Zoom Mac Client Vulnerability Enables Cameras Without Permission



Have you used Zoom for web conferencing, podcasting, or anything else? Be aware that there is a vulnerability in the Mac Zoom client that can turn on your camera without your permission. Uninstalling Zoom does not fix the problem.

Jonathan Leitschuh posted a very detailed article on Medium explaining the situation. In short, the vulnerability in the Mac Zoom client allows any malicious website to turn on your camera without your permission. According to Jonathan Leitschuh, this issue potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, a web server listening on localhost remains on your machine, and it will happily re-install the Zoom client for you without requiring any user interaction on your part beyond visiting a webpage. This re-install ‘feature’ continues to work to this day.

If I’m understanding this correctly, the vulnerability takes advantage of a Zoom feature that allows users to send anyone a link. When the person opens that link in their browser, the Zoom client opens on their machine. A mean-spirited person could embed a specific piece of code into a website. When a Zoom user visits that website, the user will be connected to Zoom with their video running.

Zoom posted a “Response to Video-On Concern” on the Zoom blog. In that post, Zoom explains that “if the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed.”

Zoom explains that the Zoom client runs in the foreground upon launch, so, in Zoom’s view, it would be readily apparent to users that they had unintentionally joined a meeting, and they could change their video settings or leave the meeting immediately. According to Zoom, “we have no indication that this has ever happened.”

You can click on a link in the Zoom blog to connect with their support team. Zoom says it will go live with a public vulnerability disclosure program in the next several weeks. Until then, I recommend putting a sticker over your camera.
