Security researcher Jonathan Leitschuh on Tuesday disclosed a serious zero-day vulnerability in the Zoom video conferencing app for the Mac that can allow a website to hijack the webcam on a Mac.
In a post on Medium, Leitschuh showed how simply visiting a malicious website allows the site to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. In addition, the vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
If a user has ever installed the Zoom client and then uninstalled it, the Mac still has a localhost web server that will re-install the Zoom client, without requiring any user interaction besides visiting a webpage.
Leitschuh says he told Zoom about the vulnerability in late March, allowing the company 90 days to fix the vulnerability. However, the researcher says the flaw remains in the app to this day.
Zoom defended its use of a local web server on Macs to ZDNet, saying it was a “workaround” to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
Until Zoom finally does something about the vulnerability, Mac users can take steps to protect themselves against the vulnerability by disabling the setting that allows Zoom to turn on the Mac camera when joining a meeting.
At the end of Leitschuh’s Medium post users will find a series of Terminal commands that will kill and delete the offending web server.
