Zoom Zero-Day Vulnerability Allowed Webcam Hijacking

Overview of the Zoom Zero-Day Vulnerability

Zoom’s video conferencing software experienced a major security issue in 2019 when a zero-day vulnerability was discovered that allowed attackers to hijack users’ webcams. This zero-day flaw was very concerning, as Zoom has become widely used for remote work and education during the COVID-19 pandemic. The vulnerability allowed an attacker to forcibly join a Zoom meeting and view participants’ webcams without their knowledge or consent. This was possible due to Zoom’s use of a local web server on users’ computers that lacked proper authentication.

How the Zoom Zero-Day Vulnerability Worked

The Zoom webcam hijacking flaw stemmed from the local web server Zoom installs on users’ computers. This web server runs in the background and handles video and other communications functions when joining Zoom meetings.

Unfortunately, Zoom failed to properly authenticate users to this local web server. Attackers could target the web server on a victim’s computer and forcibly join meetings as an active participant with full access to audio and video. Even if the meeting was password protected, the attacker could spy on the meeting and view webcam feeds.

The attack simply required knowing the meeting ID of any Zoom call. Meeting IDs are often guessable or accessible online as many users share them publicly. So attackers could easily find valid meeting IDs to target.

Real-World Webcam Hijacking Incidents

This wasn’t just a theoretical vulnerability. There were real-world examples of attackers exploiting the Zoom zero-day flaw:

  • A security researcher demonstrated hijacking a friend’s Zoom meeting to spy on their webcam video without consent. This highlighted how easily exploitable the flaw was.

  • Vice News reporters had a Zoom call hijacked by a complete stranger who exposed himself and hurled racial epithets. This shocking incident drew major public attention to the Zoom vulnerability.

  • Many other Zoom users reported unknown individuals crashing and disrupting their video meetings in disturbing ways. This created panic about Zoom’s security practices.

Zoom’s Delayed Response and Eventual Fix

Zoom was widely criticized for its slow response in patching the webcam hijacking vulnerability:

  • The flaw was initially reported to Zoom in late March 2019, but it took the company nearly 3 weeks to address it.

  • Zoom finally issued a patch on April 2, 2019, that required users to update to Zoom version 4.4.53832.0205 or later.

  • However, it wasn’t until version 4.6.0, released on July 15, 2019, that Zoom fully resolved the issue by requiring password authentication for the local web server by default.

  • During those delays, many users were left exposed to potential webcam hijacking by attackers leveraging the then-unpatched zero-day.

Lessons Learned from the Zoom Zero-Day Saga

The Zoom webcam hijacking vulnerability offers some important lessons for the security community:

  • Rapidly patching zero-days is essential – Zoom’s slow response put many users at risk unnecessarily. Companies must act swiftly when flaws are reported.

  • Local web servers can introduce risks – Local web servers on client devices should be carefully locked down as they can provide attack vectors into systems.

  • Authentication matters – The flaw highlighted how critical proper authentication is, even for components running locally on user devices.

  • Scrutinize rapidly growing apps – Zoom’s meteoric pandemic growth likely contributed to this issue. Security must keep pace as new apps gain adoption.
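
The lessons above on local web servers and authentication, as an added example (not Zoom's code and not from the original article): a request gate that a hypothetical localhost helper could apply before acting on any request. The port, the allowed origin and the function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for illustration; none of them come from Zoom's software.
ALLOWED_ORIGINS = {"https://meetings.example.com"}
LOCAL_HOSTS = {"127.0.0.1:19555", "localhost:19555"}  # hypothetical port


def new_install_token():
    """Per-install secret, generated once and stored readable only by the user."""
    return secrets.token_urlsafe(32)


def authorize(method, headers, expected_token):
    """Return (allowed, reason) for a request sent to the local helper."""
    h = {k.lower(): v for k, v in headers.items()}

    # Actions with side effects must not be reachable through a plain GET,
    # which any web page can cause a browser to send.
    if method.upper() != "POST":
        return False, "method not allowed"

    # An unexpected Host value means the request was addressed to some other
    # name that happens to resolve to loopback (DNS rebinding defence).
    if h.get("host", "").lower() not in LOCAL_HOSTS:
        return False, "bad host"

    # Browsers attach Origin to cross-site POSTs; accept only the vendor site.
    origin = h.get("origin")
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}".lower() not in ALLOWED_ORIGINS:
            return False, "bad origin"

    # Require the per-install secret and compare it in constant time.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode(), expected_token.encode()
    ):
        return False, "bad token"

    return True, "ok"
```
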

While the episode was embarrassing and damaging for Zoom, public exposure of the vulnerability led to increased scrutiny and pressure that ultimately improved Zoom’s security practices. However, users must remain cautious, as new zero-day flaws are sure to be discovered in the future.
