Your computer’s webcam has always been a gateway for potential security intrusion, which is why people like Mark Zuckerberg and ex-FBI head James Comey. On Monday, security researcher Jonathan Leitschuh gave Mac users another reason to fret over their webcams — there’s a security flaw in the Zoom video-conferencing app.
Zoom is most notable for its click-to-join feature, where clicking on a browser link takes you directly to a video meeting in Zoom’s app. But Leitschuh in a Medium post explained that he months ago discovered Zoom achieves this in insecure ways, allowing websites to join you to a call as well as activating your webcam without your permission.
He adds that this would allow any webpage to denial-of-service a Mac by repeatedly joining you to an invalid call. Uninstalling the Zoom app from your Mac isn’t enough to fix the problem, either. Zoom achieves its click-to-join function by installing a web server on your computer — which can reinstall Zoom without your permission.
“If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you,” Leitschuh writes, “without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”
If you have the Zoom app installed on your Mac, Leitschuh lists directions to neutralize the local server in his Medium post. You should also activate the Turn off my video setting when joining a meeting, as seen above.
The researcher says he contacted Zoom on March 26, giving the company a public disclosure deadline of 90 days. He says Zoom patched the issue, disabling the ability of a webpage to automatically turn on your webcam, but still this partial fix regressed on July 7, allowing webcams to once again be turned on without permission.
Zoom in a statement said the local web server is a workaround for Apple’s Safari 12 web browser introduced last September.
“Zoom installs a local web server on Mac devices running the Zoom client,” the statement reads. “This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
In regards to a potential denial of service attack, Zoom says it has no record of such a weakness being exploited, and says it fixed that security flaw in May.
Along with the likes of Slack, Uber and Pinterest, Zoom is one of many tech company’s to become a public company in 2019. The company raised $356 million upon its April 18 IPO, with its stocks trading as high as $66 on that day. The company’s stock has risen since, currently sitting at around $90.70.