Leaf&Core

It’s Time We Talk About Zoom: The Security Flaw That Activates Your Webcam


This story broke last week, but what began as a niche yet serious problem has grown. Furthermore, it illustrates the dangers of the American ideal of dedicating your entire life to work. Let’s back up and look at the technical mishap first.

Jonathan Leitschuh, a security researcher, found a dangerous vulnerability in Zoom, a video conferencing client used by many workplaces. Anyone who had installed the Zoom app was vulnerable, even if they had since uninstalled it. Basically, a simple link could automatically turn your camera on. This was so you could follow a link to join a conference call, but also so a remote person, like your boss, could automatically activate your camera during a conference call. Why they’d need to do that is anyone’s guess.

Leitschuh disclosed the vulnerability to Zoom when he discovered it, in March. Now, over 90 days later, he has informed the public of the security flaw. Unsurprisingly, Zoom finally found the time to fix it, just a few days after the public became aware. Strange coincidence!

But Zoom wasn’t the only app with the problem, and it reflects a problem with America’s obsession with dedicating every moment of our lives to work. We value being “on” all the time so highly, we give control of cameras inside our own homes to our bosses.

Basically, it’s a corporate form of 1984.

Relentless Zoom

Zoom didn’t just make their app so you could log in and start a video conference call with a click. They also set up a web server to take the request, bypassing any security in your browser. Usually your browser will warn you if you’re clicking a link that will run code in another app. However, Zoom got around this. The link you click doesn’t actually open the Zoom app. Instead, it tells Zoom’s servers to send a request to a server they secretly set up on your machine. This webserver sits, waiting for requests, and, once it gets one, it activates Zoom and your webcam. Already deleted Zoom? Too bad, it’ll reinstall it. Getting multiple fraudulent requests at once? Your machine will just become useless until you can take it offline.

This could work for any request, even one not from Zoom. Essentially, this opens a backdoor into your machine’s camera.
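A listener like the one described above is visible from the machine itself. As an added example (not from the original article, and not Zoom's or Leitschuh's code), this script filters `lsof` output for TCP listeners that answer on localhost and hides an allowlist you maintain; the allowlist entry and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list processes with a TCP
# listener reachable via localhost, minus an allowlist you maintain.
# Live use on macOS/Linux:
#   lsof +c 0 -nP -iTCP -sTCP:LISTEN | flag_local_listeners

# Assumption: command names you expect to be listening (space-separated).
ALLOWLIST="${ALLOWLIST:-rapportd}"

flag_local_listeners() {
  awk -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $NF != "(LISTEN)" { next }            # skips the header and non-listening rows
    {
      addr = $(NF - 1)                    # e.g. 127.0.0.1:49152, [::1]:49152, *:8000
      host = addr; sub(/:[0-9]+$/, "", host)
      # Loopback and wildcard binds both answer requests sent to localhost.
      if (host != "127.0.0.1" && host != "[::1]" && host != "*") next
      if ($1 in ok) next                  # expected listener, do not report
      printf "%s\t%s\t%s\t%s\n", $1, $2, $3, addr
    }
  ' | sort -u
}

# Constructed sample of lsof output; names, PIDs and ports are made up.
SAMPLE='COMMAND       PID  USER  FD TYPE DEVICE SIZE/OFF NODE NAME
rapportd      411  alice 4u IPv4 0x01   0t0      TCP  *:49200 (LISTEN)
ExampleHelper 7321 alice 5u IPv4 0x02   0t0      TCP  127.0.0.1:49152 (LISTEN)
ExampleHelper 7321 alice 6u IPv6 0x03   0t0      TCP  [::1]:49152 (LISTEN)
python3       900  alice 3u IPv4 0x04   0t0      TCP  *:8000 (LISTEN)
sshd          102  root  3u IPv4 0x05   0t0      TCP  192.0.2.10:22 (LISTEN)'

# Demo run on the constructed sample: prints command, PID, user, bind address.
printf '%s\n' "$SAMPLE" | flag_local_listeners
```

Any row that survives the allowlist is a process you should be able to name and justify; a helper that reappears after its parent app was removed is the pattern this article describes.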

https://twitter.com/mathowie/status/1148391109824921600

Setting up a server on someone’s machine like this is pretty common. But not in the software industry. This is how botnets frequently operate. This is what hackers do. They infect your computer, create a backdoor, and use it to execute code on your machine using requests sent from elsewhere. Zoom’s software basically turned your computer into a machine in a botnet, with the intent of turning on your camera without your permission.

It’s as though they simply bought some hacker’s code and sold it to businesses to force on their employees. If you were trying to launder harmful software and make millions doing it, this is exactly what you’d do.

Zoom’s Response

Zoom initially defended it as a “workaround,” which, when you’re working around security measures, we typically call a “hack.” They’ve stated it’s a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”

I’ll let you be the judge of their legitimacy.

Zoom Flaw Patched

Apple was first to patch Zoom’s flaw, upon learning about it. Zoom patched it themselves a day later. Today, Apple issued another update, patching similar vulnerabilities created by RingCentral and Zhumu, two competing video conferencing apps that used the same backdoor technology as Zoom. Zoom has also announced that they are abandoning their server plans, and won’t make your machine run their server software at all times, if you still feel like you can trust them.

Apple was quick to fix the problem. Zoom and others were slower.

Fortunately, Jonathan Leitschuh has a few suggestions on how to disable this on your computer. The easiest and most temporary is to just turn off the auto-join preference. It’s “Turn off my video when joining a meeting.” I know, doesn’t seem related at all, but that’s how Zoom does it.

No Choice

Here’s the really lousy part. If you had Zoom on your computer, it was likely because your office made you do so. They couldn’t just have you use Slack or Skype for video calls, they wanted you using Zoom, the one that gave them more control over your machine. So do you trust Zoom after all this? Probably not. But unless you’re in charge of the deals your company makes for software, you’re probably going to have to keep using it, at least until any contracts your company may have with Zoom expire. Hopefully your managers will let you switch to something else before then, but likely only if it’s free.

Zoom advertises an always connected workforce. They just didn’t say who you’d be connecting to.

