Earlier this year, Apple faced a major security crisis when Group FaceTime was reported to have a bug that let people spy on iOS users simply by calling them. Now it's the turn of Mac users to experience much the same thing but, fortunately, it doesn't apply to all Mac owners, nor is it Apple's bug to fix. Unfortunately, the Zoom video conferencing app is so popular on Macs that this serious exploit is all the more dangerous.


Software developers naturally take steps to make their products as easy to use as possible, but sometimes those methods have terrible side effects. In the case of Zoom, the app installs a local web server on the Mac so that users can join video conferences simply by clicking a link. Unfortunately, it also leaves them vulnerable to attackers.

Clicking on one such “join” link could give a remote attacker access to the user’s camera with no need for the user’s consent. This, according to security researcher Jonathan Leitschuh, is due to the terrible security of the implementation, and to the fact that Zoom needs a web server at all to do its magic.

That web server is pretty much the root of all Zoom’s ills. Even uninstalling Zoom doesn’t fix it: the web server stays behind and, using the same exploit, a link can re-install the app, all of this without any interaction from the user.

Jul 09, 2019. Security Vulnerability in Video Conferencing App Zoom Allows Websites to Hack Into your Mac’s Camera. Posted by Rajesh Pandey on Jul 09, 2019 in macOS, News. A major zero-day vulnerability has been discovered in Zoom, a video conferencing app that is primarily used by businesses.

Zoom’s response, however, isn’t encouraging either. While it acknowledged the existence of the bug, Leitschuh says that the “quick fix” the company implemented doesn’t sufficiently address the problem. Worse, Zoom seems unwilling to move away from its web server-based magic to something more secure, all for the stated purpose of making life easier for its users, even if that also makes it less secure.

A vulnerability in Zoom’s video-conferencing software can allow any malicious website to enable a Mac camera without permission.

Security researcher Jonathan Leitschuh revealed the vulnerability could “forcibly join a user to a Zoom call with their video camera activated” without the user’s permission.

Leitschuh added that the vulnerability would have allowed any webpage to carry out a DoS attack on a Mac by repeatedly joining the user to an invalid call. Additionally, if a user had installed and then uninstalled the Zoom client, the localhost web server left on the machine could easily re-install the Zoom client without any user interaction.

The vulnerability arose from the simple Zoom feature for setting up meetings and video conferences: a user can send anyone a meeting link and, once it is opened in the recipient’s browser, the Zoom client opens on their device. Leitschuh uncovered that this functionality had not been implemented securely.


Leitschuh pointed out that not all Macs were vulnerable, only those whose users had not changed the setting that turns video off when joining a meeting.

Leitschuh commented:

“First off, let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me. Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher.”

Leitschuh disclosed the vulnerability to Zoom in late March, warning that he would go public after the 90-day disclosure deadline. Following a series of discussions the company proposed a quick-fix solution, which Leitschuh disputed.


“On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the ‘quick fix’ solution originally suggested.

Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.”

“This week, a researcher published an article raising concerns about our video experience,” Zoom responded.

“In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”


In regard to the DoS vulnerability for Mac devices, Zoom argued that a fix had been released in May 2019, but that it had not forced users to update because it was “empirically a low-risk vulnerability”.

Zoom has recommended that all security concerns be sent to its 24/7 support team. Additionally, Zoom is initiating a private bug bounty program, which will pay researchers to find flaws.



