Zoom’s security vulnerability – Don’t let your webcam get hijacked

Have you ever noticed someone with a camera cover or a piece of tape covering the webcam on their laptop? Maybe you thought they were paranoid. Can people really gain access to your webcam without your knowledge? Well, perhaps after reading this article you will be more inclined to go out and purchase a small plastic cover for your webcam.

On Monday, July 8th, Zoom, a video conferencing service, was discovered to have a vulnerability that allowed malicious actors to forcefully make you join a Zoom call as well as activate your webcam without your permission. The security flaw was first reported to Zoom by software engineer Jonathan Leitschuh. It could potentially affect up to 750,000 companies and their users.

Why is the Zoom security vulnerability a big deal?

If you’re a Zoom customer, this security vulnerability causes three big problems. First, malicious actors can take advantage of the vulnerability by forcing you to join unsolicited Zoom calls and activating your webcam. Second, this could also be exploited to carry out an attack similar to a DoS (Denial of Service) by continuously forcing your computer to join bogus Zoom calls, overwhelming your computer and potentially rendering it unusable. Third, a “feature” in Zoom called Auto-Join allows the malicious actor to decide whether the target should have their webcam on when they join the call, without needing user permission.

Another troublesome aspect of this vulnerability is that you are still exposed even if you uninstall the Zoom client. This is because Zoom installs a local web server that runs on your computer and remains in the background. It is important to point out that this local web server is installed without user knowledge or permission. The local web server allows Zoom to forcefully re-install itself when you do something as simple as visiting a website that contains an iframe embedded behind malicious advertisements. You can check whether the server is running on your computer with the simple command lsof -i :19421 in your terminal.
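To make that check repeatable on many machines, here is an added defender's script (not code from the article or from Zoom). It probes the loopback port named above and parses the text that lsof -i :19421 prints, so you can see which process owns the listener; the lsof sample and its process name are constructed for illustration.

```python
from __future__ import annotations
import socket
from dataclasses import dataclass

ZOOM_LOCAL_PORT = 19421  # loopback port named in the article


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port (a live probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


@dataclass(frozen=True)
class Listener:
    command: str  # COMMAND column, i.e. the process name
    pid: int
    name: str     # NAME column, e.g. localhost:19421


def parse_lsof(output: str) -> list[Listener]:
    """Extract listening sockets from the text printed by `lsof -i :<port>`."""
    found = []
    for line in output.splitlines()[1:]:  # first row is the column header
        cols = line.split()
        if len(cols) < 4 or cols[-1] != "(LISTEN)":
            continue
        found.append(Listener(command=cols[0], pid=int(cols[1]), name=cols[-2]))
    return found


# Constructed sample of `lsof -i :19421` output on an affected machine; the
# process name "zoomhelp" is made up for illustration.
SAMPLE_LSOF = """COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
zoomhelp  512  alice  7u  IPv4 0x1f2e      0t0  TCP localhost:19421 (LISTEN)
"""


def probe_self_test() -> tuple[bool, bool]:
    """Bind a throwaway loopback listener, probe it, close it, probe again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = port_is_listening(port)
    srv.close()
    after_close = port_is_listening(port)
    return while_open, after_close


if __name__ == "__main__":
    print("port", ZOOM_LOCAL_PORT, "listening:", port_is_listening(ZOOM_LOCAL_PORT))
    print("lsof rows:", parse_lsof(SAMPLE_LSOF))
```

A listener on the port after the Zoom client has been uninstalled is the condition the article describes; the lsof output tells you which process to stop.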

Make sure the products you use protect you from security flaws

This seems to be another case where a software company did not build its product with the security of the end user in mind, placing more value on features that offer convenience and ease of use. Zoom was notified of the vulnerability for the first time back in March but was slow to discuss or provide a solution. They eventually rolled out a patch for the Auto-Join webcam vulnerability, but that patch was rolled back, leaving the vulnerability working again.

It is increasingly important for both consumers and the security community to hold software companies accountable. Companies should be transparent about what is actually being installed on your computer and what they will have access to within your system. Software companies should also acknowledge reported vulnerabilities and take steps to remedy them as soon as possible after security researchers report them.

One of the perks of being a Rubica Private Client is access to software vetting by Rubica’s security experts. They could tell you, for example, that Zoom has security vulnerabilities, and provide recommendations for a more secure conferencing tool you can use.