Zoom Video Conferencing Vulnerability Lets Websites Switch on Mac Webcams Without Permission

A flaw in the Zoom video conferencing app for Macs could be exploited to allow malicious websites to open up a video call and effectively snoop on unsuspecting folks, reads a new report from The Verge.

This news, disclosed by security researcher Jonathan Leitschuh, shows that even Macs that don’t have Zoom installed anymore — but once did — are vulnerable.

Leitschuh explains that the vulnerability allows any malicious website to forcibly join a Mac user to a Zoom call with the video camera activated. This is possible because of a Web server installed by Zoom on Mac computers. Even after you have uninstalled the application, the Web server remains functional and “can reinstall the Zoom client without requiring any user interaction.”

In the Medium post, Leitschuh writes that the security vulnerability potentially exposes hundreds of thousands of businesses that use Zoom for Mac on a daily basis to exploitation. The flaw is a result of a feature that triggers the Zoom client when a Zoom meeting link is clicked. Unless the user has explicitly configured their Zoom client to disable video upon joining meetings, their video is immediately shared with anyone they are in a call with, including an attacker who has exploited the vulnerability to trigger a video call.

Leitschuh detailed how Zoom users could patch themselves, but at the time of writing it looks like millions of Zoom users could be vulnerable to the exploit, especially as Zoom doesn’t have “sufficient auto-update capabilities” meaning many users could end up being left on outdated versions that are still vulnerable to exploits even is the firm does fully fix the vulnerability.



“Zoom did end up patching this vulnerability, but all they did was prevent the attacker from turning on the user’s video camera. They did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site,” Leitschuh wrote.

In a blog post, Zoom says that there is no indication this vulnerability was ever taken advantage of because if a person did click on a malicious link, it would be readily apparent that a video call started (and thus their webcam was hijacked) because the Zoom client user interface runs in the foreground upon launch.

However, Zoom did say it will release an app update soon, which gives users more control over their video permission settings.