The fallout from Zoom’s massive webcam vulnerability continues. In a report published today, security researcher Karan Lyons shows that the same flaw — which gave attackers easy access to laptop cameras and microphones — affects RingCentral, which is used by over 350,000 businesses, as well as Zhumu, essentially the Chinese version of Zoom.
Both RingCentral and Zhumu license Zoom’s technology. Lyons explained, “If a lettuce producer has an E. coli outbreak, everyone who resells that lettuce under myriad brands in stores, or uses that lettuce in their sandwiches now also has vulnerable customers.”
“White labeling is a fairly common practice in this industry and others, and while it has its pros, one of the cons is that if a white label provider has an issue, everyone repackaging their product now does as well,” Lyons added.
RingCentral released an update for users of the company’s macOS app. The company is urging all customers to accept the update (v7.0.151508.0712) patching the flaw. While the update removes a hidden web server containing the vulnerability from customers’ laptops, Lyons told BuzzFeed News that for people who have already uninstalled the RingCentral app, there is no easy way to remove the hidden server. Lyons detailed a technical fix on GitHub. Zhumu has not yet issued a patch for the security flaw (the last update available for the software was released on June 17).
Jyotsana Grover, a RingCentral spokesperson, said, “We recently learned of video-on vulnerabilities in RingCentral Meetings software and we have taken immediate steps to mitigate these vulnerabilities for any customers who could be affected.” Grover added that the company is not aware of any customers impacted by the flaw.
On July 10, Apple released a silent automatic update for Macs, removing the hidden Zoom web server and protecting users from the vulnerability. The update does not remove the web server installed by RingCentral or Zhumu’s desktop apps. Apple and Zhumu did not immediately respond to BuzzFeed News’ request for comment.
The flaw could be exploited through a Zoom feature called “Auto-Join.” Zoom users can click a unique link to auto-join a meeting. The link will prompt the Zoom app to open, and enter the user into the meeting. Security researcher Jonathan Leitschuh discovered that a short line of code — an iframe — embedded into any website can also force Zoom users into a meeting, without any action from the user. Once the iframe embed is finished loading, the Zoom desktop app will automatically open and the victim will be entered into a meeting with (depending on their settings) their microphone and video camera turned on — all without any action from them.
That’s because of a second application, called a localhost web server, that is designed to run constantly in the background, and is automatically installed alongside Zoom’s desktop app. The server “listens” for the iframe embed or clicks on the auto-join link to prompt the Zoom desktop app to open. The server was designed as a “workaround” to a security change in Safari 12, requiring users to accept launching Zoom before every meeting, a Zoom spokesperson said.
On July 9, Zoom released a patch that removes the local web server from Macs once the Zoom desktop app has been updated, and adds a manual uninstall option for Zoom that also removes the web server. Previously, deleting the Zoom desktop app did not uninstall the web server.
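One way a defender could check a Mac for a leftover background listener of the kind described above (a server bound to localhost, living outside the app bundle and surviving the app's removal), as an added example that is not part of the original article or of any vendor's tooling: the script flags processes listening on the loopback interface whose executable lives in a hidden directory directly under the user's home. The process names, ports and paths in the sample listing are constructed, and the three-column input format (pid, local address, executable path) is an assumption; on a live machine it would be assembled from `lsof -nP -iTCP -sTCP:LISTEN` (pid and address) and `ps -o comm= -p <pid>` (path).

```shell
#!/bin/sh
# audit_listeners.sh - flag loopback listeners whose binary sits in a hidden
# directory directly under the user's home (the "hidden web server" pattern).
#
# Input, one listener per line:  <pid> <local_address:port> <executable_path>
# (assumed format; build it from lsof + ps on a real machine).

# Constructed sample listing: line 1 is the pattern we want to catch, line 2 is
# a developer's local server inside a normal app bundle, line 3 is system sshd.
SAMPLE_LISTENERS='501 127.0.0.1:19000 /Users/alice/.examplehelper/ExampleOpener
502 127.0.0.1:8080 /Applications/DevServer.app/Contents/MacOS/devserver
503 *:22 /usr/sbin/sshd'

# flag_hidden_listeners <home_dir>
# Reads the listing on stdin and prints only the lines where the socket is
# bound to loopback (IPv4 or IPv6) and the executable path starts with
# "<home_dir>/." (a dotfile directory such as ~/.something/).
flag_hidden_listeners() {
    home="$1"
    awk -v home="$home" '
        $2 ~ /^(127\.0\.0\.1|localhost|\[::1\]):[0-9]+$/ && index($3, home "/.") == 1 {
            print $1, $2, $3
        }'
}

# count_hidden_listeners: number of flagged entries in the constructed sample.
count_hidden_listeners() {
    printf '%s\n' "$SAMPLE_LISTENERS" | flag_hidden_listeners /Users/alice | wc -l | tr -d ' '
}

# first_flagged_pid: pid of the first flagged entry (empty if none).
first_flagged_pid() {
    printf '%s\n' "$SAMPLE_LISTENERS" | flag_hidden_listeners /Users/alice | awk 'NR == 1 { print $1 }'
}

# Stand-alone run: print what the sample would flag.
printf 'Loopback listeners from hidden home directories:\n'
printf '%s\n' "$SAMPLE_LISTENERS" | flag_hidden_listeners /Users/alice
```

A hit is a starting point for investigation, not proof of a problem: some legitimate helpers also bind to localhost from dotfile directories, so the next step is to confirm what installed the binary and whether its parent application is still present.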