A new zero-day vulnerability has been disclosed in the Zoom video conferencing app for Mac. In a post on Medium, security researcher Jonathan Leitschuh outlined the flaw, which could let websites take over your Mac's camera.
When you install the Zoom app on your Mac, it also installs a web server that "accepts requests common browsers would not," as described in The Verge. It is this web server that apparently causes the vulnerability.
Essentially, the Zoom web server runs as a background process. Any website is thus able to "force a user into a Zoom call with their camera enabled without the user's permission." If you just click on a link, you will automatically join a Zoom conference call with your camera enabled, even if you no longer have the Zoom app installed.
We tested the vulnerability by using a link in Leitschuh's post and were immediately connected to a Zoom conference call with our Mac's camera enabled. One of the most damaging aspects of this vulnerability is that it works even if you have uninstalled the Zoom app:
"If you have ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that would like to reinstall the Zoom client for you without requiring any user interaction on your behalf besides visiting a web page. This reinstallation 'feature' continues to work to this day."
Leitschuh first disclosed the vulnerability to Zoom back in March. The timeline in the post explains that the vulnerability was fixed at some point since then, but a regression this month caused the vulnerability to work again. The regression was corrected today, but Leitschuh discovered a workaround.
In addition, Zoom lacks "adequate auto-update features", according to Leitschuh, which means that users are still running older versions of the app.
So how can you protect yourself? The easiest way is to open the Zoom Settings window and enable the "Turn off my video when I join a meeting" setting. You can also run a series of Terminal commands to completely uninstall the web server; these commands are found at the bottom of Leitschuh's Medium post.
More technical details and proof-of-concept links can be found on Medium.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos and freaked out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
– Matt Haughey (@mathowie) July 9, 2019