Security researcher Jonathan Leitschuh has publicly divulged about a serious zero-day vulnerability that is present in the video conferencing app Zoom for Mac computers. In a post, Jonathan expressed that the susceptibility would allow any website to join a user in their video-enabled call on a Mac simply if the Zoom app is installed and activated. It’s possible partially because the Zoom app seemingly installs a web server on Mac computers and the app accepts requests which regular browsers wouldn’t. In fact, even if one uninstalls Zoom, that web server continues to exist and remains functional.
Taking help of Leitschuh’s demo, the company has confirmed that the flaw is present. In case, one clicks a link one gets during their earlier installation of the Zoom app, it would auto-join and user to a conference call with the user’s camera on. Others on Twitter are also reporting the issue.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) 9 July 2019
Leitschuh pointed that how he faithfully disclosed the frailty to Zoom back in late March, giving the company 90 days to solve the issue. According to Leitschuh’s, Zoom doesn’t seem to have done enough to solve the matter. The flaw was also divulged to both the Chromium and Mozilla teams, but since it’s not a matter with their browsers, there aren’t many things that the developers can do.
Leitschuh stated that the security glitch basically exposes hundreds of thousands of businesses who use Zoom app on a daily basis to exploitation. He also stated that turning on the camera is bad enough, but the existing of the web server on their computers might open up more notable problems for Mac users.
Users can solve the camera issue by confirming the Mac app is up to date and also by disarming the setting that allows Zoon to turn the camera on when joining a meeting. The company stated that it will change the app in one small way: from July, Zoom would save users’ and administrators’ preferences for whether video would be turned on, or not, when they first join a call. Generally, it sounds like Zoom doesn’t intend to drastically change how its app behaves on Macs to avoid getting sucked into an unwanted call, but will rather depend on users to turn their cameras off by default.