Major Zoom Video Security flaw could let websites hijack Mac cameras


Today, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app for Mac. The flaw allows any website to switch on your Mac's camera without your permission.

When you install the Zoom app on your Mac, it also installs a local web server, which "accepts requests regular browsers wouldn't," as detailed by The Verge. That web server is the cause of this vulnerability.

Essentially, the Zoom web server keeps running as a background process, and it acts on requests from any web page your browser loads. That means any website is able to "forcibly join a user to a Zoom call, with their video camera activated, without the user's permission." Simply clicking a link is enough to drop you into a Zoom conference call with your camera enabled, and because the web server stays behind after Zoom is removed, this works even if you have since uninstalled the Zoom app from your Mac.
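To show why a local helper of this kind is dangerous, here is an added example in JavaScript that is not Zoom's code and not taken from Leitschuh's post. It models the request handler of a hypothetical localhost web server: the `/launch` endpoint, the origin allow-list, the install token and the sample requests are all assumptions made for the example. The vulnerable handler acts on any request it receives, which is exactly what a hostile page can make a browser send, for instance through an `<img>` tag pointing at localhost; the hardened handler requires an allow-listed Origin header plus a per-install secret a third-party page cannot know, and never enables the camera on its own.

```javascript
// Added example, not Zoom's code: a model of a localhost "helper" web server's
// request handling. Every path, origin and token here is hypothetical.
//
// Why a local web server is dangerous: the browser sends requests to localhost
// on behalf of whatever page is open (an <img src="http://localhost:PORT/...">
// tag is enough), and the same-origin policy only stops the page from *reading*
// the response, not from *sending* the request. A helper that acts on any
// request it receives therefore takes orders from every site you visit.

// Hypothetical per-install secret; a real helper would generate it at install
// time and store it where only the local user can read it.
const INSTALL_TOKEN = "c0ffee-not-a-real-token";
const ALLOWED_ORIGINS = new Set(["https://example-vendor.test"]);

// Normalise a request into { method, path, params, origin }. `req` is a plain
// constructed object { method, url, headers }, not a real http.IncomingMessage.
function parseRequest(req) {
  const url = new URL(req.url, "http://localhost");
  return {
    method: req.method,
    path: url.pathname,
    params: url.searchParams,
    origin: (req.headers && req.headers.origin) || null,
  };
}

// VULNERABLE: any request to /launch?meeting=... joins the meeting with the
// camera on. Nothing ties the request to the user's intent or to the vendor.
function vulnerableHandler(req) {
  const { path, params } = parseRequest(req);
  if (path === "/launch" && params.has("meeting")) {
    return { action: "join", meeting: params.get("meeting"), camera: true };
  }
  return { action: "ignore" };
}

// HARDENED: same endpoint, but the request must (1) be a POST rather than the
// simple GET that <img>/<script> tags and redirects produce, (2) carry an
// Origin header on the allow-list, and (3) present the install-time secret.
// The camera is left off; the user turns it on inside the call if they want.
function hardenedHandler(req, token = INSTALL_TOKEN) {
  const { method, path, params, origin } = parseRequest(req);
  if (path !== "/launch") return { action: "ignore" };
  if (method !== "POST") return { action: "reject", reason: "method" };
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { action: "reject", reason: "origin" };
  }
  if (params.get("token") !== token) return { action: "reject", reason: "token" };
  if (!params.has("meeting")) return { action: "reject", reason: "meeting" };
  return { action: "join", meeting: params.get("meeting"), camera: false };
}

// Constructed sample requests (parameters kept in the query string for brevity).
// What a hostile page's <img src="http://localhost:PORT/launch?meeting=..."> makes
// the browser send: a simple GET with no Origin header.
const hostileImageGet = { method: "GET", url: "/launch?meeting=123456789", headers: {} };
// A hostile page that knows the endpoint and guesses the token; the browser
// still attaches the page's real Origin, which is not on the allow-list.
const hostilePost = {
  method: "POST",
  url: "/launch?meeting=123456789&token=guess",
  headers: { origin: "https://attacker.test" },
};
// A launch initiated from the vendor's own page with the real token.
const legitimatePost = {
  method: "POST",
  url: "/launch?meeting=123456789&token=" + INSTALL_TOKEN,
  headers: { origin: "https://example-vendor.test" },
};

// Run all three requests through both handlers and report what each would do.
function runScenarios() {
  const requests = { hostileImageGet, hostilePost, legitimatePost };
  const results = {};
  for (const [name, req] of Object.entries(requests)) {
    results[name] = { vulnerable: vulnerableHandler(req), hardened: hardenedHandler(req) };
  }
  return results;
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(name, "vulnerable ->", r.vulnerable, "hardened ->", r.hardened);
}
```

Running it shows the vulnerable handler joining the call (camera on) for all three requests, including the one a plain image tag produces, while the hardened handler only accepts the vendor-originated request carrying the secret, and even then leaves the camera off. The Origin check alone is not enough in practice (not every request type carries one), which is why the secret is required as well.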

It gets worse: uninstalling the Zoom app does not remove the web server. If you have ever installed Zoom on a machine and then uninstalled it, the localhost server stays behind and can silently re-install the Zoom client, without asking your permission, as soon as a web page asks it to. This is what makes the exposure on the Mac so persistent.

Leitschuh first reported the vulnerability to Zoom back in March. According to his Medium post, the flaw was fixed at one point, but about a month later it started working again. That regression was fixed today, but Leitschuh says he has found a way around the fix.

According to Leitschuh, Zoom lacks "sufficient auto-update capabilities," which means many users are still running older versions of the app that remain vulnerable.

This is a serious threat for Mac users and worth addressing right away. To keep your camera out of it, open the Zoom settings window and enable the "Turn off my video when joining a meeting" setting. Note that this only stops the camera from being switched on automatically: a malicious page can still join you to a call, so the complete fix is to remove the web server itself. You can do that with a series of Terminal commands that uninstall the web server completely; they can be found at the bottom of Leitschuh's Medium post.

Full details of the vulnerability are in Leitschuh's Medium post.
