Zoom’s scary webcam flaw also affects RingCentral and Zhumu
Last week, video conferencing app Zoom had to make a major change to its service to fix a frightening webcam vulnerability. But new evidence disclosed by security researcher Karan Lyons shows that other conferencing apps like RingCentral and Zhumu are susceptible to the same issue.
This means that, if you’ve installed either of the two apps, a malicious website could potentially embed a meeting link that, upon visiting, would automatically open up a video conference that turns your webcam on.
RingCentral, in response, has issued an emergency patch (v7.0.151508.0712), while urging users to not click on meeting links from unknown sources.
Both RingCentral and Zhumu are powered by Zoom, with the former used by over 350,000 organizations. Zhumu, on the other hand, is essentially a Chinese version of the app, which Zoom bought in 2013.
RingCentral (and Zhumu, and likely all of Zoom’s white labels) are vulnerable to another, slightly different, RCE. They are not automatically removed by Apple.
CVE-2019-13576 & CVE-2019-13586
Follow these instructions to protect yourself: https://t.co/FVkyBM1efB pic.twitter.com/c66hvGb1wm
- Karan Lyons (@karanlyons) July 15, 2019
Earlier last week, a disclosure by security researcher Jonathan Leitschuh revealed how Zoom installed a secret local web server on Mac devices, with an intent to save an extra click, but left users vulnerable by making it possible for an attacker to hijack their webcams.
To fix the flaw, Zoom released a patch that got rid of the local web server from Macs. In an unusual move, even Apple stepped in to remove the hidden server via an automatic update, noting it took the step “to protect users from the risks posed by the exposed web server.”
Leitschuh, in an update to his Medium post on July 9, had previously stated the vulnerability affected RingCentral as well.
“As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system,” Leitschuh said.
The incident highlights the issues that could stem from using white-labeled software. Although it’s much easier to license already available solutions, the problem is that if the provider has a flaw, every other company that reuses it suffers from the same flaw.
This makes it absolutely critical that vulnerability fixes are patched, distributed, adopted and installed in time.