Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated] - MacRumors
Skip to Content

Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

by

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.

isight
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Tags: Security, Zoom

Top Rated Comments

U
Unggoy Murderer
90 months ago

"legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
Score: 14 Votes (Like | Disagree)
Return Zero Avatar
Return Zero
90 months ago
When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
Score: 11 Votes (Like | Disagree)
M
MallardDuck
90 months ago
Let see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
Score: 8 Votes (Like | Disagree)
W
windywalks
90 months ago
OK, so Zoom is going on my "never use again" pile.
Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
Score: 7 Votes (Like | Disagree)
R
rmt55
90 months ago
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
Score: 3 Votes (Like | Disagree)
orbital~debris Avatar
orbital~debris
90 months ago
enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
Score: 3 Votes (Like | Disagree)
Read All Comments

Popular Stories

Apple Wallet

iOS 27 Will Add Two New Apple Wallet Features to Your iPhone

Monday June 1, 2026 12:15 pm PDT by
Apple is set to unveil iOS 27 during its WWDC 2026 keynote on Monday, June 8, and the update will reportedly include two new Apple Wallet features. First, iOS 27 will reportedly let users create their own digital passes by scanning items like movie tickets, concert passes, and gym membership cards. Many apps already offer Apple Wallet passes, but now users will be able to create a custom...
Read Full Article
Dynamic Island iPhone 18 Pro Feature

iPhone 18 Pro Battery Capacities Allegedly Leaked

Tuesday June 2, 2026 1:54 am PDT by
Battery capacities for Apple's upcoming iPhone 18 Pro have allegedly surfaced, and the numbers suggest only a modest increase over the iPhone 17 Pro. According to prolific Weibo-based leaker Digital Chat Station, Apple is testing the iPhone 18 Pro with different battery capacities for the China and U.S. versions of the device, similar to last year's iPhone 17 Pro models. The Chinese model is ...
Read Full Article39 comments
macOS 27 on MacBook Pro

Apple Says macOS 27 Won't Be Compatible With These Macs

Wednesday June 3, 2026 8:29 am PDT by
During WWDC 2025, Apple revealed that macOS 26 Tahoe would be the final major macOS version for Intel-based Macs. macOS 27 will be compatible with Apple silicon Macs only, meaning that you will need a Mac with an M-series chip or a MacBook Neo with an A18 Pro chip in order to install the software update. Apple will unveil macOS 27 during its WWDC 2026 keynote this Monday, June 8, and the...
Read Full Article88 comments