Last week a pretty serious bug was revealed in Zoom’s video conference app — a “feature” that could allow websites to forcibly join users to Zoom calls without their knowledge or consent. To make matters worse, due to the way Zoom was installed on macOS, it would be possible for this flaw to be exploited even by those users who thought they had completely removed the Zoom app.
While Zoom originally defended its behaviour as important for a seamless user experience by minimizing the number of clicks and confirmations required to join a video call, the company eventually relented and patched the specific flaw while also backpedaling on some of the more hidden background features that allowed the flaw to be exploited in the first place.
Unfortunately, while that seems to close the book on the issue in the actual Zoom app, the saga isn’t quite over yet, as security researcher Karan Lyons reports.
Zoom Isn’t the Only App That Uses Zoom’s Technology
The problem is that Zoom’s technology is used in at least two other video calling products: RingCentral and Zhumu (basically a licensed Chinese version of Zoom).
It’s possible that other “white label” implementations of Zoom also contain the same flaw, since Zoom licenses its technology to a variety of third-party apps.
As reported by BuzzFeed News, RingCentral is used by over 350,000 businesses. It’s unclear how many users Zhumu has, or what other products may also be using Zoom’s technology. As Lyons notes, it’s a fairly standard practice to license key software technologies to other developers — a process known as “white labelling” — but the downside of course is that if the original provider has an issue with its code, every developer that repackages that product is going to have the same issue.
“If a lettuce producer has an E. coli outbreak, everyone who resells that lettuce under myriad brands in stores, or uses that lettuce in their sandwiches now also has vulnerable customers.”
Karan Lyons, Security Researcher
How to Make Sure You’re Safe
For its part, RingCentral has released an update for its macOS app and is urging all customers to install it. The update patches the specific flaw and removes the hidden web server — the same hidden component that plagued the original Zoom app. However, as with the Zoom app, former RingCentral users who have already uninstalled the app will still have the web server lying around. The simplest solution would seem to be to reinstall RingCentral, apply the patch, and then uninstall it again, although Lyons has offered a more technical fix for those who would prefer to eradicate the RingCentral/Zoom web server without having to reinstall the app.
More critically, however, Zhumu has not released any patch for the security flaw, nor offered any comment on the issue. The fix posted by Lyons will handle the removal of Zhumu’s hidden components, but users should also uninstall the app entirely until the company releases its own patch.
Note that Apple also released a system update for macOS that eliminated the problem with the original Zoom app; however, this update does not remove the repackaged versions of Zoom’s technology found in RingCentral, Zhumu, and others, since each app uses its own name for the Zoom components (for example, the original Zoom lives in a hidden directory named “.zoomus”, while RingCentral uses a hidden directory named “.ringcentralopener” and Zhumu uses “.zhumuopener”).
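Because Apple’s update only knows about the original “.zoomus” directory, a quick way to check whether a white-label leftover is still present is to look for the other directory names the article lists. The script below is an added example for this article, not Lyons’ fix or any vendor’s tool: it checks a home directory for the three directory names named above and can remove any it finds. The function names and the home-directory argument are this example’s own; other white-label builds may use directory names not covered here.

```shell
#!/bin/sh
# Added example (not part of the article, Lyons' fix, or any vendor tool):
# report, and optionally remove, the hidden "opener" directories that Zoom
# and its white-label builds leave behind in a macOS home directory.
# Directory names are the ones the article lists; everything else here is
# this example's own naming.
set -eu

# Hidden directories named in the article. Other white-label builds of
# Zoom may use different names, so an empty result is not proof of a clean system.
OPENER_DIRS=".zoomus .ringcentralopener .zhumuopener"

# find_leftover_openers HOME_DIR
# Prints the full path of each leftover directory that exists, one per line.
find_leftover_openers() {
    home_dir="$1"
    for d in $OPENER_DIRS; do
        if [ -d "$home_dir/$d" ]; then
            printf '%s\n' "$home_dir/$d"
        fi
    done
}

# count_leftover_openers HOME_DIR
# Prints how many leftover directories were found (0 if none).
count_leftover_openers() {
    find_leftover_openers "$1" | wc -l | tr -d ' '
}

# remove_leftover_openers HOME_DIR
# Deletes every directory reported by find_leftover_openers. Run this only
# after the corresponding app has been patched or uninstalled, as the
# article recommends; it does not touch the app bundle itself.
remove_leftover_openers() {
    find_leftover_openers "$1" | while IFS= read -r path; do
        rm -rf "$path"
        printf 'removed %s\n' "$path"
    done
}

# Usage as a script: `sh check_openers.sh --check` inspects the current
# user's home directory and only reports; nothing is removed unless
# remove_leftover_openers is called explicitly.
if [ "${1:-}" = "--check" ]; then
    n=$(count_leftover_openers "$HOME")
    if [ "$n" -eq 0 ]; then
        echo "no leftover opener directories found in $HOME"
    else
        echo "found $n leftover opener directories in $HOME:"
        find_leftover_openers "$HOME"
    fi
fi
```

The check is deliberately read-only by default: on a machine where the app is still installed and unpatched, deleting the directory alone does not fix the app, so the report is meant to tell you which vendor’s update (or uninstall) you still need to apply.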
A RingCentral spokesperson acknowledged the flaw in its software and said that the company took “immediate steps” to address the issue, adding that it’s not aware of any customers impacted by the flaw. Zhumu has not responded to requests for comment, and it’s unclear what other white label versions of Zoom might still be at large that have not yet been identified. Users concerned about the possibility of being spied on may therefore want to ensure that they’ve removed any video conferencing apps they may have installed from lesser-known software companies, and it can’t hurt to cover your webcam too if you want to play it safe.