A new vulnerability has been found in the Zoom video conferencing app for the Mac. In a post on Medium, security researcher Jonathan Leitschuh outlined a flaw that lets any website turn on a Mac's camera.
When the Zoom app is installed on a Mac, it also installs a local web server that accepts requests a browser would otherwise block, as reported by The Verge. According to the reports, it is this web server that makes the attack possible.
The web server runs as a background process. Because of it, any website can forcibly join a visitor to a Zoom call with the video camera switched on, without the user's consent. Simply clicking a link is enough to be pulled into a Zoom conference call with the camera enabled, and this works even for users who no longer have the Zoom app installed.
Uninstalling the Zoom client does not remove that server: a user who installed Zoom and later uninstalled it still has a localhost web server on the machine that will happily reinstall the client. The server does not ask for any user interaction beyond visiting a web page.
Leitschuh first disclosed the vulnerability to Zoom in March. A timeline in the Medium post explains that the flaw was fixed at one point, but a regression this month made the attack work again. That regression has since been fixed, but Leitschuh found a workaround for the fix. Zoom also lacks a reliable auto-update mechanism, which means many users are still running older, vulnerable versions.
For those who want to protect themselves, there are two steps. To stop the camera from coming on when a page forces a join, open the Zoom settings and enable "Turn off my video when joining a meeting". To get rid of the web server itself, and with it the reinstall behaviour, run a series of Terminal commands to stop the server and remove the files it uses.
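The Terminal steps described above, as an added example that is not from the article, from Leitschuh's post or from Zoom. The port number (19421), the ~/.zoomus directory, the "touch" trick that keeps the directory from being recreated, and the ZDisableVideo preference key are taken from Leitschuh's disclosure and are not stated in this article; the lsof output used for the offline check is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: find and remove the leftover Zoom localhost web server on a Mac.
# Assumptions (from Leitschuh's disclosure, not from this article): the server
# listens on TCP 19421 and keeps its files in ~/.zoomus.
ZOOM_PORT=19421
ZOOM_DIR="${HOME}/.zoomus"

# Print the PIDs of processes in LISTEN state on the given TCP port.
# Reads `lsof -nP -iTCP -sTCP:LISTEN` style output on stdin, so the parsing
# can be exercised offline on a captured sample; ESTABLISHED lines are ignored.
listening_pids() {
    port="$1"
    awk -v port="$port" '
        NR > 1 && $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $2 }
    ' | sort -u
}

# Constructed sample of lsof output (not a real capture) for the offline check.
# lsof truncates the COMMAND column, hence "ZoomOpene".
sample_lsof_output() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 612 alice    5u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 127.0.0.1:19421 (LISTEN)
ZoomOpene 612 alice    7u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 127.0.0.1:19421->127.0.0.1:54321 (ESTABLISHED)
Python    900 alice    3u  IPv4 0x1a2b3c4d5e6f7090      0t0  TCP 127.0.0.1:8000 (LISTEN)
EOF
}

# Live check: is anything on this machine listening on the Zoom port?
# Prints the matching PIDs; returns 1 if lsof is missing or nothing listens.
zoom_server_check() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not found" >&2; return 1; }
    pids=$(lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null | listening_pids "$ZOOM_PORT")
    [ -n "$pids" ] || return 1
    printf '%s\n' "$pids"
}

# Removal: stop the listener, delete the directory it reinstalls the client
# from, then leave an empty file in its place so the directory cannot be
# silently recreated (the trick Leitschuh's post recommends).
zoom_server_remove() {
    for pid in $(zoom_server_check); do
        kill "$pid" 2>/dev/null || kill -9 "$pid"
    done
    rm -rf "$ZOOM_DIR"
    touch "$ZOOM_DIR"
}

# Camera mitigation from the command line: the "Turn off my video when joining
# a meeting" setting, written directly to Zoom's preference file (key name
# assumed from Leitschuh's writeup).
zoom_disable_video_on_join() {
    defaults write "${HOME}/Library/Preferences/us.zoom.config.plist" ZDisableVideo 1
}
```

Source the file in a Terminal on the affected Mac, run zoom_server_check to confirm the listener is present, then zoom_server_remove; re-run the check afterwards, which should now print nothing and return 1. The parser works on lsof's text output rather than using lsof -t so that the matching logic can be checked on a saved sample before anything is killed.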