A major vulnerability has been discovered in the popular Zoom video conference calling app for the Mac. That vulnerability allows a person’s webcam to be hijacked if they simply click a link on a website or in a message.
The flaw works because Zoom installs a web server on the Mac when a person installs the desktop app. This web server is what makes Zoom so easy to use, giving the user the ability to join a video conference just by clicking a single link. That web server also allows the Zoom app to be reinstalled without requiring any user interaction.
However, as security researcher Jonathan Leitschuh discovered, this same web server leaves Zoom open to abuse: any other website can embed a link that, when a person clicks it, activates their webcam and drops them into a video call started by that site’s owners, without their permission. Unnervingly, the flaw persists even after users have deleted the Zoom app from their Macs, as Leitschuh notes:
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
In a blog post, Zoom says there is no indication the vulnerability was ever exploited: if a person did click a malicious link, the Zoom client runs in the foreground when it launches, so it would be readily apparent that a video call had started (and thus that their webcam was active).
Zoom did say, however, that it will release an app update soon that gives users more control over their video permission settings:
In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.
Until then, there are a few ways to protect yourself if you have ever had the Zoom client installed on your Mac. Be warned that for all but the first option below you will need to use the Terminal app on your Mac. Do not use Terminal unless you feel comfortable with it, as entering the wrong commands can damage the system files on your Mac.
- Option No. 1: In the Zoom app, go to Settings > Video then make sure the “Turn off my video when joining a meeting” box is checked.
- Option No. 2: Launch the Terminal app on your Mac, copy and paste the following command into it, and press the enter/return key. This disables Zoom video for your user account: defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
- Option No. 3: To disable Zoom video access for all user accounts on the Mac, launch the Terminal app, copy and paste the following command into it, and press the enter/return key: sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
You can also shut down Zoom’s web server on your Mac. Remember, even if you’ve uninstalled Zoom, this web server will still be running on your Mac unless you manually shut it down. Leitschuh explains:
To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files.
To prevent the web server from being restored later by a Zoom app update, enter the following two Terminal commands, one after the other (the second leaves an ordinary file in place of the directory, so the directory cannot be recreated):
- rm -rf ~/.zoomus
- touch ~/.zoomus
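The following shell script is an added example, not code from the article, from Zoom, or from Leitschuh’s post. It packages the checks and the mitigation described above into a few functions: parsing the PID out of `lsof -i :19421` output (so the parsing can be exercised offline on a constructed sample), classifying the state of the ~/.zoomus path, and applying the remove-then-touch block. It assumes only what the page states, namely that the server listens on TCP port 19421 and keeps its files under ~/.zoomus; the ZOOMUS_DIR override, the function names, and the sample lsof lines (including the placeholder process name) are this example’s own constructions.

```shell
#!/bin/sh
# Added example (not the article's, Zoom's, or Leitschuh's code): audit and
# mitigation helper for the macOS localhost web server discussed above.
# Assumptions from the page: TCP port 19421, files under ~/.zoomus.
# ZOOMUS_DIR is an override so the functions can be tried on a scratch path.

ZOOMUS_DIR="${ZOOMUS_DIR:-$HOME/.zoomus}"
ZOOM_PORT=19421

# Read `lsof -i :PORT` output on stdin and print the PID column (field 2),
# skipping the header line and de-duplicating, one PID per line.
pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Classify the ~/.zoomus path:
#   dir     -> the server's application files are present (server may be live)
#   blocked -> a plain file occupies the path, so an updater cannot recreate it
#   absent  -> nothing is there
zoomus_state() {
    path="${1:-$ZOOMUS_DIR}"
    if [ -d "$path" ]; then
        echo dir
    elif [ -e "$path" ]; then
        echo blocked
    else
        echo absent
    fi
}

# The page's mitigation: remove the directory, then leave a plain file in its
# place so the directory cannot come back. Prints the resulting state.
block_zoomus() {
    path="${1:-$ZOOMUS_DIR}"
    rm -rf "$path"
    touch "$path"
    zoomus_state "$path"
}

# Live check; only meaningful on a Mac where lsof is available.
zoom_server_pids() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -i ":$ZOOM_PORT" 2>/dev/null | pids_from_lsof
}

# Constructed sample of lsof output for a listener on port 19421. This is not
# a real capture; "zoomweb" is a placeholder process name.
SAMPLE_LSOF='COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
zoomweb  4242 alice   5u  IPv4 0xabc      0t0  TCP localhost:19421 (LISTEN)
zoomweb  4242 alice   6u  IPv4 0xabd      0t0  TCP localhost:19421->localhost:52211 (ESTABLISHED)'

# Usage: sh zoom-audit.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "~/.zoomus state: $(zoomus_state)"
    pids=$(zoom_server_pids)
    if [ -n "$pids" ]; then
        echo "process(es) bound to port $ZOOM_PORT: $pids"
        echo "stop with: kill -9 <pid> (as the page describes), then block ~/.zoomus"
    else
        echo "nothing bound to port $ZOOM_PORT (or lsof unavailable)"
    fi
fi
```

Running the script with --report on a Mac prints whether ~/.zoomus is a live directory, a blocking file, or absent, and lists any PID bound to the port; the block_zoomus function is the remove-then-touch step from the page and can be pointed at a scratch directory first to see what it leaves behind.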
You can check out Leitschuh’s full instructions for mitigating Zoom’s vulnerability at the end of his post here.