• Home
  • Apps
  • Apps News
  • Zoom Vulnerability Could Let Websites Turn on Your Mac's Cameras Without Permission

Zoom Vulnerability Could Let Websites Turn on Your Mac's Cameras Without Permission

Zoom doesn’t seem to be doing much about it.

Share on Facebook Tweet Snapchat Share Reddit Comment
Zoom Vulnerability Could Let Websites Turn on Your Mac's Cameras Without Permission

Photo Credit: Zoom

The vulnerability was originally disclosed to Zoom on March 26

  • Zoom installs a local Web server on Mac
  • Even after deleting the Zoom app, the Web server remains functional
  • Web server can even re-install Zoom client without user interaction

A zero-day vulnerability present in the popular video conferencing app Zoom for Mac computers has come to light. Disclosed by security researcher Jonathan Leitschuh in a Medium post earlier today, the vulnerability allows any malicious website to forcibly join a Mac user to a Zoom call with video camera activated. This is possible because of a Web server installed by Zoom on Mac computers. Even after you have uninstalled the application, the Web server remains functional and “can reinstall the Zoom client without requiring any user interaction.”

In the Medium post, Leitschuh writes that the security vulnerability potentially exposes hundreds of thousands of businesses that use Zoom for Mac on a daily basis to exploitation. The flaw is a result of Zoom feature that triggers the Zoom client when a Zoom meeting link is clicked. Unless the user has explicitly configured their Zoom client to disable video upon joining meetings, their video is immediately shared with anyone they are in a Zoom call with, including an attacker who has exploited the vulnerability to trigger a video call.

According to Leitschuh, the vulnerability could also allow any webpage to DoS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. This is, however, only possible if a person is running an older unpatched version of Zoom, which included another vulnerability.

Leitschuh had disclosed the Mac-related vulnerability to Zoom back in March this year along with a proposed “quick fix”, however he claims that the company took ten days to confirm the existence of the vulnerability and a total of 87 days to fix the issue with the “quick fix” solution.

The quick fix implemented by Zoom doesn't patch the vulnerability completely and there are still workarounds to exploit it.

The company has now stated that it plans to apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings. Thereby allowing them to switch off video by default for all Zoom meetings, however if a user keeps the video option on, they will still be vulnerable to malicious third parties as the company doesn't seem to have any plans to change the Web server or its behaviour.

“Zoom installs a local Web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting,” Zoom said in a statement on its website. “The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”

Essentially, it is up to the Mac users to turn their cameras off by default to avoid giving other a peek into their lives.

How to patch Zoom on your Mac right now

  • Head over to Zoom client settings on Mac, then select Video.
  • In the Meetings section of Video settings, check the option “Turn off my video when joining a meeting”.

zoom settings mac Zoom settings

Photo Credit: Medium/ Jonathan Leitschuh



For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: Zoom, Zero Day, Apple, Mac, Safari
Gaurav Shukla Gaurav Shukla is a part of the Gadgets 360 news team and based out of New Delhi. Gaurav is responsible for making sure Gadgets 360 news section is updated with the latest happenings from the world of science and technology. When he is not editing or assigning stories, Gaurav writes about mobile devices, science, social media, and the Internet at large. With over 11 years of experience in tech journalism, Gaurav has reported on everything from the first Android phone to reach the Indian market to ...More
Google Pixel 4 XL Leak-Based Renders Show Large Bezels
Spotify Lite App for Android Comes Out of Beta, Brings Data Limit Feature

Related Stories




© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on JioSaavn.com