Today, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app for Macs. The flaw allows websites to take over your Mac camera without your permission.
When you install the Zoom app on your Mac, it also installs a web server, which “accepts requests regular browsers wouldn’t,” as detailed by The Verge. That web server is what causes this vulnerability.
Essentially, the Zoom web server runs as a background process. As a result, any website is able to “forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” If you simply click a link, you automatically join a Zoom conference call with your camera enabled, even if you have not installed the Zoom app on your Mac.
The problem gets worse: the web server can be reinstalled automatically if you have ever installed the Zoom web server on your machine and then uninstalled it. The localhost server on your machine can reinstall the web server without your permission, which leaves the Mac even more exposed.
Leitschuh first disclosed the vulnerability to Zoom back in March. His Medium post says the vulnerability was fixed at one point since then, but just a month later it started working again. The regression was fixed today, but Leitschuh discovered a workaround.
According to Leitschuh, Zoom lacks “sufficient auto-update capabilities,” which means there are many users out there still running an older version of the app that remains vulnerable to this threat.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
This is a very serious threat for Mac users and should be dealt with immediately. To protect yourself from this vulnerability, open the Zoom settings window and enable the “Turn off my video when joining a meeting” setting. You can also run a series of Terminal commands to uninstall the web server completely; those commands can be found at the bottom of Leitschuh’s Medium post.
More details on this vulnerability are in Leitschuh’s Medium post.
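A hidden web server bound to localhost, like the one described above, shows up as a loopback listener on the machine. The following script is an added example (not from the article, from Leitschuh’s post, or from Zoom) that filters `lsof` listening-socket output down to processes bound to the loopback interface; the process names, PIDs and ports in the embedded sample are constructed, not a real capture.

```shell
#!/bin/sh
# Added example: list processes listening on the loopback interface, the kind
# of hidden local web server the article describes. Input is the output of
# `lsof -nP -iTCP -sTCP:LISTEN` (macOS or Linux). Prints one
# "COMMAND PID ADDRESS" line per loopback listener.
loopback_listeners() {
  awk '
    NR == 1 { next }                      # skip the lsof header line
    /\(LISTEN\)/ {
      addr = $(NF-1)                      # e.g. 127.0.0.1:8080, [::1]:8080 or *:22
      if (addr ~ /^127\./ || addr ~ /^\[::1\]/ || addr ~ /^localhost:/)
        print $1, $2, addr
    }'
}

# Constructed sample lsof output (names, PIDs and ports are made up) so the
# script can be exercised offline.
SAMPLE='COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd        101  root    3u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:22 (LISTEN)
helperapp  4242  alice   7u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 127.0.0.1:12345 (LISTEN)
nodeapp    4300  alice   9u  IPv6 0x1a2b3c4d5e6f7083      0t0  TCP [::1]:3000 (LISTEN)'

# Audit the live system when lsof is available; otherwise run on the sample.
# Anything listed here that you do not recognise deserves a closer look:
# which binary is it, and does it survive uninstalling the app that created it?
audit() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | loopback_listeners
  else
    printf '%s\n' "$SAMPLE" | loopback_listeners
  fi
}
```

Run `audit` on a Mac after uninstalling an app to confirm that no leftover local web server is still listening.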