‘Zoom’ app on Mac exposes users to having their webcam hijacked

How hackers could hijack the camera on your Mac: Major security flaw in Zoom conferencing app lets people join video calls without needing permission

  • Security researcher says the Zoom video conferencing app on Macs is insecure
  • Clicking on a browser link takes you directly to a video meeting in Zoom’s app
  • Any website can open a video-enabled call on a Mac with the Zoom app installed
  • Jonathan Leitschuh says that allows websites to join you to a call by activating your webcam without permission

A security researcher has warned Mac users of a security flaw in the Zoom video-conferencing app leaving people at risk of being hijacked.

Zoom is most notable for its click-to-join feature, where clicking on a browser link takes you directly to a video meeting in Zoom’s app. 

Expert Jonathan Leitschuh said there was a ‘serious zero-day vulnerability’ for the Zoom video conferencing app on Macs. 

In a blog post, Mr Leitschuh discovered that Zoom achieves this insecurely, allowing websites to join you to a call by activating your webcam without permission.


HOW TO UNINSTALL ZOOM COMPLETELY 

If you’ve ever installed the Zoom client and then uninstalled it, you still have a local host web server on your machine 

According to Mr Leitschuh, this will re-install the Zoom client for you.

It will not require any user interaction on your behalf besides visiting a webpage. 

This re-install ‘feature’ continues to work to this day.

In your video menu settings, click turn off my video when joining a meeting.

This vulnerability comes from the Zoom feature that allows you to send anyone a meeting link: when they open that link in their browser, their Zoom client opens automatically on their local machine.

The researcher says he contacted Zoom on March 26, giving the company a public disclosure deadline of 90 days. 

He demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. 

That’s possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t, the post said.

According to the Verge, uninstalling the Zoom app from your Mac isn’t enough to fix the problem, either. 

If you uninstall Zoom, that web server persists and can reinstall Zoom without your guidance.

The publication confirmed that the vulnerability works: clicking a link, if you have previously installed the Zoom app, will automatically join you to a conference call with your camera on.

‘If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you without requiring any user interaction on your behalf besides visiting a webpage,’ he wrote.

‘This re-install “feature” continues to work to this day.’

The flaw is said to be partly due to a web server the Zoom app installs on Macs that ‘accepts requests regular browsers wouldn’t.’ 

Zoom independently confirmed the vulnerability.  


‘Zoom installs a local web server on Mac devices running the Zoom client,’ the firm said in a statement to the Verge.

‘This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. 

‘The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. 

‘We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.’
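The local web server described above is reachable from any web page, because a browser will happily send a GET to localhost on a page's behalf and the same-origin policy does not stop that request from arriving. The following is an added illustration, not Zoom's code nor the researcher's, of the check such a helper needs: it refuses a request unless it carries a per-install secret and an expected Origin (the port, paths, header name and token handling are assumptions for the demo).

```python
"""Added illustration (not Zoom's code): a localhost helper web server must
authenticate its caller itself, because any web page can make the browser
send a GET to http://localhost:<port>/... and the same-origin policy will
not prevent that request from reaching the server."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Per-install secret known only to the legitimately launched client
# (hypothetical design; a real helper would keep it in the user's keychain).
INSTALL_TOKEN = secrets.token_hex(16)
ALLOWED_ORIGIN = "https://meeting.example"  # constructed placeholder origin


def authorize(headers, token=INSTALL_TOKEN, origin=ALLOWED_ORIGIN):
    """True only if the request carries the expected Origin AND the secret."""
    return headers.get("Origin") == origin and headers.get("X-Local-Token") == token


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # 403: some arbitrary web page triggered this; 200: the real client did
        self.send_response(200 if authorize(self.headers) else 403)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the helper on an ephemeral port, send one request the way a
    third-party page would (no secret) and one from the legitimate client;
    return both HTTP status codes."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/launch"

    def status(headers):
        try:
            return urllib.request.urlopen(urllib.request.Request(url, headers=headers)).status
        except urllib.error.HTTPError as err:
            return err.code

    try:
        foreign_page = status({"Origin": "https://some-other-site.example"})
        legit_client = status({"Origin": ALLOWED_ORIGIN, "X-Local-Token": INSTALL_TOKEN})
    finally:
        server.shutdown()
    return foreign_page, legit_client
```

The Origin header alone would not be enough, since a non-browser client can set it freely; the secret is what ties the request to the installed client.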

Eoin Keary, CEO and co-founder of edgescan, told MailOnline: ‘A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner. 

‘This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline.

‘What’s unfortunate, invasive and a violation of trust is when the software seems “uninstalled” but really isn’t. 

‘This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks. 

‘Persisting a webserver on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor.

‘It’s underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom.’
