A flaw in video conferencing tool Zoom is leaving Apple Mac users' webcams vulnerable to being hijacked
- A researcher found a vulnerability in Zoom's Apple Mac app, which means users can have their cameras remotely activated by clicking a link.
- Even if a user uninstalled the app on their Mac, it could be remotely re-installed, the researcher found. Zoom has since patched this vulnerability.
- Zoom said the camera vulnerability was the result of a "legitimate solution to a poor user experience."
- Visit Business Insider's homepage for more stories.
Zoom users on Apple Mac are being left vulnerable to having their camera hijacked, researcher Jonathan Leitschuh revealed in a Medium post on Monday.Leitschuh discovered the flaw in March which would allow malicious actors to remotely force users into joining Zoom calls, automatically turning their camera on.
Leitschuh also found that even if a user uninstalled Zoom on their Mac, a malicious actor could remotely re-install it. He also found attackers could launch denial of service (DOS) attacks, although this was patched by Zoom in May, according to a blog post released by the company.Leitschuh recommends users can patch the vulnerability themselves by going into their settings and ticking "turn off my video when joining a meeting."
According to Zoom, this flaw stems from the fact it lets users click straight into Zoom meetings, a workaround it implemented after Apple rolled out an update which required users to confirm with a click if they want to launch Zoom every time they use it.
Zoom said the workaround was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."Read more: This is how attackers were able to spread spyware through WhatsApp with just a phone call
Although Zoom implemented a "quick fix," which Leitschuh recommended when he got in touch with the company in March, the researcher was not impressed with the company's response.
"Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service."In a statement to Forbes, Zoom admitted the vulnerability was still live: "If an attacker is able to trick a target user into clicking a web link to the attacker's Zoom meeting ID URL, either in an email message or on an internet web server, the target user could unknowingly join the attacker's Zoom meeting."
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf- Matt Haughey (@mathowie) July 9, 2019
- Initial assessment of adverse events didn't necessitate stoppage of vaccine trials: ICMR
- Phase 2 and 3 clinical trials for Sputnik vaccine commence
- 'Delhi chalo': After Singhu and Tikri, Delhi Police closes Chilla border due to farmers' protest
- Manforce Condoms promotes its competitors in its latest ad for World AIDS Day
- Sensex, Nifty close at record high on recovery hopes, vaccine boost