Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras

Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability in the Zoom video conference app on Macs that could allow websites to turn on user cameras without permission. The Verge reports:

He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That’s possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention. Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh’s account, Zoom doesn’t appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it’s not an issue with their browsers, there’s not much those developers can do.

The report notes that you can “patch” the vulnerability by making sure the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting. “Again, simply uninstalling Zoom won’t fix this problem, as that web server persists on your Mac,” reports The Verge. “Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post.”
