Last week, video conferencing app Zoom had to make a major change to its service to fix a frightening webcam vulnerability. But new evidence disclosed by security researcher Karan Lyons shows that other conferencing apps like RingCentral and Zhumu are susceptible to the same issue.
This means that, if you’ve installed either of the two apps, a malicious website could potentially embed a meeting link that — upon visiting — would automatically open up a video conference that turns your webcam on.
RingCentral, in response, has issued an emergency patch (v7.0.151508.0712), while urging users to not click on meeting links from unknown sources.
RingCentral (and Zhumu, and likely all of Zoom’s white labels) are vulnerable to another, slightly different, RCE. They are not automatically removed by Apple.
CVE-2019-13576 & CVE-2019-13586
— Karan Lyons (@karanlyons) July 15, 2019
Earlier last week, a disclosure by security researcher Jonathan Leitschuh revealed how Zoom installed a secret local web server on Mac devices — with an intent to save an extra click — but left users vulnerable by making it possible for an attacker to hijack their webcams.
To fix the flaw, Zoom released a patch that got rid of the local web server from Macs. In an unusual move, even Apple stepped in to remove the hidden server via an automatic update, noting it took the step “to protect users from the risks posed by the exposed web server.”
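The defensive check a Mac administrator would want after reading the two paragraphs above is a way to spot this class of problem before a vendor or Apple removes it: a process that listens on the loopback interface (so any web page in the browser can reach it) and whose binary lives in a hidden dot-directory in the user's home, where a normal inspection of /Applications would never find it. The script below is an added example, not code from the article or from Zoom, RingCentral or Zhumu. It parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and a pid-to-executable map, and flags loopback listeners running from hidden directories. The sample `lsof` lines, the process name `ExampleOpener`, the directory `.exampleopener` and port 14321 are all constructed for the example and are not identifiers from the disclosure.

```python
"""Flag loopback TCP listeners whose executable lives in a hidden directory.

Added example (not from the article). Offline demo uses constructed data;
collect_live() shows how the same check is fed from a real macOS host.
"""
import subprocess
from dataclasses import dataclass
from pathlib import Path

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not a real capture).
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd         1  root    8u  IPv6 0x1111      0t0  TCP *:22 (LISTEN)
ExampleOpener 4321 alice   7u  IPv4 0x2222      0t0  TCP 127.0.0.1:14321 (LISTEN)
node          5000 alice  21u  IPv4 0x3333      0t0  TCP 127.0.0.1:3000 (LISTEN)
"""

# Constructed pid -> executable path map (what `ps -axo pid=,comm=` yields on macOS).
SAMPLE_PROCS = {
    1: "/sbin/launchd",
    4321: "/Users/alice/.exampleopener/ExampleOpener.app/Contents/MacOS/ExampleOpener",
    5000: "/usr/local/bin/node",
}

# Addresses a browser on the same machine can reach without leaving the host.
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


@dataclass(frozen=True)
class Finding:
    pid: int
    command: str
    port: int
    exe: str


def parse_listeners(lsof_text):
    """Yield (command, pid, bind_address, port) for every TCP LISTEN line."""
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)" or fields[-3] != "TCP":
            continue
        addr, _, port = fields[-2].rpartition(":")   # handles "*:22" and "[::1]:80"
        yield fields[0], int(fields[1]), addr, int(port)


def in_hidden_dir(exe):
    """True if any path component is a dot-directory (e.g. ~/.something/)."""
    return any(p.startswith(".") and p not in (".", "..") for p in Path(exe).parts)


def find_hidden_loopback_servers(lsof_text, procs):
    """Return Findings for loopback listeners whose binary sits in a hidden dir."""
    findings = []
    for cmd, pid, addr, port in parse_listeners(lsof_text):
        if addr not in LOOPBACK:
            continue
        exe = procs.get(pid, "")
        if in_hidden_dir(exe):
            findings.append(Finding(pid, cmd, port, exe))
    return findings


def collect_live():
    """Gather real input on a macOS host. Requires lsof; ps -o comm gives full paths on macOS."""
    lsof_text = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"], capture_output=True, text=True
    ).stdout
    ps_text = subprocess.run(
        ["ps", "-axo", "pid=,comm="], capture_output=True, text=True
    ).stdout
    procs = {}
    for line in ps_text.splitlines():
        pid, _, comm = line.strip().partition(" ")
        if pid.isdigit():
            procs[int(pid)] = comm.strip()
    return lsof_text, procs


if __name__ == "__main__":
    for f in find_hidden_loopback_servers(SAMPLE_LSOF, SAMPLE_PROCS):
        print(f"pid {f.pid} ({f.command}) listens on 127.0.0.1:{f.port} from {f.exe}")
```

On the constructed data only pid 4321 is reported: `node` also listens on loopback but runs from a normal path, and `launchd` listens on all interfaces from `/sbin`. The hidden-directory heuristic is deliberately narrow; a listener on loopback from a visible path still deserves a look if its purpose is unknown, and on Linux `ps -o comm` prints only the basename, so `/proc/<pid>/exe` would replace it there.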
Leitschuh, in an update to his Medium post on July 9, had previously stated the vulnerability affected RingCentral as well.
“As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system,” Leitschuh said.
The incident highlights the risk of relying on white-labeled software. Licensing an existing product is far easier than building one, but a flaw in the provider's code is inherited by every company that rebrands it, as RingCentral and Zhumu inherited Zoom's.
This makes it critical that fixes reach every downstream brand: they must be developed, distributed, adopted and installed in time, not just by the original vendor but by each licensee shipping the same code.
Update on July 17, 9:30 AM IST: The Verge reports that Apple has deployed another silent security update to remove web servers installed by RingCentral and Zhumu. Like the update pushed last week, this one does not require any user interaction to install.