Shutterstock
- A researcher found a vulnerability in Zoom's Apple Mac app, which means users can have their cameras remotely activated by clicking a link.
- Even if a user uninstalled the app on their Mac, it could be remotely re-installed, the researcher found. Zoom has since patched this vulnerability.
- Zoom said the camera vulnerability was the result of a "legitimate solution to a poor user experience."
- Visit Business Insider's homepage for more stories.
Zoom users on Apple Mac are being left vulnerable to having their camera hijacked, researcher Jonathan Leitschuh revealed in a Medium post on Monday.
Leitschuh discovered the flaw in March which would allow malicious actors to remotely force users into joining Zoom calls, automatically turning their camera on.
"This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link... and when they open that link in their browser their Zoom client is magically opened on their local machine," he wrote in his blog.
Jonathan Leitschuh
Others on Twitter tried the vulnerability out for themselves with success.
Leitschuh also found that even if a user uninstalled Zoom on their Mac, a malicious actor could remotely re-install it. He also found attackers could launch denial of service (DOS) attacks, although this was patched by Zoom in May, according to a blog post released by the company.
Leitschuh recommends users can patch the vulnerability themselves by going into their settings and ticking "turn off my video when joining a meeting."
Jonathan Leitschuh
According to Zoom, this flaw stems from the fact it lets users click straight into Zoom meetings, a workaround it implemented after Apple rolled out an update which required users to confirm with a click if they want to launch Zoom every time they use it.
Zoom said the workaround was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
Read more: This is how attackers were able to spread spyware through WhatsApp with just a phone call
Although Zoom implemented a "quick fix," which Leitschuh recommended when he got in touch with the company in March, the researcher was not impressed with the company's response.
"Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service."
In a statement to Forbes, Zoom admitted the vulnerability was still live: "If an attacker is able to trick a target user into clicking a web link to the attacker's Zoom meeting ID URL, either in an email message or on an internet web server, the target user could unknowingly join the attacker's Zoom meeting."
Zoom went public in April after being founded in 2011. Its share price is down nearly 2% to $89.10 in pre-market trading on Tuesday, though it remains significantly above the $36 price it listed at. The company says its customers spend more than 5 billion minutes using the service for meetings every month.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
- Matt Haughey (@mathowie) July 9, 2019