Anyone for unintended ChatRoulette? Zoom installs hidden Mac web server to allow auto-join video conferencing

Zoom Video Communications, whose web conferencing service is used by millions, is under fire for installing a hidden web server on Macs in order to bypass user consent when joining a meeting. Researcher Jonathan Leitschuh, a member of the security team at Gradle Inc, investigated how the Zoom client opens automatically when …

  1. John Robson Silver badge

    Tape

    Has always been in place,

    The webserver is nixed - stupid design. The "Do you want to open in a different app" isn't a bad user experience, it's a good warning that you are leaving the browser...

    1. Anonymous Coward Silver badge
      Big Brother

      Re: Tape

      Tape is not needed when you haven't even got a camera.

      1. Korev Silver badge
        Childcatcher

        Re: Tape

        True, but if their server has vulnerabilities then they could easily take control of your machine

      2. JohnFen Silver badge

        Re: Tape

        This. Two of my requirements when I'm buying a computer are: that it doesn't have a built-in camera, and that it doesn't have a built-in microphone. I have occasionally had to purchase machines that had one or the other -- but in that case, a little work with a sidecutter solves the problem.

        1. James O'Brien
          WTF?

          Re: Side cutters?

          Since you took the time to open it up why not just unplug the cables? Then when you let the machine go to some other home you can say it is fully working. Assuming you took the time to plug them back in :)

          1. JohnFen Silver badge

            Re: Side cutters?

            If that's an option, yes, but the last time I did this, there weren't any cables to unplug.

            "when you let the machine go to some other home"

            I don't really do that. The only time I've let working machines go was donating antique computers to a museum. Otherwise, if they're working, then I can find a use for them. If they're not, then I cannibalize them for parts and give the parts I don't want to my local electronics recycler.

    2. fobobob

      Re: Tape

      Would be nice if the manufacturers could be convinced to employ some basic precautions such as:

      A shutter that covers the camera and possibly disconnects the microphone with a switch.

      Alternatively, allow the camera (assuming it's installed in a tablet or the top of a laptop screen) to pivot downwards by 90 degrees, effecting the same.

      Power light should be directly linked to camera sensor power, with no chance of being disabled via software.

      1. eldakka Silver badge

        Re: Tape

        A shutter that covers the camera and possibly disconnects the microphone with a switch.
        The weird thing is, this is how laptops used to work.

        In 2004, or maybe 2003, I bought a Dell laptop. On the chassis it had three physical slider switches to enable/disable:

        1) WiFi (yay 802.11a/b/g)

        2) Bluetooth

        3) Mic/Camera

        If you enable the switch, then software can enable/disable that service, but only if the switch was set to 'on' for that function. If set to 'off' then the software setting was irrelevant, it was off.

        I'm not sure why these hardware switches were removed - actually, I lie, I do know, cost, money, profit. But they never should have removed them.

        1. Anonymous Coward
          Anonymous Coward

          Re: Tape

          They weren't always hardware switches in the sense that when set to off it was off - I'm sure my Dell could still have its bluetooth enabled via software when the slider was "off".

          1. Anonymous Coward
            Anonymous Coward

            Re: Tape

            I'm sure that when I set the bluetooth slider to off it used to laugh at me and say "Yeah, that's definitely off now" then say "not" really quietly 2 seconds later....

    3. Synkronicity

      Re: Tape

      I never got the point of taping over or installing a shutter on your webcam. If my laptop was compromised to that degree I have far greater concerns than hackers watching me masturbate. Besides, the microphones will always be more incriminating and you can't exactly tape over those.

      1. Graham Cobb

        Re: Tape

        1) This article shows that it is extremely likely that there are other bugs lurking which make taking control of the webcam easier than many other compromises.

        2) I spend much of my day on conference calls, many of them external and so using random conferencing apps chosen by other people. I don't want my camera enabled if their chosen app does not have a safe default (as, it appears, Zoom does not).

      2. sabroni Silver badge

        Re: I never got the point....

        It's because it's quick, simple and can't be undone in software. I think the idea that a webcam hack requires your whole device to be seriously compromised is where you're going wrong.

        1. Anonymous Coward
          Anonymous Coward

          Re: I never got the point....

          The point is, getting your laptop rooted is painful, and for some of us, embarrassing. Having the experience recorded raises the stakes to humiliating, and potentially dangerous. You seem to be in one of the parts of the world where being caught whacking is your main concern.

          Not everyone is so lucky, and getting trolled is just the tip of the iceberg. People can face blackmail, stalking, assault, kidnapping, and arrest by less than merciful governments. Real consequences that a piece of an old post-it note can provide real protection from.

          That said I agree that the alert light should be hardwired to the camera leads, not switched on by software (looking at you Apple, never had to tape a webcam till I worked at an Apple shop, and my iPad doesn't even have a light)

      3. JohnFen Silver badge

        Re: Tape

        "If my laptop was compromised to that degree I have far greater concerns"

        Your laptop doesn't have to be compromised to a great degree for this to happen.

  2. lglethal Silver badge
    Facepalm

    Yes because it's such a massive hassle to click one more time to get to the necessary program.

    One more click across my day, wow I really just can't handle that. Forget the security, saving that one click, wow that's so amazing. Can I give them extra money???

    1. phuzz Silver badge
      Devil

      Two clicks are easy for you, (being presumably someone who's relatively computer savvy), but if you've ever tried setting up a video conference with a non-technical user you'll start to understand why they tried to make the whole process as automatic as possible.

      With some people, if there's any way they can possibly screw something up, they will, and there have been times when I'd commit physical violence to remove the need for a user to have to click on something.

      1. JohnFen Silver badge

        The solution to that is properly training those people, not increasing the attack surface for those of us who aren't incompetent.

        At least I know not to use Zoom, though.

    2. druck Silver badge

      Can I give them extra money???

      You can, but I'd rather they gave some back - class action anyone?

  3. chivo243 Silver badge
    Meh

    Would blocking :19421 at the perimeter be enough? Or would this app shift ports if it couldn't find the mothership?

    1. RichardBarrell

      If I understand correctly what you mean, then no.

      In the scenario described, the malicious traffic on tcp port 19421 isn't going through your site perimeter (by which I assume you mean a router at the edge of your network). It's going over the loopback device on the individual Mac being attacked. You're not going to block this in a router.

      The attack goes roughly like this:

      - I, a person who has once used Zoom, visit an ordinary website like https://www.evilbadguys.com/evil.html

      - that website has a bit of HTML (or a bit of JS that generates HTML) in it like `<img src="http://localhost:19421/evil_bad_url">`

      - now my browser generates a HTTP request to localhost:19421

      - some badly written software running on my Mac is listening on :19421 for incoming connections, and does something unwise in response to that HTTP request, causing me to get spied on

      - so the HTTP request which causes the bad thing to happen is going from my machine to my machine, just over the loopback device, without going through the perimeter at any point

      - the only traffic that went through the perimeter was on tcp ports 80 or 443, because this was triggered by an ordinary website

      Blocking connections to tcp 19421 at your perimeter isn't going to hurt anything but it also isn't going to fix anything. A firewall on the Mac itself which blocks traffic to that port on the loopback device could block it. I think the firewall that comes with Mac OS can do that (but I can't offhand remember if loopback traffic skips it. I would expect not.).
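      A defender-side check for the pattern described in the steps above, added here as an example (it is not from the thread, the article, or Zoom): it scans an HTML page for auto-fetched resources that point at a loopback address, which is the hook a page needs to make the viewer's browser talk to a listener on their own machine. The sample page is constructed; the port 19421 value comes from the discussion above.

```python
"""Added example: flag HTML references that target the local machine.
Sample HTML below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames and addresses that resolve to the viewer's own machine.
LOOPBACK_HOSTS = {"localhost", "::1"}
# Attributes a browser fetches automatically, without a user click.
FETCH_ATTRS = {"src", "href", "action", "data", "poster"}


def is_loopback_host(host: str) -> bool:
    host = host.lower()
    return host in LOOPBACK_HOSTS or host.startswith("127.")


class LoopbackRefParser(HTMLParser):
    """Collects (tag, attribute, url, port) for every loopback-bound reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            # Relative URLs have no hostname and stay on the page's own origin.
            if parts.hostname and is_loopback_host(parts.hostname):
                self.hits.append((tag, name, value.strip(), parts.port))


def find_loopback_refs(html: str):
    """Return every auto-fetched reference in `html` aimed at a loopback address."""
    parser = LoopbackRefParser()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample: one ordinary image, two references to a local listener.
SAMPLE_HTML = """
<html><body>
<img src="https://example.com/logo.png">
<img src="http://localhost:19421/evil_bad_url">
<iframe src="http://127.0.0.1:19421/other"></iframe>
<a href="/relative/link">fine</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, port in find_loopback_refs(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> {url} (port {port})")
```

A legitimate page rarely needs to load anything from localhost, so a hit in proxy-captured or saved page content is worth a look even when the local listener is not Zoom's.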

      1. chivo243 Silver badge

        So all the content for the web server is already installed with the app. Glad I've never been asked to use Zoom. I won't be in the future.

        Thanks for the gory details.

    2. Anonymous Coward
      Anonymous Coward

      "Would blocking :19421 at the perimeter be enough? Or would this app shift ports if it couldn't find the mothership?"

      It's a bit confusing at first but if you read carefully you'll see that this has nothing to do with the perimeter. The web server is on the same machine as the browser and client, and the traffic never hits the network at all. This is not a web server that can be contacted from anywhere else, and is not about reaching any mothership, so blocking access to this (or another) port won't have any effect. In any case the appropriate mitigation is described in the article.

      All that said, my advice would be to remove Zoom, apply the fix described to also remove the web server, and place Zoom and the people behind it on the list of people whose products you'll never use because they've shown reckless disregard for your safety. As a general best practice unrelated to Zoom, you should keep an opaque lens cap/slider/etc, if equipped, or black tape over any camera when not in use.

      1. vaporland

        Install Little Snitch

        You'd be amazed how chatty your MacOS is.

        I never heard of Zoom, but Little Snitch would definitely be one way to stop Zoom cold.

  4. Not Enough Coffee

    but everyone else is doing it

    Typical immature response.

    I'm guessing Zoom mentions this web server in the typically lengthy license agreement? I'd want to have an option during installation to include it in the setup or not.

    1. Cris E

      Re: but everyone else is doing it

      That's the next obvious question: who else is doing this? El Reg didn't choose to pursue that line of questioning in such a target-rich interview, but it might make a fine follow-up.

  5. davenewman

    So how does it work on Linux? I checked - I don't have anything running on port 19421.

    1. bob, mon!
      Linux

      On my machine Zoom doesn't start automatically, I have to go through the start menu, and enter the meeting ID number.

      Which I'm quite content to do. "Convenience", what a lame excuse for insecurity.

      1. chuBb.

        You're talking about Mac users here, they are pretty attached to the "it just works" attitude, plus with the terrible mice that come with Macs one less click is a good thing probably.

        All told very dumb workaround to keep the it just works of a mac going

  6. Pascal Monett Silver badge

    "to avoid this extra click"

    I've said it before and I'll say it again : Humanity will not die in the fire of a nuclear holocaust or an Armageddon from asteroid, it will die of convenience.

    1. itzumee

      Re: "to avoid this extra click"

      "I've said it before and I'll say it again : Humanity will not die in the fire of a nuclear holocaust or an Armageddon from asteroid, it will die of convenience."

      Now that's a ripe theme for a Black Mirror episode

    2. Anonymous Coward
      Anonymous Coward

      Re: "to avoid this extra click"

      Two things can be true: humanity will die from the convenience of starting a nuclear holocaust.

      Admittedly, only if the asteroid doesn't turn up first.

  7. Anonymous Coward
    Anonymous Coward

    Limited use

    I've used it twice, and I removed its client immediately afterwards.

    Personally, I found getting WebRTC to work to take a bit of effort the first time (mainly to do with figuring out where the permission settings were in Chromium), but the solutions I use now were worth the trouble - nothing I like better than services that are as close to natively supported as possible.

    I am wary of extra software and plugins etc etc - you never know who they're from and where they've been - plus Zoom is a US outfit, and we know just how keen that nation's intelligence services are on "assistance" from its locals to, er, "widen their view".

  8. mevets

    Too bad.

    Zoom is a really good conference facility. I was recently using it in meetings with > 20 live feeds, and it worked like a champ. It seems to be “software's doom” that useful stuff gets waylaid by crappy UX designers....

    1. Paul Crawford Silver badge

      Re: Too bad.

      Looking at it another way - it can't possibly suck as much as Cisco's WebEx...

    2. RobMo

      Re: Too bad.

      Useful? I found it to be utterly shambolic. We work with a vendor who uses it and the experience is terrible when they arrange a meeting using zoom. Actually makes Skype for Business look good and that’s saying something.

      1. JohnFen Silver badge

        Re: Too bad.

        I use Zoom, Skype for Business, and WebEx regularly at work. They are all frustrating and problematic, each in their own special way. Between the three, though, my experience is that Zoom brings the least pain with it.

        The problems with these applications are such that I really try to avoid using any of them whenever I can get away with it. Unless screen-sharing is required, none of them are better than the old-fashioned POTS conference call.

  9. Anonymous South African Coward Silver badge

    zooming in on masturbating users...

  10. Muscleguy Silver badge

    Hmmmm

    I signed up with Zoom when I clicked to be reminded of a webinar. It never reminded me. Some service. I don't seem to have it installed and did not give permission to install anything (I'm not that incautious). If it had started automatically and joined me in I would have been annoyed and sought the cause as I have autoplay disabled.

  11. Anonymous Coward
    Anonymous Coward

    Anyone know if ~/ringcentralopener/RingCentralOpener.app (installed by RingCentral for macOS) does the same naughty things as the app in ~/zoomus/ ?

    1. stevebp

      It wouldn't matter if it did as RC is so buggy it rarely works on my MacOS, doesn't integrate with O365/4/3 (whatever value we're up to at this stage of the year) and Mojave. RC is my org's corporate UC tool. The sound quality on Skype is crap but I prefer its integration qualities.

  12. chuBb.

    Why, when websockets exist???

    Honestly makes me wonder how Zoom can know enough to get WebRTC to work, but don't understand how websockets work??

    Maybe it's some Mac-specific security (blanket) feature I'm unaware of, but I would have thought a more graceful and less problematic way of achieving this would be to have the Zoom link hit Zoom's servers, read the client IP of the incoming request, look up the client ID against registered agents, possibly with an additional unique ID to handle NAT behind routers, and fire a start-meeting request at the agent.... ya know, like how RPC has worked for over 20+ years, just with a new-fangled transport

  13. This post has been deleted by its author

Biting the hand that feeds IT © 1998–2019