Zoom security vulnerability could let sites hijack your Mac’s webcam

Video conferencing app Zoom has a major security issue that could allow anyone to target your webcam by adding you to a video call without your permission.

It’s a serious flaw in the Skype competitor, which could let anyone access your camera simply by sending you a link to a video conference. It would be easy for a website to trick you into clicking on a Zoom link by hiding the option in an image or through a pop up window, activating your webcam without you even realising.

Related: Best VPN

The four million Zoom users who have installed the Zoom app for Mac, including the 750,000 companies that use Zoom to conduct day-to-day business, are susceptible to the issue.

Deleting the app doesn’t resolve the problem, either. When you install the Zoom app, a web server is also installed to automatically accept meeting requests when you click on a link. It is designed to make entering video calls a seamless experience. However, this means that the app doesn’t pause to ask permission to access your camera when you enter a call – a feature that malicious websites could easily take advantage of.

Even if you uninstall the app, this web server doesn’t go anywhere, meaning that Zoom can reinstall the app for you whenever it wants without your consent, leaving you back at square one.

The issue was initially discovered by security researcher Jonathan Leitschuh in March. Leitschuh contacted Zoom directly, explaining the problems he’d found and suggesting a quick fix solution – disable the option that allows callers to automatically turn on video for everyone – Zoom could implement while it worked on resolving the issue.

During the 90-day public disclosure period, Leitschuh sent a tweet to Zoom warning it that he was about to go public with the information. Zoom argued that it does “not see video on by default as a security vulnerability”.

Hello Jonathan, thanks for looking into this! As a video first solution we do not see video on by default as a security vulnerability, we allow users to set their own desired video preferences. Details on how users can configure this can be found here: https://t.co/Yr1mjUIWaE

— Zoom (@zoom_us) July 8, 2019

However, the issue is not that there is a video by default setting. The issue is that this setting is controlled by whoever initiates the call. Zoom’s video conference settings allow the caller to switch ‘Participants’ video to ‘On’ when starting a call, meaning that anyone who clicks on the link will automatically find their webcam turned on.

Zoom has dragged its feet to fix the security flaw, holding the first meeting to address it on June 11 (18 days before the 90-day public disclosure deadline) and then finally implementing Leitschuh’s quick fix solution on June 24 rather than offering a permanent solution of its own.

Related: Best free VPN

The webcam issue reappeared on July 7 but – according to the timeline on Leitschuh’s post – Zoom managed to fix it again on July 8.

There is no mention of a permanent solution as of yet. Zoom has claimed that it will begin saving individual user preferences for whether video will be turned on or off when they join a call from this month, but this will do little to help those who choose to keep their video turned on by default.

This also won’t solve the web server issue but you can visit the Medium post to follow Leitschuh’s own suggestions for uninstalling the web server.