A major zero-day vulnerability has been discovered in Zoom, a video conferencing app used primarily by businesses. The vulnerability allows any website to access the camera on your Mac without your explicit permission by joining you to a video call.
The issue stems from the fact that Zoom installs and runs a web server on the Mac that accepts requests a regular browser would not allow. Worse, even if you uninstall Zoom from your Mac, the web server remains, and any website can use it to reinstall the Zoom client without any user intervention.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
The exploit also allows hackers to use a website to mount a DoS (denial-of-service) attack on a Mac by repeatedly asking it to join a non-existent video call.
Security researcher Jonathan Leitschuh originally disclosed the vulnerability to Zoom on March 26, 2019, and included a quick fix of his own for the company to use until it found a better solution. Zoom took 10 days to confirm the vulnerability and was very slow to patch it. Even after the 90-day disclosure deadline had passed, the company had only implemented the quick fix originally suggested by the researcher.
Since Zoom is used by businesses all over the world for video conferencing, this is a major vulnerability. If you use Zoom on a regular basis, you should update it to the latest version which includes the quick fix patch.
Do not uninstall the app, as that will not fix the issue and will leave your Mac vulnerable to the DoS attack. You can also disable the option that automatically turns on your camera when you join a Zoom video call.
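A quick way to verify on your own Mac whether a local web server like the one described above is still listening, as an added example that is not code from the article or from Zoom. It parses `lsof` listener output; the port is an assumption taken from the public disclosure, not from this article, and can be overridden with `ZOOM_LOCAL_PORT`.

```shell
#!/bin/sh
# Added example, not from the article or from Zoom: report whether a local web
# server is still listening on the port the Zoom client used.
# Assumption (not stated in the article): the port comes from the environment;
# the default below is the one named in the public disclosure.
ZOOM_LOCAL_PORT="${ZOOM_LOCAL_PORT:-19421}"

# listeners_on_port PORT TEXT
# TEXT is output in the format of `lsof -nP -iTCP -sTCP:LISTEN`. Prints
# "COMMAND PID" for every line whose local address ends in ":PORT" and whose
# state is (LISTEN). Exit status 0 if at least one was found, 1 otherwise.
listeners_on_port() {
    printf '%s\n' "$2" | awk -v p=":$1" '
        $NF == "(LISTEN)" && substr($9, length($9) - length(p) + 1) == p {
            print $1, $2; found = 1
        }
        END { exit !found }'
}

# count_listeners PORT TEXT: number of matching listeners (0 when none).
count_listeners() {
    listeners_on_port "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample output (no real hosts or processes) so the functions can
# be exercised offline: one daemon bound to loopback on the assumed port and
# one unrelated listener.
SAMPLE_LSOF='COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
localhelper  412 alice    4u  IPv4 0xabc0      0t0  TCP 127.0.0.1:19421 (LISTEN)
otherapp     388 alice    5u  IPv4 0xabc1      0t0  TCP *:49152 (LISTEN)'

# live_check: run the real lsof on this machine and report what it finds.
live_check() {
    out=$(lsof -nP -iTCP:"$ZOOM_LOCAL_PORT" -sTCP:LISTEN 2>/dev/null)
    if listeners_on_port "$ZOOM_LOCAL_PORT" "$out"; then
        echo "A process is listening on localhost:$ZOOM_LOCAL_PORT; update Zoom to the patched version rather than uninstalling it."
    else
        echo "Nothing is listening on port $ZOOM_LOCAL_PORT."
    fi
}

# Only touch the live system when explicitly asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```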
In a statement to ZDNet, Zoom confirmed that in its July release, it would make some changes to offer a more secure experience.
Zoom said that in its July release it would save whether the user turned off video in their first call and apply that choice to future meetings; these changes will roll out on all of its platforms.
[Via Medium, ZDNet]