Update: Apple is pushing a new security update to remove these webservers too.
The Mac webcam hijack flaw discovered in the Zoom video conference app is also present in RingCentral and Zhumu.
The evidence also suggests that the same vulnerability will exist in other Mac video conferencing apps …
Apple pushed a silent security update to macOS to remove the local webserver installed by Zoom, but it does not remove those installed by RingCentral and Zhumu.
Security researcher Jonathan Leitschuh, who discovered the issue in Zoom, speculated that the Mac webcam hijack vulnerability was likely present in RingCentral too. Fellow researcher Karan Lyons has now confirmed this.
As TNW notes, this is because both apps use the same underlying code.
A ‘white label’ app is essentially a complete copy of an established app, but rebranded for a client company. It has a different name and may have a slightly different user interface, but because the core code is the same, it will generally have the same vulnerabilities as the original.
As Lyons notes, Zhumu is not the only white label version of Zoom, so there are likely other Mac videoconferencing apps out there with the same flaw.
The problem is that the apps create a local webserver which runs in the background, and persists even after the app itself is removed. If you click on a weblink (which may be disguised as a link to something innocuous), it activates your webcam and joins you to the video conference.
Apple’s update only removes the webserver created by Zoom itself.
RingCentral has issued an emergency patch.
There’s no known patch as yet for the Mac webcam hijack flaw in Zhumu. However, Lyons has provided a set of three Terminal commands which will kill and remove the webservers, and prevent them being reinstalled.
Users will be prompted to download RingCentral Meetings MacOS app v7.0.151508.0712.
All users that have installed RingCentral Meetings on MacOS should accept the update. Please ensure that all RingCentral Meetings MacOS versions prior to v7.0.151508.0712 are removed.
RingCentral is continuing to work on addressing the General Concern related to “Video ON Concern” for additional platforms. We will continue to provide updates.
Lyons notes that while Apple’s own update addresses Safari, things get more complicated if you use Chrome or Firefox as your default browser.
These three commands do the same thing for the three most popular white labels of Zoom (Zoom, RingCentral, and Zhumu). They remove the web server if it exists at the hidden directory , and create an empty file and set permissions on it such that the hidden server cannot be reinstalled back to that location. Finally they kill the server if it is running.
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
She provides instructions for dealing with these browsers.
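To confirm that the three cleanup commands above took effect, the following check (an added example, not from Lyons or the original article) reports for each app whether the hidden path is still a directory, has been replaced by a non-writable placeholder file, and whether the helper process is running. The function names are hypothetical; the paths and process names are the ones used in the commands.

```shell
#!/bin/sh
# Added example: audit the state left behind by the three cleanup commands.
# Paths and process names come from the commands on this page;
# the function names are hypothetical.

# Classify one hidden path: absent | installed | blocked | writable | unexpected
opener_path_state() {
    p=$1
    if [ -L "$p" ]; then
        echo unexpected            # symlink: neither server directory nor placeholder
    elif [ -d "$p" ]; then
        echo installed             # hidden directory is still present
    elif [ -f "$p" ]; then
        # Placeholder file. Read the mode string from ls so the check works the
        # same on macOS and Linux and does not depend on which user runs it.
        mode=$(ls -ld "$p")
        case $mode in
            -?-??-??-?*) echo blocked ;;    # no write bit set (for example 555)
            *)           echo writable ;;   # placeholder could be replaced
        esac
    elif [ ! -e "$p" ]; then
        echo absent                # nothing there, and nothing blocking a reinstall
    else
        echo unexpected
    fi
}

# Report whether a helper process is running: running | stopped | unknown
opener_proc_state() {
    command -v pgrep >/dev/null 2>&1 || { echo unknown; return 0; }
    if pgrep "$1" >/dev/null 2>&1; then echo running; else echo stopped; fi
}

# Print one line per app: "<path> <path-state> <process> <process-state>"
audit_openers() {
    home=${1:-$HOME}
    for pair in .zoomus:ZoomOpener .ringcentralopener:RingCentralOpener \
                .zhumuopener:ZhumuOpener; do
        target=$home/${pair%%:*}
        proc=${pair#*:}
        echo "$target $(opener_path_state "$target") $proc $(opener_proc_state "$proc")"
    done
}

audit_openers "$HOME"
```

After the cleanup commands have run, every line should read `blocked` for the path and `stopped` for the process; `installed` or `running` means that app's webserver is still in place.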
Physical webcam covers are looking like an increasingly smart idea.