Continue Reading Below
Software engineer Jonathan Leitschuh wrote a blog post about an issue he claims he found in the Mac version of the Zoom app that could allow someone to force someone else to join a video call.
Leitschuh identified a line of code he said an attacker could embed in a website to cause any Zoom user to instantly connect to a call with their video running. Also, he alleged an “incredibly sketchy” feature allows Zoom to reinstall itself on a computer it had previously been installed on “without any user interaction.”
The issue is related to a feature that allows a host to decide whether call participants’ video will be on or off when they connect, as well as another which allows a call host to send participants a link that opens Zoom to the call, according to Leitschuh.
“I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely,” he wrote. “Come to find out, it really hadn’t been implemented securely.”
In a response to Leitschuh’s findings, the company said it had “no indication” a Zoom user had ever unintentionally joined a meeting.
Zoom said its users have control over their own camera and microphone settings.
“To be clear, the host or any other participant cannot override a user’s video and audio settings to, for example, turn their camera on,” the company said, adding that it takes security concerns related to its products "very seriously."
Leitschuh claimed the vulnerability could still be exploited, despite saying he alerted Zoom to the vulnerability in March. He said the company “failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner.”
"Once this particular issue was brought to our Security team’s attention, we responded within 1 hour, gathering additional details, and proceeded to perform a risk assessment. Our Security and Engineering teams engaged the researcher and were in frequent contact over a period of several weeks," Zoom added.
Zoom said its security and engineering teams were in contact with Leitschuh, but they disagreed about the severity of the issue. An upcoming update will involve saving a user’s video preferences from their first Zoom meeting and applying them to all future calls. Users will be able to change their settings to turn off video when joining future meetings, the company said.
Shares in Zoom Video Communications Inc. dipped Tuesday after Leitschuh released his report. Zoom held its IPO in April, and its share price was still up by more than 30 percent from its Nasdaq debut.
|ZM||ZOOM VIDEO COMMUNICATIONS INC||65.05||-1.03||-1.56%|
In June, Zoom reported Q1 revenue of $122 million, which it said was up 103 percent year-over-year. Company leaders said they expected total revenue between $535 million and $540 million for the year.