Vulnerability in Zoom video app on Mac could allow websites to access the webcam

“The vulnerability will allow third-party websites to join in on a Zoom video call without the permission of the user”

Zoom is a remote conferencing app that allows users to have video conferences, audio meetings, and chats. The app is available on the macOS App Store and uses cloud computing to provide said services. When you install Zoom on your Mac, a web server is also installed. This server is required to make video calls and for the functioning of the app. Recently, a security researcher discovered a major flow with the web server, which could lead to the hijacking of a Mac’s webcam.

Security researcher Janothan Leitschuh wrote about this flaw in a Medium post, and also provided a proof-of-concept to show that it does really allow a person to take over a video conference call on Zoom. This is a zero-day vulnerability and could be used by any website to take over a users’ Mac camera. The web server installed on the Mac can accept requests that is normally not allowed by browsers. Even after uninstalling the Zoom app, the service still remains. 

Several users tried out the demo detailed by Leitschuh in the post and they were able to join in on random video chats. He had reported the vulnerability to Zoom in March, but the company hasn’t done enough to patch it. You can manually patch the vulnerability by launching the Zoom app and checking a box that says ‘Turn off my video when joining a meeting’. However, uninstalling the app isn’t enough since it still leaves the web server behind. You can turn off the server as well, but that requires using certain commands in terminal.

Zoom camera vulnerability patch. Source - Medium
Zoom camera vulnerability patch. Source – Medium

According to Zoom, the web server was developed to make it easier for users. It states that this is a workaround for a poor UI that’s present in Apple’s Safari browser. With the web server, users can click once to join a meeting, which is their main service. In a new update, Zoom will save user preferences so that the video camera isn’t accessible. However, users will have to turn off the camera first. You can read all about it at the source.