Hackers can hijack your Mac webcam with Zoom. Here’s how to prevent it.

Less than three months after its IPO, Zoom is facing questions about a major security vulnerability.


by Emily Stewart on Vox — If you have a Mac and you have ever used Zoom video conferencing, you might have a problem.

On Monday, security researcher Jonathan Leitschuh publicly disclosed a vulnerability in video-conferencing company Zoom that apparently would allow someone to turn on your Mac’s webcam and force you to join a Zoom call without your permission. In a Medium post, Leitschuh said he initially disclosed the vulnerability to Zoom on March 26, 2019, but the company has still failed to resolve it beyond an initial, partial fix he’d first suggested.

Here is, basically, what Leitschuh uncovered:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

In other words, if you have Zoom installed on your Mac — or if you ever had it — a website could spy on you or undertake a denial of service (DoS) attack, where a bad actor could basically hit a user with a barrage of meeting requests and lock up his or her computer. As The Verge explains it, the Zoom app “installs a web server on Macs that accepts requests regular browsers wouldn’t.”

On Monday, people started to try the vulnerability out … and it worked.

This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf

— Matt Haughey (@mathowie) July 9, 2019

Leitschuh said that when he initially flagged the vulnerability, Zoom defended itself by implying it wanted customers to be able to choose to join a meeting with their microphone and video automatically enabled. But if someone doesn’t get the option to join the meeting in the first place, that’s not much of a choice. According to Leitschuh, Zoom made attempts to patch the vulnerability by preventing an attacker from turning on a video camera, but he was able to discover workarounds that would permit an attacker to force a target to join a call and activate their webcam.

This is a big deal: the flaw could expose up to 750,000 companies and the millions of people who use Zoom.

In response to a request for comment, Zoom pointed Recode to a blog post from the company’s chief information security officer Richard Farley, in which he disputes some of Leitschuh’s claims and downplays the severity of the vulnerability. He said that it would be “readily apparent” to a user if they unintentionally joined a Zoom meeting, because it would appear on their screen, and that there is “no indication” that the attacks the Medium post describes have ever happened. He said that Zoom’s security team responded to the initial flag within 10 minutes and determined that the issues were “low risk.”

Farley also explained how this happened in the first place: Zoom said it developed a local web server as a “workaround” after Apple changed its Safari web browser to require users to confirm they wanted to join video calls before launching them. He defended the decision as a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join-meetings, which is our key product differentiator.”

Zoom said that in May it released a fix for the DoS attacks, but because Zoom doesn’t think it’s a real risk to users, the update is opt-in. Later in July, Zoom will release a version of the app that will save a user’s video preference from their first meeting for all future meetings, meaning they can turn their video settings off and keep them that way.

Still, users were troubled by news of this security flaw.

Part of Zoom's response below. Basically: an update to Safari (probably for security?) added an extra click to joining a meeting. So Zoom added a whole damn, undisclosed, running webserver to your computer to Save You A Click. And it isn't sorry.

Really. pic.twitter.com/GoSHzAci3Y

— Dieter Bohn (@backlon) July 9, 2019

Let’s not overlook the root of the problem here: Zoom designed their application so the person controlling the meeting decided if your video camera is on, NOT YOU.
This was done on purpose by their product designers.

— SwiftOnSecurity (@SwiftOnSecurity) July 9, 2019

What to do about Zoom

Since Zoom hasn’t fully addressed the vulnerability in its software, Leitschuh outlined how to patch it yourself. Basically, you can turn off Zoom’s default setting that switches on your webcam whenever you join a meeting. He also laid out some terminal commands at the bottom of the post and explained how to test whether or not your fix is working.

Zoom, which was founded in 2011, went public in April — after Leitschuh first flagged this flaw. The company beat estimates during its first quarterly earnings report as a public company in June and has been among the best-performing tech IPOs of the year. It’s not yet clear how this vulnerability will affect its business overall, though the company’s stock price fell by about 1 percent on Tuesday.