'Zoom' App Security Flaw Allows Hackers To Hack Into Mac's Webcam

Windows' apps are probably the most exploited. But that doesn't mean hackers won't exploit apps on other platforms when they see one.

Researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability on the Zoom video conferencing app on Macs.

He demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed.

This is possible because Zoom app apparently installs a web server on Mac computers that accepts requests that third-party web browsers wouldn't.

While Zoom in turning on Mac users' camera is already a problem, the issue can be made worse because the existence of a web server on a computer could open up an array of more problems. From denial-of-service attacks to other Mac users by repeatedly joining them to an invalid call, to attackers in embedding in malicious ads, or creating phishing campaigns.

Furthermore, when the web server is present, users cannot simply uninstall Zoom, because it persists and reinstall Zoom without user intervention.

Only one line of code is needed for malicious actors to launch an attack
Embedding this code with an iframe, attacker can automatically activate the target's video camera

How this flaw works, is by leveraging Zoom's simple inviting feature.

Zoom allows users to just send anyone a meeting link (for example https://zoom.us/j/492468757). And when Mac users open that link, their Zoom client will magically open on their local machines.

As of 2015, Zoom had over 40 million users. Given that Macs are 10% of the PC market and Zoom has had significant growth since 2015, according to Leitschuh, there is at least 4 million of Zoom’s users are on Mac including 750,000 companies around the world that use the app to conduct their day-to-day business.

Leitschuh detailed how he disclosed the vulnerability personally to Zoom back in March 26, 2019, giving the company 90 days to solve the problem.

At first, Zoom didn't do much to resolve the issue. What the company did, was only creating a "quick fix" which prevented attackers from turning on users' video camera. Zoom at first did not disable the ability for an attacker to forcibly join to a call anyone visiting a malicious site.

Using the app's UI, users can disable this

With users experiencing the issue, the vulnerability was also disclosed on both the Chromium and Mozilla teams. But since the flaw isn't a problem present on those browsers, the developers cannot do much.

According to Zoom's statement, the app installs a web server on Macs locally to save users some clicks.

After Apple changed how its Safari web browser works in a way that requires Zoom users to confirm that they really do want to launch Zoom, Zoom defends the app's local web server as a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

As a workaround to prevent Zoom in automatically turning on Macs' camera, users can patch camera issue by first ensuring the Mac app in updated to the newest version.

Then, they can continue by disabling the setting that allows Zoom to turn on the camera when joining a meeting. Alternatively, they can also run some terminal commands to turn off the web server altogether.

On July 9th, Zoom said that it is releasing a fix which would remove the hidden web server. A few days later, Apple pushed a silent update to Mac users to remove the web server.