2019-07-09

A major vulnerability has been discovered in the popular Zoom video conferencing app for the Mac. The vulnerability allows a person’s webcam to be hijacked if they simply click a link on a website or in a message.

The flaw works because Zoom installs a web server on the Mac when a person installs the desktop app. This web server is what makes Zoom so easy to use, giving the user the ability to join a video conference just by clicking a single link. That web server also allows the Zoom app to be reinstalled without requiring any user interaction.

However, as security researcher Jonathan Leitschuh discovered, this very web server leaves Zoom vulnerable to a potential breach: any other website can simply post a link that, when a person clicks on it, will activate their webcam, allowing that site’s owners to launch a video call and view them without their permission. The unnerving thing is that this flaw remains even if users have deleted the Zoom app from their Macs, as Leitschuh notes:

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
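A defender’s check for the situation Leitschuh describes, added here as an example and not taken from the article or from Zoom: the function below reads `lsof` listening-socket output and reports any process bound to a loopback address whose command name matches a pattern. The process names, PIDs and port in the embedded sample are constructed, and because this page does not give the Zoom helper’s actual process name or port, the `zoom` pattern in the live-run comment is an assumption.

```sh
#!/bin/sh
# Report processes listening on a loopback (localhost-only) TCP socket whose
# command name matches a case-insensitive pattern.
#
# Usage: localhost_listeners '<pattern>' < lsof_output
# Input: lines in the format of `lsof -nP -iTCP -sTCP:LISTEN` on stdin.
# Output: "COMMAND PID ADDRESS" per matching listener; exit status 1 when at
#         least one was found (a finding), 0 when none.
localhost_listeners() {
    pattern="$1"
    awk -v pat="$pattern" '
        NR == 1 && $1 == "COMMAND" { next }   # skip the lsof header line
        tolower($1) ~ tolower(pat) {
            addr = $(NF-1)                     # NAME column, before "(LISTEN)"
            # IPv4 loopback, IPv6 loopback, or an unresolved "localhost:" name
            if (addr ~ /^(127\.|\[::1\]:|localhost:)/) {
                print $1, $2, addr
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample resembling `lsof -nP -iTCP -sTCP:LISTEN` output. The
# helper name, PIDs and the port 40000 are made up for the example; only the
# first ExampleHelper socket is bound to localhost.
SAMPLE='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ExampleHelper 512 alice 3u IPv4 0x1 0t0 TCP 127.0.0.1:40000 (LISTEN)
sshd 88 root 4u IPv6 0x2 0t0 TCP *:22 (LISTEN)
ExampleHelper 512 alice 5u IPv4 0x3 0t0 TCP *:8080 (LISTEN)'

# Live run on a Mac (lsof is preinstalled); the pattern is an assumption:
#   lsof -nP -iTCP -sTCP:LISTEN | localhost_listeners 'zoom'
# Run against the constructed sample:
printf '%s\n' "$SAMPLE" | localhost_listeners 'examplehelper' || echo "finding: localhost listener present"
```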

This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf — Matt Haughey (@mathowie) July 9, 2019

In a blog post, Zoom says there is no indication this vulnerability was ever exploited: if a person did click a malicious link, it would be readily apparent that a video call had started (and thus that their webcam was hijacked), since the Zoom client user interface runs in the foreground upon launch.

However, Zoom did say it will release an app update soon that will give users more control over their video permission settings:

In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.

Until then, there are a few ways to protect yourself if you’ve ever had the Zoom client installed on your Mac. Be warned that all but the first option below require the Terminal app on your Mac. Do not use Terminal unless you feel comfortable with it, as entering the wrong commands can damage the system files on your Mac.