Remove Zoom From Your Mac Right Now

The Zoom video conferencing app contains two big security issues for Mac users. First, uninstalling the app the regular way doesn’t actually remove it from your system; instead, by installing Zoom, you’ve actually installed a persistent web server on your system that can be used to reinstall the app without your permission.

Why is that a problem? Because an attacker can then send you an invite link to a meeting – embedded in a website, or even an email – which launches Zoom (even if you “removed” it). This joins you into a conference call and, by default, your webcam is on, which could create some awkward moments depending on what you’re up to.

There are two primary fixes for this problem, which security researcher Jonathan Leitschuh outlined in his recent public disclosure of Zoom’s vulnerabilities. At minimum, you’ll want to go into Zoom’s video settings and enable this setting: “Turn off my video when joining a meeting.”

You can also enable this setting via the Mac Terminal, if you want to get fancy. Run one of two commands:

Turn off your webcam by default for just your local account

defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

Turn off your webcam by default for all users on your Mac

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

The bigger solution, if you ask me, is to uninstall Zoom completely, which means removing that persistent web server it has dropped on your system. To do so, you’ll need to open up your Mac’s Terminal and run two commands:

First, run this to get the web server’s Process ID, or PID:

lsof -i :19421

Next, run this command and input the PID where the bracketed text is:

kill -9 [process number]

You’ll then want to go find the ~/.zoomus directory on your Mac and delete it entirely.

Finally, to make sure this server doesn’t get reinstalled on your system for any reason, run these two commands in Terminal:

rm -rf ~/.zoomus

touch ~/.zoomus

And, of course, delete the Zoom application as you would any app you want to uninstall.
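
As an added example (not from the original article or from Zoom), the cleanup steps above can be wrapped in a script that also checks the result. It only matches processes listening on port 19421, so a browser that merely has a connection to that port is left alone; the function names and the --run switch are made up for this example.

```shell
#!/bin/sh
# Added example: audit and clean up the Zoom helper described in the article.
ZOOM_PORT=19421   # port taken from the article's lsof command

# Print PIDs of processes LISTENING on the given TCP port, one per line.
# Prints nothing if there is no listener or lsof is not installed.
listener_pids() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -nP -t -iTCP:"$1" -sTCP:LISTEN 2>/dev/null || true
}

# Classify <home>/.zoomus:
#   directory = helper folder still present
#   blocked   = regular-file placeholder left by "touch"
#   absent    = nothing there, so the folder could be created again
#   other     = symlink or special file; inspect by hand
zoomus_state() {
    p="$1/.zoomus"
    if [ -L "$p" ]; then echo other
    elif [ -d "$p" ]; then echo directory
    elif [ -f "$p" ]; then echo blocked
    elif [ -e "$p" ]; then echo other
    else echo absent
    fi
}

# The article's two commands: delete the folder, then leave an empty file
# with the same name so a directory can no longer be created at that path.
block_zoomus() {
    rm -rf "$1/.zoomus" && touch "$1/.zoomus"
}

# Full pass: stop the listener, block the path, then report what is left.
remediate() {
    home="$1"
    for pid in $(listener_pids "$ZOOM_PORT"); do
        echo "killing listener on port $ZOOM_PORT: pid $pid"
        kill -9 "$pid"
    done
    [ "$(zoomus_state "$home")" = blocked ] || block_zoomus "$home"
    echo "listeners left on port $ZOOM_PORT: $(listener_pids "$ZOOM_PORT" | wc -l | tr -d ' ')"
    echo "$home/.zoomus: $(zoomus_state "$home")"
}

# Nothing is changed unless the script is started with --run.
if [ "${1:-}" = "--run" ]; then remediate "$HOME"; fi
```

A clean result is zero listeners and a .zoomus state of "blocked"; running it again changes nothing.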

Going forward: Use browser-based apps for web meetings

Most major web meeting services – Zoom, Lifesize, WebEx, et cetera – allow you to join meetings via your browser. While you’re welcome to install an application on your computer, there’s not much of a reason to ignore the cleaner browser-based approach.

You won’t be installing an app on your system you might not need (or, in Zoom’s case, one that comes with a bunch of security hangups). In most situations, you’ll still be able to do everything in the meeting that you’d be able to do otherwise.

If you absolutely must have something that isn’t a browser-based experience, consider installing the web meeting service’s app on your iPhone or Android device. While that means that you’ll have to find a place to prop up your phone or your tablet when you dial in, at least you won’t be installing some problematic software on your primary PC.

Updated July 10, 2019, 7:30am AEST: Zoom is releasing an update later today that removes the annoying web server from Mac versions of its software. If you want to keep Zoom on your system, make sure you’re updated to the latest version of the app. It’s easy to do, as you’ll get a prompt within Zoom itself the next time you load it. As Zoom describes:

JULY 10 PATCH: The patch planned for today will do the following:

1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.

2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
