Response to Video-On Concern
Please visit our Wednesday, July 10 blog post for more recent updates on this matter.
[UPDATE 2:35 pm PT, Tuesday 7/9] The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.
[UPDATED 1:15 pm PT, Tuesday 7/9] We appreciate the hard work of the security researcher in identifying security concerns on our platform. As a result, we have decided to make the updates to our service. Here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend:
JULY 9 PATCH: The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” Clicking that button will completely remove Zoom from the user’s device along with the user’s saved settings.
PLANNED JULY RELEASE: Additionally, we have a planned release this weekend (July 12) that will address another security concern: video on by default. With this release:
1. First-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings.
2. Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.
[UPDATED 11:05 am PT, Tuesday 7/9] To be clear, Zoom honors the user’s video settings. If the user has checked the video OFF option in their user setting, the host or any other participant cannot override the user’s video preferences. There is only one scenario where a Zoom user’s video is automatically enabled upon joining a meeting. Two conditions must be met: 1) The meeting creator (host) has set their participants’ video to be on AND 2) The user has not checked the box to turn their video off.
[UPDATED 8:20 am PT, Tuesday 7/9] We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client. The user needs to manually locate and delete those two apps for now. This was an honest oversight. As such, by this weekend we will introduce a new Uninstaller App for Mac to help the user easily delete both apps.
THE ZOOM VIDEO-ON EXPERIENCE
Video is central to the Zoom experience. Our video-first platform is a key benefit to our users around the world, and our customers have told us that they choose Zoom for our frictionless video communications experience. That said, we know that not all users want their video on, so we provide them with control over their camera and microphone settings. All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at any time.
To be clear, the host or any other participant cannot override a user’s video and audio settings to, for example, turn their camera on.
This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed. Of note, we have no indication that this has ever happened.
In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.
There are two matters also brought up in this inquiry that deserve to be addressed.
First, a local denial of service (DOS) vulnerability for Mac devices. In this vulnerability, a hacker could potentially target a Mac user who already has Zoom installed with an endless loop of meeting join requests, effectively causing the targeted machine to lock up. Again, we have no indication that this ever happened. We released a fix for this in May 2019, though we did not force our users to update because it is empirically a low-risk vulnerability.
Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
Upon his initial communication to Zoom, the researcher asked whether Zoom provides bounties for security vulnerability submissions. Zoom invited the researcher to join our private paid bug bounty program, which he declined because of non-disclosure terms. It is common industry practice to require non-disclosure for private bug bounty programs.
Once the issue was brought to our Security team’s attention, we responded within ten minutes, gathering additional details, and proceeded to perform a risk assessment. Our determination was that the DOS issue and the meeting-join-with-camera-on concern were both low risk because, in the case of DOS, no user information was at risk, and in the case of meeting join, users have the ability to choose their camera settings. Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period. This engagement included disagreement about the severity of the meeting join concern. Ultimately, Zoom decided not to change the application functionality, though as mentioned above, we will be saving the user’s desired camera settings after a Zoom user joins their first meeting from a particular device.
We are grateful to this researcher for raising these concerns. We recommend that any other security concerns be sent to our 24/7 support team via support.zoom.us. Currently, this initiates our private bug bounty program, wherein we pay researchers for information on product vulnerabilities based on severity. We acknowledge that our website currently doesn’t provide clear information for reporting security concerns. As such, in the next several weeks, Zoom will go live with its public vulnerability disclosure program, supplementing our existing private bug bounty program. With the program launch, our website will be updated with a web submission form for all security-related concerns.