How many layers of security do you have between your employees and hackers? Learn how multi-factor authentication provides an extra wall against attackers.
Jonathan Leitschuh, a software engineer and security researcher at Gradle Inc., made a public revelation this past July about a critical vulnerability in the Zoom application. Zoom is a popular web video conferencing app based in the cloud, with over 4 million users across almost a million organizations. The bug Leitschuh found resided in the MacOS version of the app, and would had allowed an external website to access and control a user’s webcam through Zoom.
Zoom Webpage Access and DOS Possibility
According to Leitschuh, the vulnerability originates from Zoom’s open meeting joining functionality, which generates a link that anyone can click on to attend the video conference. Leitschuh’s research shows that in order to do this, the app connects your device to a web server (with some questionable protocols according to the researcher). A hacker leveraging this remote process can force your computer to join the meeting without you ever knowing, as well as cause denial-of-service (DOS) by repeatedly forcing you to join a non-existent meeting.
App Can Potentially Force RCE, Meetings, and Reinstallation
Leitschuh uncovered many deeply concerning aspects of Zoom’s web functions, chief among them its ability to essentially force your machine into accepting its protocols. Though he was unable to completely confirm it, the security researcher theorized that an enterprising hacker could figure out a way to leverage this flaw for a remote code execution (RCE), but at the very least Leitschuh was able to prove that it can force webcam activation if it was installed. He also found that the web server could remain installation on your computer, even if Zoom was uninstalled, and could simply reinstall the app if commanded to.
Zoom ‘Quick Fix’
Leitschuh and Gradle reached out to Zoom several times about the vulnerability, and were finally able to get their attention after some time and recommend a few fixes. However, Zoom tried to get Gradle to remain quiet on the vulnerability, which they refused to do, and after the customary 90 grace period Leitschuh revealed the flaw in early July. It is interesting to note that Leitschuh found that the only suggestion Zoom followed up on initially was a temporary quick fix that he recommended as a stop gap, and only took more dedicate measures once he released that knowledge soon after the first disclosure
Apple Patch for Zoom on Mac
Apple, on the other hand, did not waste much time in releasing a security patch for Mac computers only a few days after Leitschuh disclosed the vulnerability in Zoom’s update. Apple’s fix ensures that users receives a prompt asking if they want to join a meeting, rather than forcing them as before.
Zoom Security Vulnerabilities
This is not the first time Zoom has experienced a flaw like this – a similar vulnerability was found in August 2018 that affected Windows and Linux machines along with MacOS. There has been no word on whether this recent bug is present in other operating systems, but Leitschuh did point out that all of the white-labeled services which copy Zoom’s code can also be affected.
Carefully Monitor Remote Access
While bugs always appear in software, the Zoom debacle illustrates how serious these vulnerabilities become in a remote cloud environment. With how many employees are joining the distributed workforce, it is important that for your business to stay protected, you must learn how to secure all remote connections and prevent hackers from silently infiltrating your network.
Download our white paper here to find out how to fortify your organization’s remote access connections.
