If you needed another reason to invest in a webcam cover, here it is.
Popular video conferencing app Zoom has a pretty troubling security flaw for those who use the app on Macs. According to a Medium post published on Monday, July 8, by security researcher Jonathan Leitschuh, the Mac version of the Zoom app has a vulnerability that lets websites launch video calls (and turn on your webcam) without your permission.
Zoom is well-known and used by countless companies precisely because of its ease of use. (Users can join video calls with just a shared link and a click.) But it turns out that that particular easy-to-use feature is the source of the vulnerability. According to Leitschuh’s post, installing the Zoom client for Mac doesn’t just install the video calling app itself; it also quietly installs a web server that listens on localhost. This local server is what gives Mac users one-click access to a Zoom video call: a join link in the browser talks to the server, and the server launches the client. But as Leitschuh notes, the local server feature “really hadn’t been implemented securely.”
In fact, because the server answers requests from any web page, not just zoom.us, a malicious website can use it to “forcibly join a user to a Zoom call” and, if the client is set to start video automatically, turn on the webcam without permission. In addition, the same flaw (in older versions of Zoom) would have let a website carry out a DoS (Denial of Service) attack on a Mac “by repeatedly joining a user to an invalid call.” Leitschuh noted that the DoS flaw was patched in version 4.4.2 of the Zoom client.
But you can’t just uninstall Zoom to fix the problem either. Leitschuh’s report also mentioned that the local web server stays on your Mac even after uninstalling Zoom. Worse, that server can reinstall the Zoom client on its own when you visit a join link, with no prompt. And it appears, at least according to Leitschuh’s version of events, that Zoom, while aware of the flaw, hasn’t fully fixed the security issue.
However, there are a few things Mac users can do to protect themselves. According to Leitschuh, Mac users can address the webcam issue by enabling the Zoom setting that turns off your video when joining a meeting (so that a forced join does not automatically activate the camera), and by making sure that the app itself is updated to the newest version. In addition, Leitschuh’s post offers a few terminal commands you can run to shut down the local web server and prevent it from being restored by future updates.
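The mitigation described above, as an added example that is not part of the original article and not taken from Zoom: a POSIX shell script that stops the local web server, replaces its `~/.zoomus` directory with an unwritable empty file so an update cannot put it back, and checks that the blocker is in place. The port number (19421), the process name (ZoomOpener), the `~/.zoomus` directory and the `ZDisableVideo` plist key are taken from Leitschuh’s write-up rather than from this page; treat them as assumptions to verify against the current version of that post. The functions take an optional home directory so they can be tried against a scratch directory first.

```shell
#!/bin/sh
# Example mitigation script (not Zoom's code, not from the article).
# Assumptions from Leitschuh's write-up: the helper server listens on
# localhost:19421, runs as "ZoomOpener", and lives in ~/.zoomus.
ZOOM_LOCAL_PORT=19421
ZOOM_OPENER_NAME=ZoomOpener

# Stop the running local web server, if any. Uses lsof when available to
# find whatever is bound to the port, then falls back to killing by name.
stop_zoom_local_server() {
  if command -v lsof >/dev/null 2>&1; then
    for pid in $(lsof -t -i :"$ZOOM_LOCAL_PORT" 2>/dev/null); do
      kill "$pid" 2>/dev/null || true
    done
  fi
  pkill -x "$ZOOM_OPENER_NAME" 2>/dev/null || true
  return 0
}

# Replace the ~/.zoomus directory with an empty, mode-000 regular file.
# A later Zoom update that tries to recreate the directory will fail
# because a non-directory already occupies the path. $1 overrides $HOME.
block_zoom_local_server() {
  home="${1:-$HOME}"
  target="$home/.zoomus"
  rm -rf "$target"
  : > "$target"
  chmod 000 "$target"
}

# Return 0 when the blocker is in place: ~/.zoomus is a regular file
# (not a directory) with no permission bits set. $1 overrides $HOME.
zoom_server_blocked() {
  home="${1:-$HOME}"
  target="$home/.zoomus"
  [ -f "$target" ] || return 1
  [ ! -d "$target" ] || return 1
  # GNU stat (Linux) first, then BSD stat (macOS).
  mode=$(stat -c %a "$target" 2>/dev/null || stat -f %Lp "$target" 2>/dev/null)
  [ "$mode" = "0" ]
}

# macOS only: make the client keep video off when joining a meeting, so a
# forced join does not turn the camera on. The plist key is an assumption.
disable_zoom_auto_video() {
  command -v defaults >/dev/null 2>&1 || return 0
  defaults write "$HOME/Library/Preferences/us.zoom.config.plist" ZDisableVideo 1
}

# Usage when run directly: apply all three steps to the real home directory.
if [ "${ZOOM_MITIGATE_APPLY:-0}" = "1" ]; then
  stop_zoom_local_server
  block_zoom_local_server
  disable_zoom_auto_video
  zoom_server_blocked && echo "local server blocked at $HOME/.zoomus"
fi
```

Run it with `ZOOM_MITIGATE_APPLY=1 sh zoom-mitigate.sh` to apply the changes, or source the file and call `zoom_server_blocked` on its own to audit a machine. Note that the blocker file also prevents a legitimate reinstall of the helper; remove it if you later want the one-click join behaviour back.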
Zoom did issue a statement to The Verge about the Mac webcam vulnerability. The Verge reports that the statement seemed to “defend” Zoom’s use of the local web server, calling the feature a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.” Zoom’s statement also said that, beginning in July, Zoom plans to save the preferences of users and administrators as to whether their webcams are turned on (or off) automatically upon joining a video call.