Did you know that your Mac webcam could have been hijacked? A serious security flaw in the Zoom video conferencing application let any website join Mac users to video calls without their permission.

“A vulnerability in the Mac Zoom client allowed malicious websites to enable Mac cameras without users’ permission. This is a serious flaw that Jonathan Leitschuh discovered,” states Alek Pirkhalo, a cybersecurity professional from Infiniwiz, a Chicago-based IT services company.

Jonathan Leitschuh, a US-based security researcher, reported this serious zero-day vulnerability. It allowed any website to forcibly join someone to a Zoom call, and activate their video camera.

He also reported that the same vulnerability lets any webpage cause a Denial of Service (DoS) by repeatedly joining the Mac user to an invalid call.

Even after a user uninstalled the Zoom application, the Mac remained susceptible to remote reinstallation: the component that handled meeting launches stayed behind and could be triggered by a webpage to reinstall the client.

What Should Mac Users Do?

To address this particular issue, Leitschuh advised Mac users with the Zoom application installed to update it to the latest version of Zoom and then check the box in settings to “Turn off my video when joining a meeting.” Note that this setting only keeps the camera off when a meeting opens; it does not stop a webpage from launching the client into a meeting in the first place.

Nick Allo, IT professional with Semtech IT in Orlando, FL, mentions “a computer webcam is always a potential gateway for security intrusion. This is why some users put a piece of tape over their webcam just in case.”

Zoom Has Since Patched The Vulnerability

The vulnerability has since been patched, yet the flaw could potentially have exposed up to 750,000 organizations worldwide that use Zoom.

Leitschuh reported that he originally disclosed the Zoom vulnerability on March 26, 2019, and suggested that Zoom could have swiftly implemented a “quick fix” by altering their server logic. However, it took them 10 days to confirm the vulnerability. And, it wasn’t until June 11, 2019, that Zoom held their first meeting about how to patch the vulnerability. This was only 18 days before the required 90-day public disclosure deadline.

When he contacted Zoom on March 26, he gave them a 90-day public disclosure deadline. Zoom initially patched the issue, preventing a webpage from automatically activating a webcam. However, on July 7, this partial fix regressed, and webcams could once again be turned on without permission.

What Was Zoom’s Response?

“Zoom installs a local web server on Mac devices running the Zoom client…This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless one-click-to-join meetings, which is our key product differentiator.”

Zoom also reported that they found no record of anyone exploiting the Denial of Service or this type of weakness, and said that the Denial of Service issue had been fixed back in May.
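The two points above that matter to an administrator are that the Zoom client installed a local web server on the Mac, and that this component could survive an uninstall. The following is an added example, not code from the article, from Zoom or from Leitschuh, showing how to audit a machine for such a leftover localhost service. It assumes the daemon listens on a fixed TCP port on 127.0.0.1 and leaves a hidden directory in the user's home folder; the default port number and directory name in the script are assumptions supplied as parameters, not values stated in the article, so substitute the ones from the vendor's advisory for your environment. The `demo()` function stands up a throwaway listener and a fake leftover directory so the check can be exercised offline.

```python
"""Audit a Mac for a leftover localhost web server of the kind the Zoom client
installed (added example; not the article's, Zoom's or Leitschuh's code)."""
import os
import socket
import tempfile
from typing import Dict, List, Optional

# ASSUMPTIONS, not values from the article: override with the port and
# directory name given in the vendor advisory for the version you run.
ASSUMED_PORT = 19421
ASSUMED_DIR_NAMES = [".zoomus"]


def port_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if a process accepts TCP connections on host:port, i.e. a local
    web server of this kind is currently running."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def leftover_dirs(home: str, names: List[str]) -> List[str]:
    """Return those entries of `names` that still exist as directories under
    `home`; after an uninstall, any hit means the helper was not removed."""
    hits = []
    for name in names:
        path = os.path.join(home, name)
        if os.path.isdir(path):
            hits.append(path)
    return hits


def audit(port: int = ASSUMED_PORT,
          home: Optional[str] = None,
          names: Optional[List[str]] = None) -> Dict[str, object]:
    """Combine both checks into one report dictionary."""
    home = home if home is not None else os.path.expanduser("~")
    names = names if names is not None else ASSUMED_DIR_NAMES
    listening = port_listening(port)
    leftover = leftover_dirs(home, names)
    return {
        "port": port,
        "listening": listening,
        "leftover": leftover,
        # A listener or a leftover directory after uninstall is a finding:
        # a webpage could still reach the service, or it could reinstall the client.
        "finding": listening or bool(leftover),
    }


def demo() -> Dict[str, bool]:
    """Offline demonstration with constructed inputs: an ephemeral listener
    stands in for the local web server and a temp directory for the home
    folder. Shows the audit flags both while present and is clean after
    they are removed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        with tempfile.TemporaryDirectory() as home:
            fake_dir = os.path.join(home, ".leftover-demo")  # constructed name
            os.mkdir(fake_dir)
            before = audit(port, home, [".leftover-demo"])
            srv.close()                 # "stop the daemon"
            os.rmdir(fake_dir)          # "remove the leftover directory"
            after = audit(port, home, [".leftover-demo"])
    finally:
        srv.close()
    return {
        "flagged_while_present": bool(before["listening"]) and bool(before["leftover"]),
        "clean_after_removal": not after["listening"] and not after["leftover"] and not after["finding"],
    }


if __name__ == "__main__":
    report = audit()
    status = "FINDING" if report["finding"] else "clean"
    print(f"[{status}] port {report['port']} listening={report['listening']} "
          f"leftover={report['leftover']}")
    print("demo:", demo())
```

Run it as the user whose account had Zoom installed, since the leftover directory check looks under that user's home folder. A clean result only means nothing is listening on the assumed port and the assumed directory is gone; it says nothing about whether the client itself is up to date, which is the separate step Leitschuh recommended.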