Zoom security flaw could let strangers take over your webcam

A major security flaw has been exposed in the popular video conferencing app Zoom. Security researcher Jonathan Leitschuh went public about the vulnerability on Monday, saying he was doing so because the company hadn't responded to him after he informed them of the issue in late March of this year. This is what Leitschuh wrote in his Medium post about the issue:

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day."

If you have Zoom installed on your Mac or have ever had it installed on your computer - and it's likely you do, as there are approximately 750,000 companies and millions of people who use Zoom - someone with knowledge of the vulnerability could send you a video request and force your computer to participate. They could also make it impossible for you to use your computer by sending multiple requests to invalid calls over and over, in a Denial of Service (DoS) attack. This is possible because the Zoom client installs a local web server on the machine, and that server acts on requests from any webpage, sidestepping the confirmation prompt a browser would normally require before handing a request off to a local application.
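The secure-design lesson behind the flaw is that a localhost helper must not act on anything a random webpage can trigger. The following is an added illustration, not Zoom's code: a minimal local helper whose request policy requires a trusted Origin, a per-session token the page cannot guess, and a non-embedded fetch, so an image or iframe pointing at localhost accomplishes nothing. The trusted origin, port and action names are made-up placeholders.

```python
# Added example (not Zoom's code): a localhost helper that only acts on
# requests it can tie to the user's own site and session, instead of
# obeying any webpage that can reach 127.0.0.1. Values are placeholders.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
import secrets

TRUSTED_ORIGINS = {"https://example-vendor.invalid"}  # assumed vendor site
LOCAL_PORT = 18080                                     # assumed helper port
# Per-session token handed to the user's authenticated web session by the
# native client; a third-party page cannot read it, so it proves consent.
SESSION_TOKEN = secrets.token_urlsafe(32)
ALLOWED_ACTIONS = {"join"}

def classify_request(path, headers):
    """Return (status, reason). The weak policy the post describes would
    return 200 for any GET; this one rejects anything a hostile page
    could cause a browser to send without the user's involvement."""
    h = {k.lower(): v for k, v in headers.items()}
    query = parse_qs(urlparse(path).query)
    origin = h.get("origin")
    # Cross-site <img>/<iframe> loads carry no Origin at all; plain GETs from
    # other sites either omit it or name an untrusted site. Reject both.
    if origin is None or origin not in TRUSTED_ORIGINS:
        return 403, "untrusted or missing Origin"
    # Fetch-metadata headers (when the browser sends them) flag cross-site
    # and embedded loads even if Origin were somehow spoofable.
    if h.get("sec-fetch-site") == "cross-site" or \
       h.get("sec-fetch-dest") in {"image", "iframe", "document"}:
        return 403, "cross-site or embedded load, not an explicit call"
    supplied = query.get("token", [""])[0].encode()
    if not secrets.compare_digest(supplied, SESSION_TOKEN.encode()):
        return 403, "missing or wrong session token"
    action = query.get("action", [""])[0]
    if action not in ALLOWED_ACTIONS:
        return 400, "unknown action"
    return 200, "ok: client still shows its own confirmation before joining"

class LocalHelper(BaseHTTPRequestHandler):
    def do_GET(self):
        status, reason = classify_request(self.path, dict(self.headers))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LOCAL_PORT), LocalHelper).serve_forever()
```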

Leitschuh says that when he brought the issue to Zoom, they said it was actually a feature: They wanted customers to have the option to join Zoom meetings with their camera and microphone already on. They said they implemented it after Apple made a change that required Zoom users to confirm they wanted to join video calls before they launched. That move, Zoom's chief information security officer Richard Farley said, was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join-meetings, which is our key product differentiator."

In other words, this is another case of a major tech company sacrificing user safety and security for their bottom line. It may not be a coincidence that the flaw was pointed out to them in March and the company went public in April.

In response to the report, Zoom has updated their Mac app so that it no longer has a local web server, and users are now able to manually uninstall Zoom. Apple also got in on the action by issuing an update that removes the Zoom local web server from all Macs. Finally, Zoom has a release coming up this weekend that will "address video on by default."

About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure media vault, HTTPS Everywhere, Tenta DNS, and more.
