A zero-day vulnerability in the popular video-conferencing app, Zoom, can forcibly join you to a video call without your consent on your Mac.
Jonathan Leitschuh, a cybersecurity researcher, publicly disclosed the vulnerability on July 8, leading to Zoom releasing an emergency patch the next day.
Nonetheless, it is important to understand just how easily an insecure app can leave your Mac exposed to serious breaches of your privacy, and how even reputable companies can fail to deliver easy fixes in a timely manner.
Let’s see what was really going on in the background that turned your Mac’s webcam into a possible surveillance device, and the instant fixes you can apply.
Invading user privacy with Zoom
The source of this vulnerability, as disclosed by Leitschuh in a Medium blog post, is that the Zoom app installs a local web server on Mac computers. What’s more, Zoom communicates with the web server outside of the macOS sandbox, which is a discouraged practice and opens the app up to exploitation by malicious users.
Zoom’s local web server runs as a background process, so you don’t even have to be running the app for your Mac’s camera to be turned on without your consent.
A website can simply embed two lines of code, and Zoom will immediately launch with the camera enabled and the website connected to your camera.
And that’s only the start of it. Websites could very easily perform a DoS attack on your Mac using the same vulnerability. All it would take is to simply force Zoom to keep sending “focus” commands to the operating system and thus overwhelming the affected Mac in the process.
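The underlying design problem described above is a web server bound to localhost that acts on any request a web page can make it send. The following is an added example, not Zoom’s code and not from Leitschuh’s write-up: a tiny local "helper" with one endpoint that behaves the way the article describes (any page can trigger it) and one hardened endpoint that refuses unless the request carries an allow-listed Origin and a per-install secret token. The endpoint paths, origins and token scheme are constructed for the demonstration.

```python
"""Added example (not Zoom's code): why a localhost web server reachable from
any web page bypasses the browser's consent prompts, and the checks a hardened
local helper would apply before acting."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed for the example: the real product's endpoint names, ports and
# any token mechanism are not on the page.
ALLOWED_ORIGINS = {"https://app.example.com"}
# A real helper would create this at install time and share it only with the
# desktop app, never with a web page.
INSTALL_TOKEN = secrets.token_urlsafe(16)


def decide(path, origin, token):
    """Return the HTTP status a local helper should answer with.

    /vuln : acts on any GET, so an <img> or <iframe> on any site triggers it.
    /safe : requires an allow-listed Origin AND the per-install token.
            Plain <img>/<iframe> loads carry no Origin header at all, so they
            are refused; the token stops any page that cannot read a secret
            from the local install.
    """
    if path == "/vuln":
        return 200
    if path == "/safe":
        if origin not in ALLOWED_ORIGINS:
            return 403
        if token is None or not secrets.compare_digest(token, INSTALL_TOKEN):
            return 403
        return 200
    return 404


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        token = parse_qs(url.query).get("token", [None])[0]
        status = decide(url.path, self.headers.get("Origin"), token)
        body = b"camera-on" if status == 200 else b"refused"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path, origin=None):
    """Issue a GET as a browser would on behalf of a page at `origin`."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if origin:
        req.add_header("Origin", origin)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Exercise both endpoints from a foreign page and from the allowed one."""
    srv = start_server()
    port = srv.server_address[1]
    foreign = "https://unrelated.example"
    results = {
        "vuln_from_foreign_page": fetch(port, "/vuln", foreign),
        "safe_from_foreign_page": fetch(port, "/safe", foreign),
        "safe_allowed_origin_no_token": fetch(port, "/safe", "https://app.example.com"),
        "safe_allowed_origin_with_token": fetch(
            port, f"/safe?token={INSTALL_TOKEN}", "https://app.example.com"),
    }
    srv.shutdown()
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The first result is the article’s scenario: the foreign page gets a 200 and the helper acts. The hardened endpoint answers 403 to the same page and to an allowed origin that lacks the token, and only succeeds when both checks pass.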
With these vulnerabilities, you could almost mistake Zoom as the dream app for any aspiring hacker!
Any agency with malicious intent could embed these few lines of code and run rigged ads or a phishing campaign. The possibilities for a privacy breach on Mac would be endless!
The most worrying aspect of this security hole is that the local web server continues to run in the background even after you uninstall Zoom, and it can reinstall the app on your Mac without your permission.
As a proof of concept, Leitschuh created this link, which will immediately activate your camera and start a Zoom call with no further intervention from you (Warning: don’t click the link if you don’t want your Mac connected to a random video call).
https://jlleitschuh.org/zoom_vulnerability_poc/zoompwn_iframe.html
The built-in security mechanisms in Mac’s Safari 12 are instantly bypassed by a link created this way, giving anyone access to activate your video and/or audio without your consent.
Fixing the vulnerability
By default, Zoom is configured to turn on your Mac’s webcam as soon as you agree to join a meeting. You can disable this default behaviour in the settings, which denies anyone hosting the meeting the ability to activate your camera when you connect:
[Image: Zoom video settings. Image credits: Jonathan Leitschuh]
This will fix the problem of a website turning on your camera forcibly, so you can at least keep your visual privacy intact.
It is important to remember that this isn’t the first time that privacy of Mac users has been compromised. The iCloud breach that leaked private photos of celebrities is still fresh in memory.
It is therefore essential that you take some definite steps to keep your privacy and security safe on the Mac.
Other than that, the overall state of your privacy on a Mac can be further enhanced with a tool like VPN. Certain VPN services such as the ones mentioned here can consolidate your online security and privacy, adding an extra layer of protection that has become so essential for the precarious nature of the web today.
Therefore, for bolstering the overall security of your Mac, it is recommended to take multiple measures that cover all possible vulnerable areas that could be damaging to you if exploited by a malicious third-party.
Quite often, you’ll find it only takes using updated anti-malware + VPN tools, in addition to checking that the privacy/permission settings in your macOS aren’t unnecessarily leaving you exposed on the web.
It is, after all, a simple change in settings that serves as a temporary fix to the peculiar problem facing Zoom users on Mac.
Zoom’s Lethargic Response to the Issue
Jonathan Leitschuh, the cybersecurity researcher who discovered these vulnerabilities, contacted Zoom in March this year to inform them about these security problems. However, Leitschuh blames Zoom for being surprisingly indifferent about the issue.
Zoom repeatedly made light of these problems by pointing out the discovered vulnerabilities could only be exploited after a user interaction takes place. But ironically, the only user interaction needed to get your Mac’s microphone and camera activated by force is to click a Zoom link. That alone bypasses the need for your permission, allowing the creator of the link to hijack your webcam.
Nonetheless, Leitschuh gave a 90-day time period to Zoom to fix discovered issues before going public with his findings.
Eighteen days before public disclosure, Zoom proposed two solutions, both of which were inadequate and brought the problem back to square one: easy vulnerabilities open for a sufficiently motivated hacker to exploit.
One would expect an organization of Zoom’s stature and reputation to be more serious about security flaws that threaten the privacy of a significant fraction of their customer base (an estimated 4+ million Mac users have the Zoom app installed).
As it happened, however, the company failed to resolve the issues pointed out by Mr. Leitschuh, leading to the full disclosure on July 8, when he published his findings in a Medium blog post.
Zoom released an update on July 9 and then again on July 14, which finally gave users the ability to manually uninstall the Zoom app, removed the local web server, and added the option to join a meeting with or without video enabled.
Since these vulnerabilities only affect macOS, I strongly urge Mac users to update their Zoom apps if they haven’t yet.
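Because the article notes that the local web server survived an uninstall, updating alone is worth verifying. The following added example (not Zoom’s code, not a tool from the disclosure) probes loopback ports for anything still accepting connections and grabs the first line of its HTTP reply so you can tell what is answering. The port list you pass is a placeholder: substitute the port(s) named in the vendor’s or researcher’s disclosure. The stub listener at the bottom is constructed so the example runs offline.

```python
"""Added example (not Zoom's code): confirm that no stale local helper is still
answering on the loopback interface after an update or uninstall."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_loopback(port, timeout=1.0):
    """Return (listening, banner).

    listening is True when something accepts a TCP connection on
    127.0.0.1:port; banner is the first line of its reply to a minimal
    HTTP request (empty if the listener is not HTTP or stays silent).
    """
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
            try:
                first = s.recv(256).split(b"\r\n", 1)[0]
            except socket.timeout:
                first = b""
            return True, first.decode("latin-1", "replace")
    except OSError:
        # connection refused / timed out: nothing is listening there
        return False, ""


def audit(ports):
    """Map each candidate port to its probe result. Anything listening after
    the helper was supposedly removed deserves a closer look (which process
    owns it, what it answers)."""
    return {p: probe_loopback(p) for p in ports}


def free_port():
    """Pick a loopback port nothing is bound to (used to show a negative result)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a lingering local HTTP helper."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"stub")

    def log_message(self, *args):
        pass


def start_stub():
    """Start the constructed stub on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    stub = start_stub()
    # CANDIDATE_PORTS is a placeholder list; the stub's port stands in for the
    # port a real disclosure would name.
    CANDIDATE_PORTS = [stub.server_address[1], free_port()]
    for port, (up, banner) in audit(CANDIDATE_PORTS).items():
        print(f"127.0.0.1:{port} listening={up} banner={banner!r}")
    stub.shutdown()
```

A listening port with an HTTP banner after the app is gone is the signal that the background server is still in place; a refused connection on every candidate port is what you want to see.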
Final Thoughts
Online privacy is a waning crescent that shrinks ever so steadily with every passing day. But the world owes much to independent cybersecurity researchers for bringing glaring holes in existing software apps to light.
Zoom’s 4+ million Mac-using customers are certainly better off now that the problem has finally been officially acknowledged and adequately resolved.
Author Bio:
Osama Tahir is a regular contributor at www.vpnranks.com. He is a staunch proponent of the scientific method who dabbles in blogging about science, technology, & online privacy.