Zoom Webcam Hijacking — Are Your Users Vulnerable?

Fritz Ifert-Miller

On July 8th, Jonathan Leitschuh published a vulnerability report for the popular teleconferencing application Zoom:

“This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”

With ¾ of a million companies relying on Zoom to conduct video meetings, the number of vulnerable individuals is staggering. If your organization currently uses Zoom, you may be stuck wondering which of your users are affected.

Thankfully, Kolide provides a clear path towards identifying unsafely configured devices and remediating the issue.

Update 7/9/19 5:30PM:

In response to overwhelming pressure from the community, the Zoom team pushed changes to the client that remove the local web server feature of the Zoom app and permit normal uninstallation:

Current Release

July 9, 2019 Version 4.4.53932.0709
Download Type: Prompted
Download here: Download Center

General Features

Option to uninstall Zoom: Zoom users can now uninstall the Zoom application and all of its components through the settings menu.

Resolved Issues

Removal of the local web server: Zoom will be discontinuing the use of a local web server on Mac and will be completely removed from the Zoom installation.

What do I need to look for?

There are two main components of this vulnerability:

  1. A persistent listening port that allows a meeting to be auto-joined by serving a malicious URL in an iframe.

  2. Your webcam is activated by default when joining the meeting.

Kolide conveniently provides a list of all listening ports and the respective processes that are utilizing them via our Inventory feature.

Below we can see a gif filtering down to check whether the Zoom process is listening on port 19421, and we see it is on 2 of our devices:

Next, we can check who has their camera disabled by default.

This setting can be configured in Zoom by following these steps:

  1. Click on Preferences
  2. Go to the Video Tab
  3. Ensure the checkbox: “Turn off my video when joining a meeting” is checked.

How is this preference value stored?

Zoom stores this and several other preferences in a sqlite DB located at:

~/Library/Application Support/zoom.us/data/zoomus.db

There is a value in the zoom_kv table which encodes some of the various preference settings as a string:

sqlite3 ~/Library/Application\ Support/zoom.us/data/zoomus.db "SELECT value from zoom_kv where key = 'com.zoom.pt.settings.general';"

304878224

That string can be converted from base-10 to binary:

100 1 0001011000001001010010000

Count to the 26th position starting from the right (the digit set apart above) and read its value:

1 = Disable Camera by Default
0 = Enable Camera by Default
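
The decoding steps above as a Python script, added here as an example (it is not Kolide's check and not from the original article). It opens the database read-only at the path and key given above and tests bit index 25, the 26th position from the right; the function names, the 'off'/'on'/'unknown' labels and the two-column zoom_kv schema in build_sample_db are assumptions made for the example.

```python
import sqlite3
from pathlib import Path

# Path and key come from the article; bit index 25 (zero-based) is its
# "26th position starting from the right".
ZOOM_DB = Path.home() / "Library/Application Support/zoom.us/data/zoomus.db"
SETTINGS_KEY = "com.zoom.pt.settings.general"
CAMERA_OFF_BIT = 25


def camera_off_by_default(raw_value):
    """True when the decoded bit says video is off when joining a meeting."""
    return bool((int(raw_value) >> CAMERA_OFF_BIT) & 1)


def check_zoom_db(db_path=ZOOM_DB):
    """Return 'off', 'on' or 'unknown' for the camera-on-join default."""
    db_path = Path(db_path)
    if not db_path.is_file():
        return "unknown"  # no preferences database for this user
    # mode=ro: an audit must never modify the user's preferences.
    uri = db_path.resolve().as_uri() + "?mode=ro"
    try:
        conn = sqlite3.connect(uri, uri=True)
        try:
            row = conn.execute(
                "SELECT value FROM zoom_kv WHERE key = ?", (SETTINGS_KEY,)
            ).fetchone()
        finally:
            conn.close()
        if row is None:
            return "unknown"  # settings key absent from zoom_kv
        return "off" if camera_off_by_default(row[0]) else "on"
    except (sqlite3.Error, ValueError, TypeError):
        return "unknown"  # unreadable database or non-numeric value


def build_sample_db(path, value):
    """Constructed fixture: minimal zoom_kv table (schema is an assumption)."""
    conn = sqlite3.connect(str(path))
    conn.execute("CREATE TABLE zoom_kv (key TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO zoom_kv VALUES (?, ?)", (SETTINGS_KEY, value))
    conn.commit()
    conn.close()


if __name__ == "__main__":
    print("camera default:", check_zoom_db())
```

Treat 'unknown' as a device that still needs follow-up rather than as a pass.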

Kolide looks for this setting as part of our Vulnerable Apps Check. When it finds devices that do not have the checkbox checked, it automatically fires off a notification to your end user via Slack with information about the vulnerability, and instructions on how to protect themselves from being a victim of the exploit.
