On Tuesday, a security researcher disclosed a zero-day vulnerability in the Mac Zoom client that affected more than four million webcams by allowing the camera to be enabled without user permission. After initially dismissing the issue, Zoom patched the vulnerability and announced further updates to be released later in July.
The vulnerability allowed any website to access a user’s video camera without their permission and forcibly join a user to a Zoom call. According to the researcher, the flaw potentially exposes 750,000 companies globally that are dependent on using Zoom for video calls.
The vulnerability can also be exploited to cause a denial of service on a Mac by repeatedly forcing the user to join an invalid call.
Mitigating this vulnerability isn’t simple: if the Zoom client was ever installed on a Mac, it creates a localhost web server on the machine, and that server remains even after the program is uninstalled. This local web server can re-install the Zoom client without asking the user’s permission and without the user noticing. Visiting a malicious webpage is all it takes to reinstall the Zoom client and exploit the vulnerability.
“This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine,” writes Jonathan Leitschuh, the software engineer who found this vulnerability, on his Medium blog.
Initially, Zoom denied that this was a cause for concern. The company said, “We did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”
How can users protect themselves?
Zoom released a patch on Tuesday that removes the local web server entirely and lets users manually uninstall Zoom. Users can obtain this patch by downloading the latest update via their Zoom client or here.
The company will be rolling out another update on July 12 that will make the following two changes:
- First-time users who select the ‘Always turn off my video’ box will automatically have their preference saved.
- Returning users can update their preference through the Zoom client settings and turn off their webcam’s video feed by default.
These preferences won’t be affected when the user joins a meeting, and they cannot be overridden by the meeting host or any other participant. If a user has turned off their video, it won’t be available to anyone. But if the user hasn’t checked the box to turn off the video, then the video feed will be transmitted automatically in any meeting where the host/creator has set participants’ video to be switched on.
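Because the leftover local web server is what makes reinstallation possible, an administrator will want to confirm it is actually gone after uninstalling or patching. The audit script below is an added example, not code from the article or from Zoom or the researcher; it assumes, based on the researcher’s public write-up rather than this article, that the helper lived in a hidden `~/.zoomus` directory and listened on TCP port 19421. The `lsof` text is passed in as an argument so the checks can be run against captured output.

```shell
#!/bin/sh
# Audit a Mac for the leftover Zoom localhost web server described in the
# article. Assumed (not stated on this page): helper directory ~/.zoomus,
# listener on TCP port 19421.
ZOOM_OPENER_PORT=19421

# zoom_opener_dir_present HOME_DIR -> status 0 if the hidden helper dir exists
zoom_opener_dir_present() {
    [ -d "$1/.zoomus" ]
}

# zoom_opener_listening LSOF_TEXT -> status 0 if a listener on the assumed
# port appears in the supplied output of `lsof -nP -iTCP -sTCP:LISTEN`
zoom_opener_listening() {
    printf '%s\n' "$1" |
        grep -Eq "TCP (127\.0\.0\.1|localhost|\*):${ZOOM_OPENER_PORT} \(LISTEN\)"
}

# audit_zoom_opener HOME_DIR LSOF_TEXT -> prints findings; exit status is the
# number of findings (0 means nothing left behind)
audit_zoom_opener() {
    findings=0
    if zoom_opener_dir_present "$1"; then
        echo "FINDING: $1/.zoomus still present; web server helper may survive uninstall"
        findings=$((findings + 1))
    fi
    if zoom_opener_listening "$2"; then
        echo "FINDING: a process is listening on localhost:${ZOOM_OPENER_PORT}"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no leftover Zoom web server detected"
    return "$findings"
}

# Live run on the local machine (lsof invocation is the only macOS-specific part):
# audit_zoom_opener "$HOME" "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)"
```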