The Zoom video conferencing app contains a security flaw that allows websites to take over the camera on a Mac. The flaw was discovered by security researcher Jonathan Leitschuh.
The Zoom app installs a local web server on Macs that accepts requests a regular browser would not be allowed to make on its own. If Zoom is uninstalled, the web server remains present, and it can even reinstall Zoom without any action from the user.
Automatically added to video call
Leitschuh shared a demo of the vulnerability. The Verge tried the demo themselves and confirmed that it works.
To exploit the vulnerability, an attacker needs to get a user who has ever installed Zoom, and who has not enabled a particular setting, to click on a link. The user is then automatically added to a video call and the camera turns on automatically.
The automatically installed web server may have even greater consequences. For example, an older version of Zoom, which has since been patched, made it possible to carry out a DoS attack on a Mac by continuously sending requests to the web server.
Leitschuh himself states that he reported the vulnerability to Zoom in March. He gave the company ninety days to solve the problem before he made it public. According to the security researcher, Zoom didn’t solve the problem.
Zoom told The Verge that it developed the local web server to reduce the number of clicks for users. It did so because Apple changed Safari so that Zoom users have to confirm every time they want to launch the app.
According to the company, the web server is a legitimate solution to a poor user experience, "giving our users seamless, one-click-to-join meetings, which is the most important element that sets us apart."
Zoom says it will roll out a small change to the app this month. From then on, the preferences of users and administrators about whether the camera automatically turns on when they join a call will be saved.
For users, the only mitigation is to turn off the setting that automatically turns the camera on. It is also recommended to download the latest version of the app.

This news article was automatically translated from Dutch.