As Buzzfeed reports, security researcher Karan Lyons published evidence of yet more video conferencing apps that could be maliciously opened with their cameras turned on due to a security flaw. The apps this time are RingCentral and a Chinese app called Zhumu. If you are a Mac user that has ever installed either app and then visited a malicious website, it would be possible for code embedded in an iframe to automatically open up a video conference that turns your webcam on. Both actually use Zoom’s technology behind the scenes — they’re essentially white labels — and so the same issues that afflicted Zoom also affect them.
If you are a user of RingCentral, you should update your app ASAP, as the latest patch includes a fix for this issue. If you are a former user, then you are going to need to do a little more work to check your computer. Like Zoom before it, RingCentral installed a daemon on your computer that listens for remote calls and isn’t removed in a typical uninstall process. Lyons has published fixes for these apps on GitHub, and as before they involve some terminal commands.
With Zoom, Apple ultimately stepped in to issue a global update to Macs to remove Zoom’s extra software — on the day after Zoom itself finally changed its mind and updated its own software to do the same. Apple’s intervention was likely necessary because without it, users who had uninstalled the Zoom app would never have received Zoom’s update that removes the leftover daemon. Lyons says that it’s likely that other white-labeled Zoom apps could have the same problem.
RingCentral (and Zhumu, and likely all of Zoom’s white labels) are vulnerable to another, slightly different, RCE. They are not automatically removed by Apple.
CVE-2019-13576 & CVE-2019-13586
— Karan Lyons (@karanlyons) July 15, 2019
We’ve reached out to Apple to see if it intends to repeat itself and issue updates for RingCentral and Zhumu. Speaking to Buzzfeed, a RingCentral spokesperson said that the company has “taken immediate steps to mitigate these vulnerabilities for any customers who could be affected,” but that to the company’s knowledge the security flaw hasn’t been exploited in the wild.