The vulnerability in the Zoom video conference app lets attackers hijack a Mac’s camera using nothing more than a malicious website.
The Zoom video conference app is currently being used by millions of users around the world and that makes it a lucrative target for cybercriminals.
Jonathan Leitschuh, an IT security researcher, has discovered a critical zero-day vulnerability in the Zoom video conference app for Mac devices which, if exploited, allows malicious websites to compromise a Mac’s camera, putting the privacy of millions of users at risk.
According to Leitschuh’s blog post, the vulnerability works in such a way that it “allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”
Furthermore, the same vulnerability can be exploited to conduct a DoS (Denial of Service) attack on a Mac by repeatedly joining the user to an invalid call.
It is worth mentioning that in a DoS attack, the attacker seeks to make a computer or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
What’s worse is that the zero-day also affects devices that previously had Zoom installed and later had it deleted. That’s because the app leaves a localhost web server on the device which re-installs the Zoom client on the system.
“Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”
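Both behaviours described above come down to a localhost web server that acts on requests any web page can send. As an added example (not Zoom’s code and not from Leitschuh’s post), here is how such a helper service can refuse that: it checks the Origin header against an allow-list, requires a per-install secret that web pages never see, and even then joins with the camera off. The allowed origin, the /join path and the token are constructed assumptions.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

# Constructed for this example (assumptions, not Zoom's real values).
ALLOWED_ORIGINS = {"https://example-conference.test"}
LOCAL_SECRET = secrets.token_hex(16)  # known to the desktop app, never to web pages

class HelperHandler(http.server.BaseHTTPRequestHandler):
    joined = []  # accepted join requests, recorded for inspection

    def do_GET(self):
        url = urlparse(self.path)
        qs = parse_qs(url.query)
        if url.path != "/join":
            return self._reply(404, "unknown endpoint")
        # A localhost listener is reachable from any web page, so the request
        # alone proves nothing: require a trusted Origin and the local secret.
        if self.headers.get("Origin", "") not in ALLOWED_ORIGINS:
            return self._reply(403, "origin not allowed")
        if not secrets.compare_digest(qs.get("token", [""])[0], LOCAL_SECRET):
            return self._reply(403, "missing or bad token")
        # Even an authorized join starts with the camera off; the user opts in.
        self.joined.append({"meeting": qs.get("id", [""])[0], "video": False})
        return self._reply(200, "joined with camera off")

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass

def start_server():
    """Bind the helper to loopback on an ephemeral port; return (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), HelperHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe(port, origin=None, token=None, meeting="123"):
    """Issue one GET the way a web page would; return the HTTP status code."""
    query = f"id={meeting}" + (f"&token={token}" if token else "")
    req = urllib.request.Request(f"http://127.0.0.1:{port}/join?{query}")
    if origin:
        req.add_header("Origin", origin)
    try:
        return urllib.request.urlopen(req, timeout=3).status
    except urllib.error.HTTPError as err:
        return err.code
```

Run `start_server()` and call `probe(port, ...)` with and without a trusted Origin and the secret to see which requests the helper accepts.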
Leitschuh’s blog post was published on July 8, 2019; however, the timeline of the vulnerability goes all the way back to March 2019. Apparently, Zoom was informed about the issue on March 8th, 2019, while the vulnerability was only fixed on July 7th, 2019, with a “quick fix” solution, which is no bueno.
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack,” Leitschuh said.
Leitschuh advises that, to secure yourself from this vulnerability, Zoom users on Mac should disable the app’s ability to turn on the webcam when joining a meeting. Additionally, update Zoom to the latest version as soon as possible.
Remember, if you are on the Internet you are vulnerable to all sorts of cyberattacks, and there’s not much that can be done if the flaws are in a trusted app like Zoom. However, you can still use anti-virus software, scan your device regularly, keep your system updated and visit Hackread on a daily basis for more cybersecurity-related news.