Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to mount a DoS (denial-of-service) attack on a Mac by repeatedly joining the user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can protect themselves by disabling the setting that allows Zoom to turn on the Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Tags: security, Zoom


Top Rated Comments

1 week ago


"legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
Rating: 14 Votes
1 week ago
When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
Rating: 11 Votes
1 week ago
Let's see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
Rating: 8 Votes
1 week ago
OK, so Zoom is going on my "never use again" pile.
Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
Rating: 7 Votes
1 week ago
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
Rating: 3 Votes
1 week ago

enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."


More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
Rating: 3 Votes
6 days ago at 12:49 pm

Can you please help. I used Zoom once many months ago but uninstalled it shortly after. I just opened Terminal and ran the command lsof -i :19421 and sure enough ZoomOpene shows up. I then put kill <mypid> and it seems to be gone. But when I restarted my Mac it is running again. How do I completely remove the program as I have already uninstalled it? This seems really bad since I can't even patch since I can't find Zoom anywhere on my computer anymore.


The following commands will kill and remove Zoom and its web server:
pkill ZoomOpener
rm -rf /Applications/zoom.us*
rm -rf ~/.zoomus

Given their cavalier attitude toward security, I'm blocking it at work completely. Our Macs are receiving the commands above from our MDM to ensure it's removed from all endpoints, and our web filter now blocks the Zoom website as spyware. Even with the patch, this is indicative of poor security across their entire organization IMO, and I'm not going to allow anyone to put my users in jeopardy.
Rating: 2 Votes
1 week ago
You know, if they gave a decent reason it would at least be consoling to the user. Instead, it’s corporate babble attempting to excuse a security risk. And it also shows they don’t take security seriously.
Rating: 2 Votes
1 week ago

I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?

1. Quit Zoom if it's currently running
2. Run lsof -i :19421 in Terminal. If you see output, that means the local server is running. Grab the PID
3. If Step 2 returns output, run kill <PID from step 1> (exclude the angle brackets, so your final command should be something like kill 12345)
4. Uninstall the Zoom app

Edit: Oops messed up the step number... and missed a colon in the lsof command :)
Rating: 2 Votes
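The article's warning that uninstalling the app leaves the local web server behind, and the two commenters' Terminal steps above (check port 19421 with lsof, kill ZoomOpener, remove /Applications/zoom.us* and ~/.zoomus), fit together as one audit-and-remove script. The script below is an added example, not code from the article, from Leitschuh's post or from Zoom; the port number, the ZoomOpener process name and the removal paths come from the comments above, while the function names, the DRY_RUN switch and the sample lsof output are this example's own constructions.

```shell
#!/bin/sh
# Added example: audit a Mac for the Zoom local web server and optionally remove it.
# Port, process name and paths come from the comments above; everything else is an
# assumption of this example. DRY_RUN=1 (default) only prints what it would do.

ZOOM_PORT=19421
ZOOM_PROCESS=ZoomOpener
DRY_RUN=${DRY_RUN:-1}

# Constructed sample of what `lsof -i :19421` prints while the server is listening.
# lsof truncates the COMMAND column, which is why a commenter saw "ZoomOpene".
SAMPLE_LSOF_OUTPUT='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 4242 alice    6u  IPv4 0xabc       0t0  TCP localhost:19421 (LISTEN)'

# listener_pids OUTPUT: print the PID column of every non-header lsof line.
listener_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }'
}

# listener_commands OUTPUT: print the (possibly truncated) command name column.
listener_commands() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $1 }'
}

# server_present OUTPUT: succeed (0) if the lsof output lists any listener.
server_present() {
    [ -n "$(listener_pids "$1")" ]
}

# live_lsof: query the port on this machine if lsof is installed; empty otherwise.
live_lsof() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -i ":$ZOOM_PORT" 2>/dev/null
    fi
}

# run_or_echo CMD...: execute the command, or only print it under DRY_RUN=1.
run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# remove_zoom: the commenter's three removal commands (kill the server process,
# delete the app bundle, delete the hidden ~/.zoomus directory that holds the server).
remove_zoom() {
    run_or_echo pkill "$ZOOM_PROCESS"
    for app in /Applications/zoom.us*; do
        [ -e "$app" ] && run_or_echo rm -rf "$app"
    done
    run_or_echo rm -rf "$HOME/.zoomus"
}

# audit: report whether anything is listening on the Zoom port right now.
audit() {
    out=$(live_lsof)
    if server_present "$out"; then
        printf 'local web server listening on port %s: %s (pid %s)\n' \
            "$ZOOM_PORT" "$(listener_commands "$out" | head -n 1)" \
            "$(listener_pids "$out" | head -n 1)"
        return 0
    fi
    printf 'nothing listening on port %s\n' "$ZOOM_PORT"
    return 1
}

audit
remove_zoom
# A commenter above saw the process return after a reboot, so re-run `audit` after restarting.
```

Run it as `sh zoom_audit.sh` to see what it would do, and `DRY_RUN=0 sh zoom_audit.sh` to actually kill the process and delete the files; rerun the audit after a reboot, since one commenter observed the server coming back after a restart.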
1 week ago
“Oops, our bad.” I guess that’s an ok response.
Rating: 2 Votes