
Zoom security vulnerability could let sites hijack your Mac’s webcam

Video conferencing app Zoom has a major security issue that could allow anyone to target your webcam by adding you to a video call without your permission.

It’s a serious flaw in the Skype competitor, which could let anyone access your camera simply by sending you a link to a video conference. It would be easy for a website to trick you into clicking on a Zoom link by hiding it in an image or a pop-up window, activating your webcam without you even realising.


The four million Zoom users who have installed the Zoom app for Mac, including the 750,000 companies that use Zoom to conduct day-to-day business, are susceptible to the issue.

Deleting the app doesn’t resolve the problem, either. When you install the Zoom app, a web server is also installed to automatically accept meeting requests when you click on a link. It is designed to make entering video calls a seamless experience. However, this means that the app doesn’t pause to ask permission to access your camera when you enter a call – a feature that malicious websites could easily take advantage of.

Even if you uninstall the app, this web server doesn’t go anywhere, meaning that Zoom can reinstall the app for you whenever it wants without your consent, leaving you back at square one.

The issue was initially discovered by security researcher Jonathan Leitschuh in March. Leitschuh contacted Zoom directly, explaining the problems he’d found and suggesting a quick-fix solution (disable the option that allows callers to automatically turn on video for everyone) that Zoom could implement while it worked on resolving the issue.

During the 90-day public disclosure period, Leitschuh sent a tweet to Zoom warning it that he was about to go public with the information. Zoom argued that it does “not see video on by default as a security vulnerability”.

However, the issue is not that there is a “video on by default” setting. The issue is that this setting is controlled by whoever initiates the call. Zoom’s video conference settings allow the caller to switch ‘Participants’ video to ‘On’ when starting a call, meaning that anyone who clicks on the link will automatically find their webcam turned on.

Zoom has dragged its feet to fix the security flaw, holding the first meeting to address it on June 11 (18 days before the 90-day public disclosure deadline) and then finally implementing Leitschuh’s quick-fix solution on June 24 rather than offering a permanent solution of its own.


The webcam issue reappeared on July 7 but, according to the timeline on Leitschuh’s post, Zoom managed to fix it again on July 8.

There is no mention of a permanent solution as of yet. Zoom has claimed that, from this month, it will begin saving individual user preferences for whether video is turned on or off when they join a call, but this will do little to help those who choose to keep their video turned on by default.

This also won’t solve the web server issue, but you can visit the Medium post to follow Leitschuh’s own suggestions for uninstalling the web server.
