Zoom 0-Day: How Not to Handle a Vulnerability Report

ShmooCon XVI - 2020

Presented by: Jonathan Leitschuh
Date: Friday January 31, 2020
Time: 17:00 - 17:20
Location: One Track Mind

On July 8th, 2019, a bombshell 0-Day vulnerability was dropped on Zoom Inc. that disclosed how anyone could maliciously join a victim’s Mac to a call with their video camera active simply by visiting a malicious website. Additionally, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. It was later discovered that this “feature” could be abused to allow remote code execution.

In this talk I’ll discuss my communications with Zoom’s security team and the reasoning behind what led to my decision to resort to 0-Day disclosure. Additionally, we’ll walk through the post-disclosure timeline around how this vulnerability went from bad to worse, requiring the Apple security team to step in and use MRT to resolve this vulnerability.

Jonathan Leitschuh

Jonathan Leitschuh (@JLLeitschuh) is a Software Engineer and Security Researcher. He is currently a member of the Gradle Security Team. His company’s software is used to build almost all JVM based Android applications in the world. His research focuses on open source software, build infrastructure, and software supply chain security.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats