Fallout from Zoom's massive webcam vulnerability continues. A report published today by security researcher Karan Lyons shows that the same flaw – which gave attackers easy access to laptop cameras and microphones – affects RingCentral, which is used by over 350,000 businesses, as well as Zhumu, the Chinese version of Zoom.
Both RingCentral and Zhumu license Zoom's technology. Lyons explained: "If a salad producer has an E. coli outbreak, anyone reselling lettuce under myriad brands in stores or using salad in their sandwiches will now also have vulnerable customers."
"White labeling is a quite common practice in this industry and others, and while it has its advantages, one of the disadvantages is that if a white-label vendor has a problem, all repackagings of the product now do too," Lyons added.
RingCentral released an update for users of the company's macOS app. The company encourages all customers to accept the update (v7.0.1).
Jyotsana Grover, a RingCentral spokesperson, said, "We recently learned of video-on vulnerabilities in the RingCentral Meetings software and we have taken immediate steps to reduce these vulnerabilities for all customers who may be affected." Grover added that the company is not aware of any customers affected by the flaw.
On July 10, Apple released a silent automatic update for Mac that removes the hidden Zoom web server and protects users from the vulnerability. That update does not remove the web server installed by RingCentral's or Zhumu's desktop apps. Apple and Zhumu did not immediately respond to BuzzFeed News' request for comment.
The flaw can be exploited through a Zoom feature called "Auto-Join." Zoom users can click a unique link to join a meeting automatically; the link prompts the Zoom app to open and places the user in the meeting. Security researcher Jonathan Leitschuh discovered that a short line of code – an iframe – embedded on a website can also force Zoom users into a meeting without any user action. Once the iframe is fully loaded, the Zoom desktop application opens automatically and the victim is placed in a meeting with (depending on their settings) their microphone and camera turned on – all without any action on their part.
This is possible because of a program, a local web server, that is designed to run constantly in the background and is installed automatically alongside Zoom's desktop application. The server "listens" for the iframe or for a click on the auto-join link and then asks the Zoom desktop application to open. The server was designed as a "solution" to a security change in Safari 12 that requires users to confirm launching Zoom before each meeting, a Zoom spokesperson said.
On July 9, Zoom released a patch that removes the local web server from Macs when the Zoom desktop application is updated, and that lets users manually uninstall Zoom, which also removes the web server. Previously, deleting the Zoom desktop application did not uninstall the web server.