Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

Tuesday July 9, 2019 3:58 AM PDT by Tim Hardwick

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Tags: security, Zoom

Top Rated Comments

(View all)
Avatar
10 months ago


"legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
Score: 14 Votes (Like | Disagree)
Avatar
10 months ago
When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
Score: 11 Votes (Like | Disagree)
Avatar
10 months ago
Let see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
Score: 8 Votes (Like | Disagree)
Avatar
10 months ago
OK, so Zoom is going on my "never use again" pile.
Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
Score: 7 Votes (Like | Disagree)
Avatar
10 months ago

enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
Score: 3 Votes (Like | Disagree)
Avatar
10 months ago
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
Score: 3 Votes (Like | Disagree)

Top Stories

Leaker Claims New 13-inch MacBook Pro Coming as Soon as Next Month

Monday April 6, 2020 2:56 am PDT by Tim Hardwick
Apple will announce a new 13-inch MacBook Pro in May with the codename J223, according to a rumor shared by YouTuber and leaker Jon Prosser. Note: it’s a refresh to the current 13” So the bigger 14” display upgrade is a big possibility— Jon Prosser (@jon_prosser) April 4, 2020 Analyst Ming-Chi Kuo has said Apple plans to release new MacBook Pro and MacBook Air models with scissor keyboards ...

'Leaked' Images Allegedly Show iPhone 12 With Smaller Notch, Rear Camera Redesign, and Home Screen Widgets

Tuesday April 7, 2020 4:28 am PDT by Tim Hardwick
Two images shared on social media this morning are currently stoking speculation about possible hardware redesigns coming to the iPhone 12 and the potential introduction of Home screen widgets in iOS 14. Shared by Twitter user Fudge (choco_bit), the images depict a front and rear graphical representation of a smartphone with interface elements on the screen, suggesting it came out of a...

Apple Releases iOS and iPadOS 13.4.1 With Fix for FaceTime Bug

Tuesday April 7, 2020 10:06 am PDT by Juli Clover
Apple today released iOS and iPadOS 13.4.1, minor updates that come two weeks after the release of iOS and iPadOS 13.4, major updates that introduced iCloud Folder Sharing, a new Mail toolbar, trackpad support for the iPad, and more. The iOS and ‌iPadOS‌ 13.4.1 updates are available on all eligible devices over-the-air in the Settings app. To access the updates, go to Settings > General...

More References to Apple's Upcoming Low-Cost iPhone Appear Online

Monday April 6, 2020 4:38 am PDT by Tim Hardwick
Further references to Apple's upcoming low-cost iPhone have appeared online, one on a Chinese e-commerce website and another on Verizon's smartphone trade-in page. Spotted by tech blog MySmartPrice, Chinese retailer JD.com has published a placeholder for Apple's so-called "iPhone 9" that includes a teaser image of a veiled smartphone, but other than that it lacks any particularly revealing...

Apple Reportedly Targeting WWDC for Over-Ear Headphones Launch, New 'AirPods X' Later in the Year

Tuesday April 7, 2020 7:00 am PDT by Eric Slivka
Rumors of Apple-branded over-ear headphones have been circulating for quite some time, while more recent rumors have mentioned an "AirPods Pro Lite" that could also be in the works, and Twitter leaker Jon Prosser's recent foray into Apple rumors provides a bit more detail on what we might able to expect for these products. Current Beats Studio3 Wireless and BeatsX On the over-ear side,...

Facebook Launches 'Tuned' Messaging App for Couples

Wednesday April 8, 2020 4:50 am PDT by Tim Hardwick
Facebook has quietly released Tuned, a new messaging app designed to provide a "private space" for couples to connect, reports The Information. Designed by NPE, an experimental group within the company that was established last year, the app encourages couples to share messages, notes, cards, voice memos, photos and Spotify songs with each other, thereby creating a "digital scrapbook" of...

Apple Shares Assembly and Use Instructions for New Face Shields, Shipping 1 Million Per Week to Medical Workers

Tuesday April 7, 2020 8:54 am PDT by Eric Slivka
Following this weekend's news from Tim Cook that Apple is working with its supply chain to produce a million face shields per week for medical workers, the company has shared a support document outlining how to assemble and adjust the shields. The document includes a series of images and animations showing how the simple three-piece product can be assembled for either a regular fit or with...

Some Users Experiencing System Crashes on macOS 10.15.4, Especially During Large File Transfers

Monday April 6, 2020 8:17 am PDT by Joe Rossignol
A sizeable number of Mac users are experiencing occasional system crashes after updating to macOS Catalina version 10.15.4, released a few weeks ago. The crashing issue appears to be most prominent when users attempt to make large file transfers. In a forum post, SoftRAID described the issue as a bug and said that it is working with Apple engineers on a fix for macOS 10.15.5, or a...

2020 iPad Pro Confirmed to Lack a U1 Ultra Wideband Chip

Tuesday April 7, 2020 7:52 am PDT by Eric Slivka
Last week, we laid out evidence suggesting that the just-released iPad Pro models do not contain a U1 Ultra Wideband chip, including the lack of any mention of the chip in tech specs or Apple's press materials, the absence of software support for U1 features, and more. Most tellingly, iFixit was unable to find the chip or related antennas in the device. Daring Fireball's John Gruber has follo...

The New York Times, IFTTT, Medium, and Other Apps Adopt Sign in With Apple Ahead of June 30 Deadline

Sunday April 5, 2020 7:08 pm PDT by Frank McShan
Apps with sign-in functionality, including The New York Times, IFTTT, Medium, and more, have continued to adopt Apple's secure Sign in with Apple feature ahead of a deadline of June 30. The deadline for these apps to support the feature was recently extended from April 30. Sign in with Apple, first introduced in iOS 13, allows users to create accounts for apps and websites using an Apple ID. ...