Zoom for Mac has a security hole that means your webcam could be turned on without permission
Time to dig out the tape and cover up your webcam. The Mac version of the video conferencing tool Zoom has been found to have a flaw that enables a website to switch on your webcam without permission, and without notification.
Despite having been discovered and reported to Zoom by a security researcher three months ago, the vulnerability is yet to be patched. In fact, Zoom disagrees that there is a security issue, although it does say that users will be granted greater control over their video settings in an update due for release later this month.
The discovery was made by security researcher Jonathan Leitschuh who published details of his findings in a lengthy blog post. He warns that the flaw could be used by a malicious website to enable users' webcams, potentially placing hundreds of thousands of users at risk of privacy invasion -- even if they no longer have the Zoom client installed.
The security issue has been assigned CVE-2019-13450 and is described as follows:
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
Zoom has responded to Leitschuh's findings, essentially dismissing his report:
All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.
To be clear, the host or any other participant cannot override a user's video and audio settings to, for example, turn their camera on. [Zoom's emphasis]
This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker's Zoom meeting ID URL, the target user could unknowingly join the attacker's Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user's video feed.
The company goes on to say:
Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened.
Although Zoom apparently does not think Leitschuh's findings constitute a security issue, the company says it is updating video settings in its next release:
In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.
If you are concerned about the matter, Leitschuh's blog post has details of how to secure yourself until the update is released -- you can choose between disabling your camera when joining a meeting, or using a terminal command to kill the arguably problematic local web server. As the CVE note above points out, killing the server alone is not enough if the ~/.zoomus directory is left behind: remove that directory and replace it with a plain file of the same name so the server cannot be reinstalled.
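As an added example (not code from Zoom, the CVE entry or Leitschuh's post), the Python script below checks a Mac for the two conditions the CVE description above spells out, something accepting connections on localhost ports 19421 or 19424 and a leftover ~/.zoomus directory, and applies the file-system half of the workaround summarised in the previous paragraph: delete the directory and put a plain file in its place. The port numbers and the ~/.zoomus path come from the CVE text; the 000 mode on the placeholder file, the function names and the throwaway-home demo are this example's own assumptions. It does not kill the server process, because the page does not name it.

```python
"""Check a Mac for the two conditions CVE-2019-13450 describes and apply the
file-system part of the workaround. Added example; not code from Zoom, the
CVE entry or the researcher's post. Assumption: the 000 mode on the
placeholder file and the temporary-home demo are this script's own choices."""
import os
import shutil
import socket
import tempfile
from contextlib import closing

# Ports named in the CVE text for Zoom's localhost web server.
ZOOM_LOCAL_PORTS = (19421, 19424)


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if a TCP connect to host:port succeeds, i.e. something listens there."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def zoomus_path(home=None):
    """~/.zoomus, or the same name under an explicit home (used by the demo)."""
    return os.path.join(home or os.path.expanduser("~"), ".zoomus")


def zoomus_state(home=None):
    """'directory': the state dir the server uses (still a risk after an
    uninstall); 'file': the plain-file placeholder the CVE text recommends;
    'absent': nothing there."""
    path = zoomus_path(home)
    if os.path.isdir(path):
        return "directory"
    if os.path.isfile(path):
        return "file"
    return "absent"


def harden_zoomus(home=None):
    """Delete a ~/.zoomus directory and put an empty, unwritable plain file
    in its place so the directory cannot be recreated. Returns the new state."""
    path = zoomus_path(home)
    if os.path.isdir(path):
        shutil.rmtree(path)
    if not os.path.exists(path):
        open(path, "w").close()
    os.chmod(path, 0o000)  # assumption: mode 000 so nothing can read or write it
    return zoomus_state(home)


def assess(home=None, ports=ZOOM_LOCAL_PORTS):
    """Summarise the host: which ports answer, what ~/.zoomus is, and whether
    either finding means the workaround is still needed."""
    findings = {"port_%d" % p: port_is_listening(p) for p in ports}
    findings["zoomus"] = zoomus_state(home)
    findings["exposed"] = (any(findings["port_%d" % p] for p in ports)
                           or findings["zoomus"] == "directory")
    return findings


def demo_zoomus_hardening():
    """In a throwaway home: a leftover .zoomus directory is detected, then
    replaced by the plain-file placeholder. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(zoomus_path(home))
        before = zoomus_state(home)
        after = harden_zoomus(home)
        return before, after


def demo_port_probe():
    """Show the probe telling a live listener from a closed port on an
    ephemeral port: returns (listening while open, listening after close)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = port_is_listening(port)
    after_close = port_is_listening(port)
    return while_open, after_close


if __name__ == "__main__":
    print(assess())
```

Run it as the logged-in user on the Mac in question; `exposed` is True if either port answers or ~/.zoomus is still a directory. A listening port after the client has been uninstalled is exactly the situation the CVE note warns about, and the port probe is the quick way to confirm that killing the server actually took effect.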