Zoom fixes webcam flaw for Macs, but security concerns linger

Zoom released a patch this week to fix a security flaw in the Mac version of its desktop video chat app that could allow hackers to take control of a user’s webcam. 

The vulnerability was discovered by security researcher Jonathan Leitschuh, who published information about it in a blog post Monday. The flaw potentially affected 750,000 companies and approximately 4 million individuals using Zoom, Leitschuh said.

Zoom said it’s seen “no indication” any users were affected. But concerns about the flaw and how it works raised questions about whether other similar apps could be equally vulnerable.

The flaw involves a feature in the Zoom app that lets users quickly join a video call with one click, thanks to a unique URL link that immediately launches the user into a video meeting. (The feature is designed to launch the app quickly and seamlessly for a better user experience.) Although Zoom gives users the option to keep their camera off before joining a call – and users can later turn the camera off in the app’s settings – the default is to have the camera on.

Users need to check this box in the Zoom app to shut down access to the camera.

Leitschuh argued that the feature could be used for nefarious purposes. An attacker could direct a user to a site containing a quick-join link embedded and hidden in the site’s code, which would launch the Zoom app and in the process switch the camera and/or microphone on without the user’s permission. That’s possible because Zoom also installs a web server when the desktop app is downloaded.

Once installed, the web server remains on the device – even after the Zoom app has been deleted.

Copyright © 2019 IDG Communications, Inc.

