
Zoom fixes major Mac webcam security flaw with emergency patch - azernik
https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-patch-vulnerability-emergency-fix-web-server-remove
======
akersten
Stories like this are wonderful evidence of the effectiveness of public
disclosure of security vulnerabilities, and are always heartwarming to see.
Remember, 90-day disclosure windows are just a _courtesy_.

~~~
Sahhaese
This is why I consider bug bounty programs problematic, because they've been
co-opted from a system to manage responsible disclosure to a system to contain
and manage non-disclosure.

~~~
vorpalhex
Bug bounty programs can be great tools to help reward researchers, secure
products and help align new and amateur researchers who may not have ever
reported a bug before to standards.

But like all things, they can also be used to keep software insecure, hide
issues, and instead buy off researchers.

------
eeeeeeeeeeeee
Glad to see the company is changing course, but I’m not sure it would have
happened without the public shaming. I want companies to fix things because
something is insecure and it endangers the public, not because they have their
feet to the fire.

I know companies don’t always respond right the first time, I know I haven’t,
but Zoom had over 90 days to consider their responses and possible options /
software changes. Instead, they were dismissive of the entire thing and only
changed course after loud public pressure.

~~~
crazysim
What's scary is that they have a bounty program but it comes with a gag catch.

~~~
Phlarp
Most corporate bounty programs are going to include an NDA and following their
release schedule. No corporate legal department is going to sign off on a
bounty program that would both pay third parties for bugs and allow outside
researchers to unilaterally decide when to disclose the bug to a wider
audience.

~~~
rvp-x
They weren't going to fix it without the bug being made public.

~~~
rossng
This seems par for the course for their support. I tried to report that their
signup form automatically, silently deletes spaces from your password (!?).
After a painful process of trying to explain the issue, it was summarily
ignored.

They didn't really seem to understand that it was a bug.

~~~
beobab
Is noisily deleting passwords acceptable in your eyes?

(i.e. "Your password contains spaces, which is disallowed by our policy.
Please try again.")

~~~
rossng
It's annoying in either case. Passwords should be any string I want! You're
just going to hash it anyway.

I found it particularly egregious that Zoom's form auto-trims any spaces from
the end of the string - so they are deleted as you type with no feedback
(unless you happen to be watching the dots flicker).

~~~
iguy
Does it matter? I mean is there another way of entering this string which
preserves the spaces, or is deleting them just part of the hash function?

~~~
rossng
Yes, you can paste a string with internal spaces. I guess you can also disable
JS and type whatever you want. Passwords with spaces work absolutely fine, too
- it's just the signup form that is broken.

~~~
Faark
They probably had too many people accidentally copy-pasting strings with spaces
into the form. Like the good old "double click to select a word" also picking
up the space after the word.

The reason I can empathize with your complaint is that it is highly unlikely
they are able to keep those restrictions consistent across all password forms &
login methods.

------
tracker1
Tech executive changes stance after very public embarrassment that could
impact their bottom line. If they didn't get the backlash, they would have
kept their course.

There's not really much "willing to accept responsibility" here as far as I'm
concerned.

~~~
PunksATawnyFill
Exactly. My company is actively shopping for a conferencing tool, and Zoom
just ensured that it's eliminated.

~~~
ajna91
Anger is certainly justified, but it should give way to reconciliation once
the offending party truly repents.

Do we want a world of people who change their ways, even if for somewhat
impure reasons, or a world in which no one ever does because it's pointless?

~~~
irq
They haven’t repented yet, though. Read their response.

~~~
bscphil
I don't understand, is there something specific you're referring to? From the
article it looks like they're even removing the local web server.

------
vinay_ys
Let us be clear. Running a local helper agent that accepts properly formatted
requests (includes authn/authz) to provide a valid expected functionality is a
perfectly valid architectural choice for a full-fledged desktop computer and
we shouldn't throw out this capability.

The mistakes I see here are:

- UX Dark Patterns – making uninstall hard/duplicitous

- Helper process having security vulnerability - unauthenticated requests,
providing unnecessary privileged operations like update/reinstall etc.

- Providing the control of participant video on/off to meeting host

- Not acknowledging the mistakes quickly and fixing them fast. Being
defensive and using 'others do it too' excuse.

Also, in an internal fight for resources/prioritization and just plain
philosophical alignment between security vulnerabilities vs UX funnel
optimization (reduce number of clicks), in a company like Zoom, I am not at
all surprised that the UX side always won and the security side lost and it
took public pressure to shift the balance. Anyone here who has been in this
situation knows what I'm talking about.

Unless the cost equation changes, it is hard to get business users to change
their priority – from their perspective, they didn't understand what the heck
their internal security guy was talking about. It would have been one
person/security-team who they normally don't interact with. So why will they
listen to that guy over the UX Product guy who they interact with daily, who
they see as the one who built the hockey stick growth in their customer NPS
scores and that guy wasn't happy about adding the extra click back.

So, the only workable answer I see is public outrage like this (still not very
scalable or consistent) and better yet, legal protections/regulations that
make it extremely expensive for companies to ignore this stuff.

~~~
colechristensen
Helper agents are dark patterns.

Unless installing an always running service on my device is directly related
to the intended functionality of your software, setting one up is unwelcome
and deceptive. Especially when it is done to work around existing security
controls.

~~~
vinay_ys
I disagree with declaring all helper agents as dark patterns.

From a regular user point of view, it would be acceptable to have a helper
agent as long as it follows:

- platform provided background process methodology (example: launchd could
launch your process when you hit the socket),

- and it is made clearly apparent that such a thing is installed on your
system (say, via system preferences panel, via status bar icon menu, and via
in-app preferences panel),

- and it does cleanly uninstall as part of a simple standard regular
uninstall.

And from a technical/security point of view, it would be acceptable if it:

- has minimal necessary privileges and proper separation of concerns.

- and does only what it needs to provide a user-expected functionality and
doesn't do random egregious things.

- has secure ways to allow only expected/authorized caller to talk to it.

- does not violate any platform guidelines or try to circumvent
protections.

~~~
LaGrange
> From a regular user point of view, it would be acceptable

It would be not, stop pretending acquiring consent from a statistical model
counts as acquiring consent from the actual user.

Thing you wrote may make it acceptable for you, but certainly ain't sufficient
for me.

~~~
vinay_ys
> It would be not, stop pretending acquiring consent from a statistical model
> counts as acquiring consent from the actual user.

I don't know what you are referring to here. Care to elaborate?

> Thing you wrote may make it acceptable for you, but certainly ain't
> sufficient for me.

This isn't about individual taste. Nothing I wrote above was about my personal
taste. My point was about differentiating between the OS provided valid
architectural mechanisms vs surreptitious dark patterns applied on top of it
by an application developer.

~~~
LaGrange
> I don't know what you are referring to here. Care to elaborate?

You make assumptions about individual user's consent from whatever bulk
experiences you might have measured. Either that, or you didn't even measure
anything and therefore you're just making things up about what's "acceptable."

> This isn't about individual taste.

Who said anything about taste, it's about individual boundaries.

> My point was about differentiating between the OS provided valid
> architectural mechanisms vs surreptitious dark patterns applied on top of it
> by an application developer.

First, that's a word salad. Second, after untangling it, I'm pretty sure you
mean "if there's a mechanism in the OS that enables this then it's okay", in
which case that's even more absurd than the usual "if it's legal then it's
okay." Look, even Zoom's "let's leave a tray icon there when you thought you
quit the app, without putting up a honking huge notice that you just did that
like a decent app usually does" is more about having a way to disavow
("see, we did leave a notification, lol") than actually ethical design. That's
the _essence_ of a dark pattern.

Seriously, though, you're being creepy and advocating pushing people's
boundaries here.

------
notafraudster
Of the main facets of the problem, the vulnerability bothered me less than
their obviously poor attitude towards fixing it in a responsible timeline, and
that bothered me less than the discovery that they were running an
always-active webserver to assist call launches and reinstallation.

Is that a common thing that programs do? Should I be expected to portscan
myself frequently to see if software is unexpectedly running web servers? How
much battery am I losing to this stuff?

~~~
graeme
The verge article mentions it's reasonably common and mentions some programs
that do it.

From the article, a tweet

--------

They are far from alone, a quick `lsof -i | grep LISTEN` shows that I have:
Spotify, Keybase, KBFS, iTunes, Numi,
[https://t.co/MVSAJgN9yY…](https://t.co/MVSAJgN9yY…) All running locally
listening web servers.

— Matthew Gregg (@braintube) July 9, 2019

~~~
asveikau
Did they just imply that every listening socket is a web server?

~~~
svenfaw
They are mixing apples and oranges indeed.

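The `lsof -i | grep LISTEN` one-liner in the tweet above lists every listening socket, and the point raised in reply is that a listener is not necessarily a web server. As an added example (not from the article or from anyone in this thread), the Python script below parses the numeric form of that listing (`lsof -i -P -n`) and then asks each listener whether it actually answers a minimal HTTP request; the lsof sample, its process names and the local listeners it spins up are all constructed for the demo, and the 19424 port simply mirrors the `lsof -i :19424` check quoted later in the thread.

```python
"""Inventory local TCP listeners and check which of them actually speak HTTP."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of `lsof -i -P -n` output (not captured from a real host);
# process names are placeholders. Only LISTEN-state TCP sockets matter here.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
Helper    4321 alice   4u  IPv4 0xabc1      0t0  TCP 127.0.0.1:19424 (LISTEN)
Spotify   2345 alice  12u  IPv4 0xabc2      0t0  TCP *:57621 (LISTEN)
node      7777 alice  20u  IPv6 0xabc3      0t0  TCP [::1]:8080 (LISTEN)
mDNSRespo  101 root    5u  IPv4 0xabc4      0t0  UDP *:5353
Safari    3000 alice  33u  IPv4 0xabc5      0t0  TCP 10.0.0.5:50123->203.0.113.10:443 (ESTABLISHED)
"""


def parse_lsof_listen(text):
    """Return (command, pid, host, port) for every TCP socket in LISTEN state.
    Header, UDP and established-connection lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[-1] != "(LISTEN)" or parts[-3] != "TCP":
            continue
        host, port = parts[-2].rsplit(":", 1)      # "[::1]:8080" -> "[::1]", "8080"
        listeners.append((parts[0], int(parts[1]), host.strip("[]"), int(port)))
    return listeners


def classify_banner(data):
    """Classify the first bytes a listener sent back after a minimal GET."""
    if not data:
        return "silent"
    return "http" if data.startswith(b"HTTP/") else "other"


def probe_http(host, port, timeout=1.0):
    """Connect, send a minimal HTTP/1.0 GET and classify the reply.
    Wildcard binds (*, 0.0.0.0, ::) are reached through loopback."""
    target = "127.0.0.1" if host in ("*", "0.0.0.0", "::") else host
    try:
        with socket.create_connection((target, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            data = sock.recv(256)
    except socket.timeout:          # connection accepted, but nothing came back
        return "silent"
    except OSError:                 # refused, unroutable, reset
        return "unreachable"
    return classify_banner(data)


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the demo quiet
        pass


def demo():
    """Constructed local listeners: a real HTTP server, a socket that listens
    but never answers (like a non-HTTP daemon), and a port nobody listens on."""
    httpd = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    mute = socket.socket()
    mute.bind(("127.0.0.1", 0))
    mute.listen(1)
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()
    results = {
        "http": probe_http("127.0.0.1", httpd.server_address[1], timeout=2.0),
        "mute": probe_http("127.0.0.1", mute.getsockname()[1], timeout=0.5),
        "closed": probe_http("127.0.0.1", closed_port, timeout=0.5),
    }
    httpd.shutdown()
    mute.close()
    return results


if __name__ == "__main__":
    for cmd, pid, host, port in parse_lsof_listen(SAMPLE_LSOF):
        print(f"{cmd:<10} pid={pid:<6} {host}:{port}")
    print(demo())
```

On a real machine, feed the output of `lsof -i -P -n` to `parse_lsof_listen` and call `probe_http` on each row; anything reported as `http` is a genuine local web server, the rest are ordinary listeners.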
------
anaphor
This is why full disclosure is so effective. Nothing else works quite like
dropping a full PoC and details of an exploit publicly to light a fire under
their ass to fix it.

~~~
olliej
Well it’s an argument for responsible disclosure - you tell them, give them
plenty of time to fix it, and publish.

But responsible disclosure absolutely does not mean “no disclosure”. It means
give them a chance to fix it. If they choose not to you disclose so that
people know that they need to take steps to protect themselves.

The important thing is that the disclosure _must_ become public. It doesn’t
matter that they pushed an update, as none of the victims who had
deleted/“uninstalled” zoom will get the update, and without the update they’ll
still be running the server.

The only way anyone would know about it is with the details being public.

I’m waiting for Apple to use XProtect to kill the server on all machines, as
that’s the only true solution for the uninstalled victims.

~~~
lawnchair_larry
Responsible disclosure doesn’t mean anything. It’s an obsolete term. You’re
referring to coordinated disclosure.

[https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coor...](https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force/)

~~~
gok
This case is actually a really great demonstration of why this often-repeated
claim is false. This was responsible, but not coordinated, disclosure.

~~~
lifthrasiir
Only in the literal sense. A commonly cited issue with the term "responsible
disclosure" is that the discoverer is responsible for one's action, even
though the action indeed benefits the public. In this viewpoint the vendor can
argue that it is not responsible to ignore the vendor, even though the vendor
itself is being unreasonable. The term "coordinated disclosure" was invented to
fix this abuse. You can't literally interpret "responsible" or "coordinated"
without this context.

------
Jedi72
The security flaw isn't even the outrageous part. It was secretly installing
webservers that don't even remove themselves when you uninstall the app that
makes them scum.

~~~
oil25
> It was secretly installing webservers that don't even remove themselves when
> you uninstall the app that makes them scum.

To be fair, dragging an "app" to Trash does not constitute un-installation. It
was a poor design decision to implement features using a local web server, but
let's not be so quick to attribute covert, malicious intentions.

~~~
diegoperini
> To be fair, dragging an "app" to Trash does not constitute un-installation.

Dragging an app to Trash MUST constitute uninstallation. If it doesn't, it is
a bug.

Leaving configuration files in the home folder for easier on-boarding after a
reinstall is not the same thing as leaving a self-replicating rootkit running
all the time.

> It was a poor design decision to implement features using a local web
> server, but let's not be so quick to attribute covert, malicious intentions.

Zoom, with all its advertised features, works like a charm from the user's
standpoint. It is not that easy to craft such seamless video conferencing apps
which makes me believe the team behind it is formed by really experienced
people. If this assumption is true, "the poor decision" is actually the true
intention and is probably a feature in case zoom needs to install extra
software on my device when their business needs change. It feels more like a
back up plan than a dirty hack.

In my humble opinion, experts ignoring the ethical consequences of such
decision are dangerous to society and their intention can be considered
malicious if not criminal.

I'm sick of seeing the blame always belonging to the business people. Unless
taken hostage and forced to act despite not giving consent, the developer
should be equally responsible. We don't treat murderers, burglars and scammers
the same when they work under a boss.

P.S.: I probably strawmanned your answer to express my own opinion. English
isn't my native language, sorry if my words sounded offensive.

~~~
javagram
There are plenty of Mac apps where dragging the app to the trash doesn’t
uninstall them.

Unlike windows which has the add/remove programs control panel there isn’t
really a standardized way to uninstall things on Mac. (I think you can make a
.pkg uninstaller but it’s rare to see that)

I went through the launch agents and launch daemons on my personal computer a
few months ago and found plenty of obsolete stuff that was hanging around even
after I no longer had whatever the associated app was installed.

------
migueltarga
RingCentral Meetings still vulnerable:

lsof -i :19424

[https://www.ringcentral.com/whyringcentral/company/pressrele...](https://www.ringcentral.com/whyringcentral/company/pressreleases/ringcentral-and-zoom-video-communications-announce-multi-yea.html)

~~~
russb
For those unaware, RingCentral white-labels the zoom.us product as their
meeting solution.

~~~
hnzix
Ironically, RingCentral's convention schwag includes a stick-on laptop lens
shutter.

------
smaili
> But we also recognize and respect the view of others that say they don’t
> want to have an extra process installed on their local machine. So that’s
> why we made the decision to remove that component — despite the fact that
> it’s going to require an extra click from Safari.

Am I reading this correctly, their CIO believes it's the "extra process" that
people are concerned about -- _not_ the webcam vulnerability?

~~~
Bluestrike2
Amusingly enough, they never actually describe that part as a vulnerability in
their blog post. It's a "concern" about a "seamless join process." The word
only gets used with regards to the DoS vulnerability, which is only part of
the problem. I get the need to at least try and spin things, but it's kind of
obvious in this example. And given how people tend to get antsy when they
start thinking about possibly being spied on through their webcams,
downplaying it is probably counterproductive.

------
dangoor
Amusingly enough, the standard menu position for Quit on the Mac is at the
bottom of the menu… _now_ the Uninstall Zoom option is at the bottom of the
menu, making it easy to accidentally invoke if you're used to selecting the
last item there to quit. (I happened to have my hand on the mouse rather than
keyboard at the time… normally I'd just cmd-Q).

~~~
Corrado
Wow, I just checked and you are absolutely correct. How is it this hard for
companies to check the Apple HIG for this type of thing?

------
olliej
This is why no researcher should sign an NDA after doing volunteer work for
a for-profit Corp.

If the reporter had agreed to the NDA required for the bug bounty, Zoom could
have - and based on their earlier responses, would have - continued to ship
this malware. But then, because the researcher signed an NDA, they wouldn’t be
able to inform the at-risk public.

~~~
adtac
Will shenanigans like this (declaring a security breach as not a security
breach) be caught and fined under GDPR? According to the regulation, companies
need to declare breaches in under 72 hours without undue delay, but Zoom
left this unpatched for months!

~~~
olliej
As a non-lawyer forum commentator I can say with absolute correctness that it
will (or will not) maybe apply.

More seriously: I would guess no, as the GDPR is concerned with data
collection and compromise, but I can’t imagine they store all the video they
forward.

Of course I wouldn’t be surprised if someone sues them in the US (but given
that the US sees companies as people for rights, but not punishment I imagine
that they’ll be fine).

~~~
irq
“Can say”? Did you mean to write “cannot say”?

~~~
baq
it doesn't matter, that's the joke

------
dang
The earlier discussion is at
[https://news.ycombinator.com/item?id=20387298](https://news.ycombinator.com/item?id=20387298).

~~~
azernik
Specifically - OP is just the news that Zoom agreed to make the changes the
security community demanded. Previous discussion is root discussion of the
issue itself and of the Zoom response more generally.

------
kerng
With their incompetent behavior they put a big target on their back now for
security researchers. In the end it's good for consumers since more issues will
be found and promptly fixed. So kudos to the reporter!

------
tompic823
What about users who had previously uninstalled the Zoom client? Must they now
reinstall Zoom in order to be able to fully remove it? Surely there are users
that won’t perform the manual update and will remain vulnerable indefinitely.

~~~
jdlshore
Although I agree having an active webserver with dubious security controls is
a problem, the vulnerability as we know it today installs Zoom... and this new
version of Zoom uninstalls the webserver. So it is (or at least could be) a
self-patching vulnerability.

------
diafygi
I'm confused. Does the patch now make it to where if you drag the app to the
trash, it actually uninstalls?

~~~
oil25
A macOS "app" is just a directory with an executable binary and some
convenient helper files for Finder. Dragging it to the trash does not remove
artifacts, such as logs, supporting binaries, even methods of persistence,
which may get placed somewhere else on the filesystem as part of a typical
installation. This is not unique to Zoom or even Apple operating systems.

~~~
yoz-y
One thing I'd like to see (and this is definitely doable on the macOS side) is
that if you trash a .app, the OS would automatically revoke all permissions to
it.

If this were done then even with the sneaky reinstalling, the user would be
alerted by a system dialog requesting access to their webcam.

~~~
o-__-o
If you have a kext kernel driver to implement generic access to video input
subsystems (think v4l) then why exactly would the user be alerted if the
developer didn’t add the feature?

Read: anyone can write a kernel driver for macOS, you are too trusting of your
software vendors. Get a hardware switch

~~~
yoz-y
> anyone can write a kernel driver for macOS

No they can't. With SIP you won't be able to install it if it is not signed
(for kernel extensions only a very few developers have certificates) and in
any case you will be alerted about it. Also there are plans to completely
disallow making kernel extensions in the release after Catalina (since they can
now run in userspace, I imagine that userspace will not get access to
pre-installed hardware).

------
yumraj
I wonder if instead of the usual 90-day notice a slightly better approach
would be an initial partial public disclosure of the issue, without divulging
the actual exploit, and the fact that it had been communicated to the company
so that a public countdown of the 90-day window can happen.

The exploit can then be divulged to the public, automatically, on the
expiration of the 90-day window, regardless of whether it's fixed or not, as
that may also be educational.

For example, after this Zoom issue other companies will hesitate to use a
localhost webserver, but if the issue had quietly been fixed by Zoom other
companies may still have been tempted to use a similar approach.

~~~
enneff
More often than not announcing the existence of a vulnerability is enough to
motivate people to find it. It’s much easier to find something that you know
is there than to just experiment blindly.

~~~
yumraj
Fair enough, but that can be countered by very minimal disclosure in the
beginning, just that a vulnerability exists and it has been notified.

Even if we don't do that, I think we should at least reveal the issue after
it's been fixed in all the cases so that other entities can learn from that.

------
tablethnuser
I uninstalled this software yesterday and it's not going back on my machine.

I have the same criticisms as others do about a company like Zoom that only
responds to security issues after they wait-and-see if it will impact the
bottom line. And that quick peek behind the curtain where their own employees
view this as a "PR crisis" (their exact words in the article) rather than
something more tells me everything I need to know about their leadership's
DNA. Buyer beware.

------
jbverschoor
This is why I love the appstore and forced sandboxing. I hope adobe will
finally use the appstore for once. Glad that office is using it. No more buggy
updater apps.

~~~
latexr
Adobe has been using the App Store for years[1], but not for the Creative
Suite apps.

[1]: [https://apps.apple.com/us/developer/adobe-inc/id331646274](https://apps.apple.com/us/developer/adobe-inc/id331646274)

~~~
jbverschoor
For iOS because they have no other choice. I’m talking about macOS and their
crapware updater and licensing apps

~~~
latexr
Scroll down. You’ll see they also have apps on the Mac App Store.

------
aarbor989
I could be wrong, but it looks like they are doing a server-side redirect to
their custom zoommtg:// URI protocol now instead of making a call to the
localhost server. Couldn't anyone still drop this on their website and force
you to join through a redirect just as zoom is? I don't see how that
particular concern of the disclosure could be avoided unless browsers force
confirmation, as Safari has done.

~~~
AgloeDreams
MacOS as a whole forces confirmation on deeplinks. The old solution skipped
the OS confirmation dialog.

~~~
aarbor989
Hmm..but I'm not getting a confirmation prompt on Firefox or Chrome? Visiting
a zoom link in either of those browsers takes me directly into the meeting

~~~
javagram
Safari 12 forces the confirmation, not all browsers.

------
code4tee
The Zoom security team has a lot to answer for on this one. They subverted
built in security to only then fall victim to the very thing that would have
been stopped by what they subverted.

Good on Zoom to do a rapid course reversal here although naturally trust is
now damaged given they only came to their senses under strong public pressure.
Also a good case study of how putting “user experience” over security can come
back to burn you.

------
tambourine_man
The more I think about it, the more I come to the conclusion that we need a
mixed computing paradigm.

For many tasks (probably most and certainly for most people) the iOS model is
the best.

It is, however, way too restrictive for a number of use cases. Prohibitively
so.

Imagine two very different and isolated environments. Terminal, compilers,
file managers in one, most other software in the other. With perhaps shared
folders between them.

~~~
ben0x539
And then every clown shop would insist that you install their agent program
inside the trusted partition.

------
gdfiutyer
Does anyone know if this issue (and the BlueJeans one) would only affect the
current user account?

I currently have a separate limited user account just for meetings, and that’s
where I install various meeting apps. So in my case is there any way to know
if it affected all my accounts or just the one?

------
nisten
Yawn... Call me when they actually go through their corporate ladder and fire
everyone who thought this was a good idea in the first place. If those same
managers are still in place, there's no reason for me to ever trust this
software again.

------
pcx
Good to see that they’ve turned around and fixed this issue the right way. I
was gonna stop using Zoom otherwise.

~~~
aaomidi
You should anyway. They had 90 days to do this, they didn't.

Incompetent company. Incompetent management.

~~~
o-__-o
Dat IPO lyfe.

Investors got their money, what’s the problem here?

------
fareesh
Is there any scope for legislation mandating that cameras have a hardware
button to turn off?

------
pluc
Cheat, repeat until caught, then lie.

------
hexo
They should have kept doing guitar effects and not bugged others' computers. Or
chosen a name not already taken.

