Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking

Security Vulnerability in Video Conferencing App Zoom Allows Websites to Hack Into your Mac’s Camera

Security researcher Jonathan Leitschuh demonstrated that any website can open a video-enabled call on a Mac that has the Zoom app installed.

Millions of people use Zoom's corporate video-conferencing apps. The good news is that there are fixes (one of them is seriously hard to apply), and Zoom says it is fixing the issue soon. Users should update the client; manual downloads are also available.

"The July 9 patch to the Zoom app on Mac devices detailed below is now live", Zoom noted in the latest blog update on its webpage.

This slow response has been noticed by security experts, who also slammed the firm for its decision about the uninstall option.

The local web server that Zoom installed left users vulnerable even after they had uninstalled the Zoom client.

Zoom CEO Eric Yuan also said his company took "full ownership and we've learned a great deal" from the saga, which began when security researcher Jonathan Leitschuh contacted the company in March.

Leitschuh shared this tip in his post revealing the flaw.

On Tuesday, Zoom defended the use of the server, saying to ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".

Farley says "the consensus seems to be we'd rather have our users have to make an extra click to join a meeting than have this extra piece of code listening in on a port on a Mac".

Ultimately, the voice of users and security professionals led Zoom to decide that the risks outweighed the convenience the local web server provided.

The problem is that the normal procedure for removing Zoom does not remove the phantom web server that remains on your Mac. That means that if you have ever installed Zoom on your computer, you are technically still running part of it, whether or not you can see any sign of it.

On Tuesday, Zoom said that night's update would remove the local web server to secure the system, and that it would do away with the use of such servers going forward.

Oh, and a victim doesn't even need to be tricked into opening a web page. Zoom is used by 750,000 companies around the world to conduct their business, including such big names as Nasdaq, the U.S. Centers for Disease Control and Prevention, the U.S. Department of Homeland Security, and the U.S. Department of Energy.

When cybersecurity lets you down, the best fallback is a physical one; in this case, that means physically covering your webcam. Leitschuh pointed out in his blog that it is possible to ambush-call someone and force the recipient's camera on via settings in Zoom's call interface. Of the two links in his post, the first starts an audio-only call; the second, which includes "iframe" in the URL, starts a call with video active.