Security flaw on Zoom app could allow Mac webcams to be hacked

Source: https://indianexpress.com/article/technology/tech-news-technology/security-flaw-on-zoom-app-could-allow-mac-webcams-to-be-hacked-5822040/

According to US-based security researcher Jonathan Leitschuh, the Zoom video conference app can get hijacked by any website which can then force a Mac user to join a call along with an activated webcam.

Zoom video conferencing app for Mac has a vulnerability that can start a video-enabled call on a Mac with the help of a web server. (Representational image: MacBook Pro)

Jonathan Leitschuh, a US-based security researcher, on Monday publicly disclosed a major zero-day vulnerability in the Zoom video conferencing software. Leitschuh demonstrated that any website can start a video-enabled call through the Zoom software on a Mac with the help of a web server that the Zoom app installs.

According to a report by The Verge, the server accepts requests that regular browsers would not. The report further says that even if you uninstall the Zoom software, the server remains and can reinstall Zoom without the user’s consent. As per Leitschuh’s findings, the Zoom software can be hijacked by any website, which can then force a Mac user to join a call with their webcam activated, without their permission, unless a specific setting is enabled.

In a Medium post published on Monday, Leitschuh gave a demonstration in the form of a link which, when clicked, takes Mac users (those currently using, or who have previously used, the Zoom app) into a conference room with their webcams activated. He notes that this code can be embedded in any website, as well as in malicious ads or a phishing campaign.

Leitschuh further writes that even if Mac users uninstall the Zoom app, the local web server remains and will “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”


The Verge in its report said that they tested the flaw themselves using Leitschuh’s demo and were able to confirm that the issue persists on clicking the link if Mac users have used the Zoom app and have not ticked a particular checkbox in settings. The link automatically joins users to a conference call with the web camera on.


As per Leitschuh, he contacted Zoom on March 26 earlier this year and said he would disclose the exploit publicly in 90 days. According to him, Zoom does not seem to have done enough to resolve the problem. The vulnerability was also disclosed to both the Chromium and Mozilla teams; however, because it is not an issue with their browsers, there is not much those developers can do about it.

To fix this issue, Leitschuh has advised Mac users with the Zoom app installed to update it to the latest version and then check the box in settings to ‘Turn off my video when joining a meeting’. He has also provided a series of commands in the Medium post that disable the local web server and prevent it from reinstalling.
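The check-and-neutralize step the article refers to, written here as an added defensive script that is not the article’s text or Leitschuh’s own commands. It assumes the helper process is named ZoomOpener, that it listens on localhost TCP port 19421, and that it lives under ~/.zoomus; the port and directory are overridable so the blocking step can be exercised on a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the article: detect and neutralize the Zoom local
# helper on a Mac. Assumed names (not stated in the article): process
# "ZoomOpener", localhost TCP port 19421, directory ~/.zoomus.
ZOOM_PORT="${ZOOM_PORT:-19421}"
ZOOM_DIR="${ZOOM_DIR:-$HOME/.zoomus}"

# Returns 0 if something is listening on the helper's localhost port.
zoom_helper_listening() {
  lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1
}

# Stop the helper process if it is running; always returns 0.
zoom_helper_stop() {
  if command -v pkill >/dev/null 2>&1; then
    pkill -x ZoomOpener 2>/dev/null
  fi
  return 0
}

# Replace the helper's directory with an empty, unwritable regular file so
# the client cannot recreate the helper in that location. Returns 0 when the
# path is now a file (not a directory).
zoom_helper_block_dir() {
  dir="$1"
  rm -rf "$dir"
  : > "$dir"
  chmod 000 "$dir"
  [ -f "$dir" ] && [ ! -d "$dir" ]
}

# Convenience wrapper for the real home directory.
zoom_helper_neutralize() {
  zoom_helper_stop
  zoom_helper_block_dir "$ZOOM_DIR"
}
```

Run `zoom_helper_listening && echo "helper still listening"` after the block step to confirm nothing is left bound to the port.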

The updated Zoom app only lets users turn off the video when joining a meeting by clicking the checkbox. (Image source: Medium/Jonathan Leitschuh)

Following the public disclosure, Zoom, in a statement to The Verge and ZDNet, said that it developed the local web server to save Mac users some clicks after Apple changed the Safari browser in a way that requires Zoom users to confirm that they want to launch Zoom every single time. The Verge report says that Zoom defended the workaround as a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”

According to the report, Zoom said that it will tweak the app in a minor way: starting in July, the app will save the user’s and administrator’s preferences for whether the video will be turned on, or not, when they first join a call.