Did you know that your Macintosh webcam could have been hijacked? A serious security flaw in the Zoom video conferencing application joined Mac users to video calls without their permission.
Zoom has now released a fix – click here.
A vulnerability in the MacZoom client allowed malicious websites to enable Mac cameras without users’ permissions. This is a serious flaw that was thankfully discovered by Jonathan Leitschuh.
Jonathan Leitschuh, a US-based security researcher, reported this serious zero-day vulnerability. It allowed any website to forcibly join someone to a Zoom call, and activate their video camera.
Plus, he said that the vulnerability let any webpage cause a Denial of Service (DOS) by repeatedly joining the Mac user to an invalid call.
Even if the user uninstalled the Zoom application from their Mac, it could be re-installed remotely.
What Should Mac Users Do?
To fix this particular issue, Leitschuh advised that Mac users with the Zoom application installed, update it to the latest version of Zoom and then check the box in settings to “Turn off my video when joining a meeting.”
A computer webcam is always a potential gateway for security intrusion. This is why some users put a piece of tape over their webcam just in case.
Zoom Has Since Patched The Vulnerability
The vulnerability has been patched; however, the flaw could have exposed up to 750,000 organizations around the world that use Zoom.
Leitschuh said that the Zoom vulnerability was originally disclosed on March 26, 2019, and that a “quick fix” from Zoom could have been implemented to change their server logic. However, it took them 10 days to confirm the vulnerability. And, it wasn’t until June 11, 2019, that Zoom held their first meeting about how to patch the vulnerability. This was only 18 days before the required 90-day public disclosure deadline.
He said that he contacted Zoom on March 26, giving them the public disclosure deadline of 90 days. Zoom patched the issue, so a webpage couldn’t automatically turn on a webcam, but that this partial fix regressed on July 7th, allowing webcams to once again be turned on without permission.
What Was Zoom’s Response?
“Zoom installs a local web server on Mac devices running the Zoom client…This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless one-click-to-join meetings, which is our key product differentiator.”
Zoom also reported that they had no record of a Denials of Service or this type of weakness being exploited. They said that they fixed the security flaw back in May.
Thanks for helping us upgrade our Macs and get them working exactly as our business needs! Fast, convenient and very knowledgeable! You’re the best!
Alary Technologies has been our IT support team for the past year at the START Clinic for Mood and Anxiety Disorders. They have done a excellent job in upgrading our system, organization, and supporting us in technical computer matters. Compared to other IT companies we have worked with, Alary Technologies comes on top. Ahmed Kufaishi the Managing Director at Alary Technologies is solution focused, knowledgeable and makes an effort to really understand his clients’ needs. It has been a pleasure to work with Ahmed and Alary Technologies. I would recommend their services to other companies and clinics.
“We continue to work with Alary Technologies due to the fact that they are quite educated and knowledge based with current upgrades, and their commitment to their customers.”
Ahmed has been providing our company with expert IT services for close to 3 years. He has guided us through hardware upgrades, server back up procedures and was instrumental in brokering a custom software program that fully automated some key functions in our business. Ahmed has always been thoroughly professional in all his dealings with us and has provided consistent and sound advise for all of our IT requirements. We consider Ahmed and Alary Technologies to be an important partner for our business.
It is refreshing to work with someone who can organize things and describe in plain language. I have a large and growing knowledge base for my work as an architect. I have realized that I can’t do everything, that I do need a team member who can look after this one relatively small by crucial part of my practice.