A security researcher has found a flaw in the popular video conferencing app Zoom that could be used to turn on the camera on a Macintosh computer without a user's permission.
The vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without a user's permission, explained Jonathan Leitschuh in a post published Monday on Medium.
Leitschuh is a senior software engineer at Gradle, an open source software project based in San Francisco. His article demonstrates how to embed code into a website so that any Zoom users who land there will be connected instantly to a Zoom meeting with their video cameras running.
The code could be used in a malicious ad or in a phishing campaign, he wrote.
Hosts or participants cannot override a user's audio and video settings, Farley wrote. That includes turning a camera on or off.
It would be difficult for rogue users to hide their participation in a meeting, Farley maintained.
"Because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately," he wrote.
Zoom had not seen a single instance of the Leitschuh vulnerability being exploited in the wild, wrote Farley.
Nevertheless, in the next Zoom upgrade, users will be able to apply settings they used for their first Zoom session to all future sessions automatically, he noted.
Target on Zoom's Back
Leitschuh also found that the vulnerability he discovered could be used to launch a denial-of-service attack on an individual machine. It would enable the sending of repeated meeting requests to a Mac, which eventually would lock it up.
"We have no indication that this ever happened," Farley wrote.
However, he acknowledged that the company released a fix for the problem in May, though Zoom did not force its users to update because it was empirically a low-risk vulnerability.
Leitschuh was critical of Zoom's installation of Web server code to enable its client to update and install new versions of itself. That code remains on a machine even if Zoom is uninstalled from a computer.
"Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," he wrote.
Leitschuh isn't alone in his criticism of Zoom.
"Leaving a server running even after uninstallation is unacceptable," said Martin Hron, a security researcher at Avast, headquartered in Prague, the Czech Republic. Avast makes security software, including antivirus programs for the Mac.
Working Around Poor UX
The Web server with limited functionality was a workaround to accommodate changes made in Safari 12, Farley explained. Those changes required users to confirm they wanted to launch the Zoom client every time they joined a meeting. The local Web server allows users to join meetings directly without going through that step.
"We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings," Farley wrote.
"We are not alone among video-conferencing providers in implementing this solution," he added.
There is no easy way to remove both the Zoom client and Web server app on a Mac once the Zoom client is launched, Farley acknowledged, but he added that a new app to uninstall both files is expected by this weekend.
Until that time, users should deactivate the setting that turns on the camera upon joining a meeting, as well as disallow a browser from automatically opening the Zoom app for Zoom links, Avast's Hron told TechNewsWorld.
The vulnerability could be bad news for Mac users of Zoom, who number more than 4 million, according to Leitschuh.
"Even though most Zoom users are in the enterprise, they are still consumers, and this vulnerability could result in a privacy nightmare if their work computers are used at home or for personal reasons," Hron said.
"Any website can turn on the Zoom client with the video feed enabled, which essentially could turn a casual browsing session into a serious invasion of privacy in the home," he explained.
Having your camera and audio enabled on your Mac without your knowledge can create a number of scenarios with bad outcomes, suggested Greg Young, vice president for Cybersecurity at Trend Micro, a cybersecurity solutions provider headquartered in Tokyo.
"One of those outcomes could be the use of the captured video or screenshots for blackmail," he told TechNewsWorld.
"Another is when entering credit card information online, we all hold the card up in front of us in view of the camera, and usually flip it over at least once," Young said.
Businesses should be worried too, noted Adam Kujawa, lab director at Malwarebytes, a Santa Clara, California-based maker of antimalware software for Microsoft Windows, macOS, Android and iOS.
"If anything said and shown on the camera can be spied on, that can be mighty dangerous for a company with a lot of IP to hide," he told TechNewsWorld.
Hard to Weaponize, Easy to Exploit
The flaw would be difficult for cybercriminals to weaponize in any effective form, Kujawa said, but the ease of exploitation would invite mischief.
"Just send out a convincing email with a link that points to a localhost server and wait for users to click," he observed, "or share it on social media."
It's the practice in the industry to give a software maker 90 days to fix flaws found by bug hunters.
"Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard," Leitschuh wrote. "The four-plus million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service."
John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.