Did you know that your Macintosh webcam could have been hijacked? A serious security flaw in the Zoom video conferencing application joined Mac users to video calls without their permission.
“A vulnerability in the MacZoom client allowed malicious websites to enable Mac cameras without users’ permissions. This is a serious flaw that was thankfully discovered by Jonathan Leitschuh,” says Cyber security professional Alek Pirkhalo from Infiniwiz, a Chicago IT services company.
Jonathan Leitschuh, a US-based security researcher, reported this serious zero-day vulnerability. It allowed any website to forcibly join someone to a Zoom call, and activate their video camera.
Plus, he said that the vulnerability lets any webpage cause a Denial of Service (DOS) by repeatedly joining the Mac user to an invalid call.
Even if the user uninstalled the Zoom application from their Mac, it could be re-installed remotely.
What Should Mac Users Do?
To fix this particular issue, Leitschuh advised that Mac users with the Zoom application installed, update it to the latest version of Zoom and then check the box in settings to “Turn off my video when joining a meeting.”
Nick Allo, IT professional with Semtech IT in Orlando, FL mentions “a computer webcam is always a potential a gateway for security intrusion. This is why some users put a piece of tape over their webcam just in case.”
Zoom Has Since Patched The Vulnerability
The vulnerability has been patched; however, the flaw could have exposed up to 750,000 organizations around the world that use Zoom.
Leitschuh said that the Zoom vulnerability was originally disclosed on March 26, 2019, and that a “quick fix” from Zoom could have been implemented to change their server logic. However, it took them 10 days to confirm the vulnerability. And, it wasn’t until June 11, 2019, that Zoom held their first meeting about how to patch the vulnerability. This was only 18 days before the required 90-day public disclosure deadline.
He said that he contacted Zoom on March 26, giving them the public disclosure deadline of 90 days. Zoom patched the issue, so a webpage couldn’t automatically turn on a webcam, but this partial fix regressed on July 7th, allowing webcams to once again be turned on without permission.
What Was Zoom’s Response?
“Zoom installs a local web server on Mac devices running the Zoom client…This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless one-click-to-join meetings, which is our key product differentiator.”
Zoom also reported that they had no record of a Denials of Service or this type of weakness being exploited. They said that they fixed the security flaw back in May.