SecureMac, Inc.

Checklist 145: Zooming on Through

July 11, 2019

On this edition of The Checklist: A look at the Zoom for Mac vulnerability, OpenID raises questions over Sign in with Apple, and the UK issues some big GDPR fines.

This week, a video calling bug dials up a host of excuses before a fix finally appears, the OpenID Foundation has a bone to pick with Apple, and we start seeing more real-world consequences of GDPR violations in Europe — will they make a difference? Let’s sneak a peek at our list to round up the topics we’ll cover for you, which include:

  • Zooming Around a Vulnerability
  • Raising Questions About Sign-In with Apple
  • The UK Hands Down Hefty GDPR Fines

If you’re ready to delve into the details of another Checklist, so are we! Let’s find out what you need to know this week. Unfortunately, it was a rough and rocky start for video conferencing app Zoom — here’s what went down. 

Zooming Around a Vulnerability

Zoom, one of the most popular pieces of software for video chatting and conference calls around, might not seem like the kind of thing that would represent a potential vulnerability. As it turns out, it was hanging onto a nasty exploit that could’ve been turned against practically any Zoom user, and it specifically affected those who installed the software on their Mac. CNET was one of the first to break the story with a description of the way the exploit worked before the release of a fix. Security researcher Jonathan Leitschuh went into greater detail as well.

The issue concerns one of Zoom’s core features, the “click to join” option that allows users to quickly and instantly jump right into a video call with other users in a virtually seamless operation. As convenient as it might have been, it was also a crack in the software’s security armor. According to a post made by security researcher Jonathan Leitschuh, the way “click to join” worked could set users up for a nasty surprise. 

According to Leitschuh, a malicious attacker looking to cause some chaos could create a webpage that would automatically trigger the “click to join” feature for an invalid call — over and over again, ultimately turning the attack into a denial of service. With the site continually trying to trigger calls that didn’t exist, your Mac might slow to a crawl or even become unusable. Worse still, uninstalling Zoom wouldn’t help matters. Leitschuh says that’s because, during the software’s initial installation, it drops its own web server onto your Mac — and that server can re-download and reinstall Zoom without any interaction on your part.

Hold up — hit the brakes. How could that be possible? We’ll answer that, but first, let’s start with a quick look at what web servers are since that’s fundamental to understanding what’s happening here.

Although you might think of a “server” as a standalone machine, that’s not necessarily true. A web server is really just a software application that provides access to web pages, handles URLs, and manages a few other connectivity-related tasks. It’s normal to have multiple servers doing various things on your computer, providing you with useful services in the background. It seems Zoom did something similar, creating its own client-side server to handle the Zoom software’s special URLs and to install updates automatically.

How could Zoom do that without users knowing about it? Well, it’s not exactly nefarious — a lot of apps install their own web servers, and it’s often because you’ve given the developers implicit permission by installing the software in the first place. According to Leitschuh, though, Zoom’s is particularly sticky, and even users who’ve long since uninstalled the software likely have the server hanging around. All it would take to reinstall Zoom would be to visit one of those aforementioned malicious webpages, and an attacker could make your afternoon very annoying.  

The good news — that’s no longer true, and the average Mac user is now completely safe from these concerns, even if you are or once were a Zoom user. We’ll get to why that is in a moment, but let’s continue tracing the evolution of this story, because Zoom put on a clinic on how not to respond to a problem. When word first broke, the company’s response was to double down, saying on their official blog:

Zoom installs a local web server on Mac devices running the Zoom client… This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.

In other words, “We don’t like the way Apple has things set up, so we worked around it instead.” Zoom went on to claim that they could not remove the web server. Twenty-four hours of bad press later, though, their story changed, and they announced that a patch would be forthcoming to more fully address the potential exploit that could turn on webcams, and to remove the web server itself.

While it’s understandable that the product engineers would want to create a good user experience, they broke a lot of rules along the way to get there — and when someone pointed out that breaking those rules wasn’t a good idea, their response left something to be desired. In fact, Zoom continued to insist that they had no easy way to fix the problem even on the same day in which they later released a fix. We just don’t buy the idea that they created software they couldn’t fix.

There’s good news, though: you don’t need to do anything to remove the problematic web server, because Apple has swooped in on its own. The Cupertino company said that an automatic update already pushed out to all Macs removed the web server. So that’s nice, right?

Raising Questions About Sign-In with Apple

Remember Sign-In with Apple, the new log-in procedure similar to those Facebook and Google sign-in buttons you see everywhere? If you remember our discussion from a couple of weeks ago, you might recall that our very own August Trometer gave it a ringing endorsement as a security “win.” It turns out, though, not everyone feels that way — and the concept is taking some fire from the OpenID Foundation. Before we get into their complaints, who are the OpenID Foundation? We’ll let them state it in their own words, as you can find on their official website, OpenID.net:

The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

To be more specific, the OpenID platform that the Foundation operates is an open source standard for securely authenticating logins without the need for a central organizer overseeing all that activity. 

Overall, it’s a cool idea; with OpenID, you don’t have to rely on anyone for login security; you can use any number of third-party services, or you can even set it up yourself if you have a website. In other words, you get to choose where your login authentication happens (more or less), rather than strictly relying on the website or company you’re working with to do it — which, as we all know, can lead to data breaches. 

So, what’s the beef with Sign In with Apple? A quick reminder: Apple’s take on the problem is to say, “Let us handle that,” creating anonymized emails and passwords when you log in to third-party sites to obscure your actual details and keep them out of the databases that could end up stolen one day. Apple says it’s the better option because the anonymized emails remove most of the ability to track you, it has two-factor authentication available, and — in theory — Apple isn’t using any of that information to market to you.

In the end, both OpenID and Apple are working towards the same thing here, so what’s the problem? It comes down to the proprietary nature of Apple’s plan — that is, the fact that the company itself will handle all the infrastructure. In an open letter to the company, the OpenID Foundation noted that Sign In with Apple already implemented many of the tenets of its own suggested framework, but that it still featured differences that would create a less accessible experience for users. Apple should modify its plans, they said, to maximize compatibility with the OpenID Connect platforms for a better user experience and to reduce the “burden” on developers who would need to support both options.

Is the burden really that large? Maybe, maybe not — it’s a matter of perspective, really, in terms of whether or not a developer would want to do that. In truth, the differences that are there aren’t that big, and where they do exist, it seems likely that they were left out simply because they do not align with Apple’s own goals. OpenID, for example, believes users should be able to access their own identity history; Apple wants to eliminate identity tracking, so collecting all your logins together simply doesn’t make sense.

Also, the OpenID Foundation board is largely populated by Apple’s competitors — so of course, they would have a vested interest in maintaining their own slice of the pie.

For its part, the Foundation listed four things they’d like to see Apple do, including improving interchangeability and, oh yeah, joining the Foundation themselves. Seem likely? We’ll see. If Apple actually responds to the criticism, we’ll be sure to bring you an update here on The Checklist. 

The UK Hands Down Hefty GDPR Fines

Europe’s General Data Protection Regulation, or GDPR, went into force last year — and now every website asks you about cookies. That’s probably how most people know about it, though we did an in-depth episode on what the law meant for digital privacy and security last year; that’s Episode 90 if you want to hit the archives to check it out.

As part of the GDPR, every EU country was required to set up data privacy commissions that would oversee the regulations within their borders. These agencies were empowered to levy some significant fines against violators as a way to give the law some real teeth and to hopefully force a change. Now we’re finally starting to see those fines come about, and some of the biggest ones ever are coming out of the UK.

According to TechCrunch, the Information Commissioner for the UK first announced a huge penalty for British Airways after more than half a million customers had their data stolen in a breach of the airline’s online booking systems last year. The price tag? The equivalent of about $230 million (£183 million), or 1.5% of the company’s gross annual revenues — one of the highest types of fines allowed under the GDPR. Prior to that, a £500,000 fine was the largest ever issued in the UK. That honor was, of course, Facebook’s.

Hey, remember our stories about the Marriott data breach we did near the end of last year? They got fined, too, after losing 30 million highly detailed records on hotel guests with properties the company acquired in a deal some years ago. They got slapped with a fine of £99 million, or about $124 million. While Marriott inherited the issues, regulators said they failed to do their own due diligence to secure their systems, and thus are liable for the breaches.

Ultimately, that money isn’t going to individuals, but into the government treasury once the fines are paid; what happens to it after that is anyone’s guess. Nonetheless, it’s nice to see some real consequences for these actions — let’s hope the trend keeps up, and that it also changes corporate attitudes towards privacy and security.
