Hackers could access cameras on millions of Apple Macs thanks to a vulnerability in Zoom’s video-conferencing software, a security researcher has found. Jonathan Leitschuh uncovered a way to force almost any Mac that has Zoom’s app installed to join a video call. One tech veteran who found he was at risk called the flaw “bananas”. Zoom disagreed about the severity of the issue but has updated its software so it is harder to abuse.
Mr Leitschuh said the problem arose because of the way Zoom sets up meetings and video-conferences. Generally, he said, this involves an organizer sending a web link to other people that they simply click on to join the meeting.
To make joining meetings easier, the Zoom Mac software puts a web server on every machine it is installed on. This handles the tricky job of interpreting the clicked link and connecting all the different machines together. Not all Macs were vulnerable, said the researcher. Only those users who did not change a setting that turned off video when they joined a meeting were at risk, he said. Hackers could exploit the flaw by putting booby-trapped code on websites that connected to the hidden web server when victims click on them.
“This Zoom vulnerability is bananas,” wrote blogging pioneer Matt Haughey on Twitter. He said he clicked one of the proof-of-concept links Mr Leitschuh supplied and connected to three other people “freaking out about it in real time”. Mr Leitschuh discovered that the web server is standalone software that persists on Macs even if the main Zoom software is removed. In his blog, he provided instructions on how to manually uninstall the server.
The problem does not occur on Windows machines because they handle Zoom meeting links in a different way. In his blog, the security researcher said he first contacted Zoom about the problem in late March warning it that he planned to go public with the information in 90 days. A series of discussions with Zoom’s security team followed, he added, which led the company to propose what Mr Leitschuh described as a “quick fix”.
Zoom disputed this version of events and said it had engaged with Mr Leitschuh within “minutes” of being told about the flaw. It said it would be “readily apparent” that anyone had fallen victim because the Zoom video application is programmed to be the foremost window on a user’s screen. It added that it had “no indication” that any of its millions of users had fallen victim in this way and said it disagreed with Mr Leitschuh about the “severity” of the issue. An update to Zoom has been rolled out that changes the way links for meetings are set up and that ensures video is turned off as a default, it said. Zoom also planned to set up a public bug bounty programmer that will pay researchers for finding flaws. Currently, Zoom runs an invitation-only bug hunting scheme.