Major Zoom Security Flaw Could Hijack Mac Cameras

George Herman
IT Security Expert


The security researcher Jonathan Leitschuh has just publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app for Macs. He has demonstrated that any website can open a video-enabled call on a Mac through the installed Zoom app. What makes this possible is that the Zoom application installs a local web server on the Mac, and that server accepts requests a regular browser would otherwise not let a website make. Worse, if you uninstall Zoom, that web server persists and can reinstall Zoom without your permission.
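The core of the problem described above is a localhost helper that acts on any request a browser happens to send it. The following is an added example, not Zoom's code or anything from Leitschuh's write-up: it contrasts a naive authorization check (any GET with an id triggers the action) with the check a local helper server should make before doing anything on the user's behalf. The header names, the allow-listed origin and the per-install token are assumptions chosen for illustration.

```python
"""Added example: authorizing browser-originated requests to a localhost helper.

This is not Zoom's code. It shows, side by side, the weak behaviour the article
describes (a local server that acts on any GET from any page) and a hardened
check: state-changing actions only over POST, an allow-listed Origin header,
and a per-install secret the calling page must present.
"""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumption: a secret generated at install time and handed only to the
# helper's own trusted front end, never embedded where arbitrary sites see it.
INSTALL_TOKEN = secrets.token_hex(16)

# Assumption: the only web origin allowed to drive the helper.
ALLOWED_ORIGINS = frozenset({"https://example.test"})


@dataclass
class Decision:
    allowed: bool
    reason: str


def naive_authorize(method: str, target: str, headers: dict) -> Decision:
    """Weak check: any GET carrying an id is accepted, regardless of who sent it.

    A browser will happily issue such a GET for an <img> or <iframe> placed on
    any web page, which is the class of behaviour the article describes.
    """
    params = parse_qs(urlsplit(target).query)
    if method.upper() == "GET" and params.get("id"):
        return Decision(True, "GET with id accepted")
    return Decision(False, "no id supplied")


def authorize_local_request(
    method: str,
    target: str,
    headers: dict,
    install_token: str = INSTALL_TOKEN,
    allowed_origins: frozenset = ALLOWED_ORIGINS,
) -> Decision:
    """Hardened check for a localhost helper.

    Rules applied in order:
      1. Only POST may trigger an action; GET never changes state, so a
         cross-site image or frame load cannot fire it.
      2. An Origin header must be present and allow-listed. A request with no
         Origin is treated as untrusted rather than as local, because many
         cross-site loads omit it.
      3. A per-install token must match, compared in constant time, so a page
         that merely guesses the URL cannot drive the helper.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return Decision(False, "only POST may trigger an action")
    origin = h.get("origin")
    if origin is None:
        return Decision(False, "missing Origin header")
    if origin not in allowed_origins:
        return Decision(False, f"origin not allow-listed: {origin}")
    token = h.get("x-local-token", "")
    if not hmac.compare_digest(token.encode(), install_token.encode()):
        return Decision(False, "missing or wrong install token")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample requests, as a browser would send them on behalf of
    # a third-party page (first) and the helper's own trusted page (second).
    samples = [
        ("GET", "/launch?id=123", {}),
        ("POST", "/launch", {"Origin": "https://example.test",
                             "X-Local-Token": INSTALL_TOKEN}),
    ]
    for method, target, headers in samples:
        print(method, target,
              "naive:", naive_authorize(method, target, headers),
              "hardened:", authorize_local_request(method, target, headers))
```

Two of the three rules matter most in practice: a browser-issued cross-site GET (the image-tag case) never reaches an action, and a page that does not hold the install token is refused even when it spoofs a plausible origin. The Origin check on its own would not be enough, because it depends on what the browser chooses to send.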

Jonathan Leitschuh also explains how he responsibly disclosed the vulnerability to Zoom back in March, giving the company 90 days to fix the issue. Unfortunately, according to Leitschuh's account, Zoom has not done enough to resolve the problem so far. The flaw was also disclosed to the Chromium and Mozilla teams; however, as it is not an issue with their browsers, there is not much those companies can do.

Having your camera switched on without consent is bad enough, but the presence of the web server on their computers could cause even more significant problems for Mac users. For instance, in an older version of Zoom, it was possible to mount a denial of service attack on a Mac by constantly hitting the web server:

“By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS,” Jonathan Leitschuh writes.

What you can do is “patch” the camera problem yourself: make sure the Mac app has been updated, and disable the setting that allows Zoom to turn your camera on when joining a meeting.

However, uninstalling Zoom won’t fix the issue, because the web server persists on your Mac; turning the web server off requires running some terminal commands, which can be found here.

In a statement, Zoom says that the company developed the local web server to save users some clicks after Apple changed its Safari web browser in a way that requires Zoom users to confirm that they want to launch Zoom each time.

Zoom claims that the “workaround” is a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”

In addition, the company states that it will change the app in one small way: starting in July, Zoom will save users’ and administrators’ preferences for whether video will be turned on, or not, when they first join a call.

Given the above, it looks like Zoom has no intention of drastically changing how its app behaves on Macs to prevent users from being pulled into an unwanted call; instead, it will rely on users to turn their cameras off by default.

Photo Credits: The Verge
