CATEGORIES
home News

Security: Your Mac Under Zoom Attack Could Be Camera Hijacked

by Shane McGlaunTuesday, July 09, 2019, 01:41 PM EDT

A significant security issue with a popular Mac video conferencing company Zoom has surfaced. The security issue was made public by a researcher named Jonathan Leitschuh after a 90-day grace period to give Zoom time to fix the problem. The vulnerability could impact a variety of browsers running on Mac computers, including Safari, Chrome, and Firefox.

webcam security

The flaw would allow malicious websites to initiate a video call on any Mac that has (and in some cases previously had) the Zoom app installed. Depending on the version of Zoom in use, the nefarious website could trigger the video call with a simple launch action or an iframe exploit. In the proof of concept exploit, Leitschuh demonstrated that clicking a link opens the Zoom client with video-enabled unless a user explicitly turned off video streaming when joining a new meeting. Audio is disabled by default.

zoom settings

Another disturbing fact about Zoom surfaced along with the security exploit; Zoom creates and continuously runs a local web server as a background process on the host machine. Zoom implemented that strategy as a "workaround" to changes that Apple made in Safari 12. Zoom says that the local webserver was an adjustment made in efforts to maintain the app's streamlined user experience.

In every Zoom installation, the local server runs on port 19421, allowing Zoom calls to be initiated and updates delivered. Reports indicate that Zoom rarely performs an auto-update process despite the always running server and open port. Making the security issues even worse is that uninstalling the zoom app doesn't disable the server; it remains active and can reinstall the client app without user interaction. Leitschuh says that the act of visiting a webpage can trigger re-installation. Zoom has called its use of local web servers a "legitimate" solution to a "poor user experience."

So far the fix that Zoom has applied is described as barebones and includes signing HTTP GET requests. Zoom wanted an extension on the 90-day period to fix the issue, but the researcher disclosed the vulnerability saying that the core issue, the local server, remained in the patch Zoom issued. Zoom has since removed the ability for a host to join a call with video-enabled automatically. 

Tags:  security, Mac, (NASDAQ:AAPL)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment