Zoom teleconferencing software may expose your Mac's camera to hackers

  • Mac users who have previously installed the Zoom teleconferencing app may have left their computer open to intrusion from hackers, but a fix is available.

    Security researcher Jonathan Leitschuh broke the news this week of a serious security flaw in the Zoom teleconferencing app for Mac that could expose your computer's camera to attackers without permission. Bizarrely, even users who have uninstalled the app are still vulnerable to the attack.

    Zoom has been used in teleconferencing by a large number of people because it's simple to use: you can set it up so that your computer automatically opens the Zoom app and joins the conference when you click on a link to accept the invitation. The obstacle to this seamless join is that Safari 12 on Mac has a built-in security feature to prevent unauthorised access to the camera, which would require the user to approve camera access every time they join a call.

    This is a standard step in many teleconferencing apps, but Zoom managed to bypass it in a way that has horrified the cyber-security industry: by silently installing a secret web-server on your Mac that runs in the background and provides local access to your camera at any time, without asking for permission.

    The web-server unfortunately functions similarly to a back-door or a piece of spyware installed on your computer, always running in the background and able to automatically open your Zoom app with full camera permissions. Leitschuh discovered a vulnerability in the web-server that allows any website to trigger a Zoom meeting and force your Mac to join it; he notes that this could also be used to mount a Denial of Service attack against a specific computer.

    The worst part about this cyber-security conundrum is that the web-server stays silently installed and running even after the app is uninstalled, so that it can automatically re-install the app on your behalf if you ever click a Zoom meeting link again. Leitschuh reported the vulnerability to Zoom in March 2019 and the firm applied a small fix in a June update, but the web-server and the flaw remained in place until he disclosed the issue publicly this week.

    Zoom initially defended its decision to silently install web-servers on thousands of Macs without their owners' knowledge, calling it "a legitimate solution to a poor user experience problem" because it saves the user a single extra click when joining meetings. Since then, it has announced that it has removed the web-server process as part of its July 9th update and has added a full uninstall option that removes both the client and the web-server. To apply this fix, you will first have to install the client again and update to the latest version.

    Source: TechCentral.ie

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.

