Chevron icon It indicates an expandable section or menu, or sometimes previous / next navigation options. HOMEPAGE

A flaw in video conferencing tool Zoom is leaving Apple Mac users' webcams vulnerable to being hijacked

macbook on tv
Mac users of Zoom were vulnerable to having their webcams hacked. Shutterstock

  • A researcher found a vulnerability in Zoom's Apple Mac app, which means users can have their cameras remotely activated by clicking a link.
  • Even if a user uninstalled the app on their Mac, it could be remotely re-installed, the researcher found. Zoom has since patched this vulnerability.
  • Zoom said the camera vulnerability was the result of a "legitimate solution to a poor user experience."
  • Later on Tuesday, Zoom announced that it had begun releasing a fix for the issue. 
  • Visit Business Insider's homepage for more stories.
Advertisement

Zoom users on Apple Mac are being left vulnerable to having their camera hijacked, researcher Jonathan Leitschuh revealed in a Medium post on Monday.

Leitschuh discovered the flaw in March which would allow malicious actors to remotely force users into joining Zoom calls, automatically turning their camera on.

"This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link... and when they open that link in their browser their Zoom client is magically opened on their local machine," he wrote in his blog.

Jonathan Leitschuh
By putting "participants" on Leitschuh was able to exploit the flaw. Jonathan Leitschuh

Others on Twitter tried the vulnerability out for themselves with success.

Advertisement

Leitschuh also found that even if a user uninstalled Zoom on their Mac, a malicious actor could remotely re-install it. He also found attackers could launch denial of service (DOS) attacks, although this was patched by Zoom in May, according to a blog post released by the company.

Leitschuh recommends users can patch the vulnerability themselves by going into their settings and ticking "turn off my video when joining a meeting."

Jonathan Leitschuh fix
Jonathan Leitschuh

According to Zoom, this flaw stems from the fact it lets users click straight into Zoom meetings, a workaround it implemented after Apple rolled out an update which required users to confirm with a click if they want to launch Zoom every time they use it.

Zoom said the workaround was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Advertisement

Read more: This is how attackers were able to spread spyware through WhatsApp with just a phone call

Although Zoom implemented a "quick fix," which Leitschuh recommended when he got in touch with the company in March, the researcher was not impressed with the company's response.

"Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service."

In a statement to Forbes, Zoom admitted the vulnerability was still live: "If an attacker is able to trick a target user into clicking a web link to the attacker's Zoom meeting ID URL, either in an email message or on an internet web server, the target user could unknowingly join the attacker's Zoom meeting." 

Advertisement

Later on Tuesday, following a hubbub in the cybersecurtity community around its response, Zoom announced that it had begun the process of sending out a fix to users.  

 

Zoom went public in April after being founded in 2011. Its share price is down nearly 2% to $89.10 in pre-market trading on Tuesday, though it remains significantly above the $36 price it listed at. The company says its customers spend more than 5 billion minutes using the service for meetings every month.

Zoom
Advertisement
Close icon Two crossed lines that form an 'X'. It indicates a way to close an interaction, or dismiss a notification.

Jump to

  1. Main content
  2. Search
  3. Account