system. What would you have them do? Prompt you to uninstall an unwanted server that likely broke some form of agreement between Apple and Zoom? And what if someone said no, but then had their machine hacked later because of it? All of a sudden Apple doesn’t look so impenetrable, does it? Naturally Macs aren’t bulletproof (nothing is), but it is evident that they have far fewer threats facing them compared to the alternatives. Sure, we can argue about market share and the like, but the reality is that Apple runs a tight ship, and that also means you don’t get that much freedom compared to Windows or Linux. That’s a conscious choice for most people, and if they’re fine with it then who are we to say otherwise? Plus, are you really arguing that removing a potential backdoor is a bad thing? They’ve had this functionality on their iPhones for YEARS, so get over it. I wonder how people would have reacted if anti-virus vendors had updated their signatures and auto-quarantined this server instead? Would that have made people happy?
Let’s be honest for a second. We live in a world where vulnerabilities are weaponized quickly, often days after disclosure. I know a lot of firms that use Zoom, and there seems to be a trend towards MacBook Pros as well, especially in tech. With that comes a level of confidence (and even arrogance) about the lack of concern around security, since “Apple takes care of it”. This should be a great example of why that is actually more true than not. Is Apple perfect? Absolutely not; they have a regular patch cadence just like everyone else. But this one was big just because of how prolific it was and all the attention it got. And yes, there really was an RCE in there.
Maybe I’m bitter. Maybe I’m tired of people arguing for the sake of arguing. Maybe this is just a new outlet to let off some steam. Maybe vulnerabilities will stop getting mascots or massive press coverage for all the wrong reasons. Whatever. I’m still going to use Zoom for my meetings because it bloody well works, and they fixed the problem. Will I add some additional steps when evaluating software and performing my own internal pen tests? Absolutely. Overall, I think there are lessons for everyone here. From handling vulnerability reports and acting on them, to understanding how to properly address issues publicly, there’s a lot to learn from all this. Will we though? Only time will tell.