Your Mac could be hijacked through major security flaw in Zoom conferencing app

A security flaw in Zoom's Mac app lets websites join you to video calls without your permission.

Zoom says the flaw was born out of a workaround for Safari 12.

Sarah Tew/CNET

Your computer's webcam has always been a gateway for potential security intrusion, which is why people like Mark Zuckerberg and ex-FBI head James Comey put tape over theirs. On Monday, security researcher Jonathan Leitschuh gave Mac users another reason to fret over their webcams -- there's a security flaw in the Zoom video-conferencing app.

Zoom is most notable for its click-to-join feature, through which clicking on a browser link takes you directly to a video meeting in Zoom's app. But Leitschuh explained in a Medium post that he discovered months ago that Zoom achieves this in insecure ways, allowing websites to join you to a call and activate your webcam without your permission.

He added that this would allow any webpage to launch a denial-of-service attack on a Mac by repeatedly joining you to an invalid call. Uninstalling the Zoom app from your Mac isn't enough to fix the problem, either. Zoom achieves its click-to-join function by installing a web server on your computer -- which can reinstall Zoom without your permission.

"If you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you," Leitschuh writes, "without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day."

Here's the first setting you should change in Zoom.

Jonathan Leitschuh/Medium

For those of you who have the Zoom app installed on your Mac, Leitschuh lists directions in his Medium post to neutralize the local server. You should also activate the "Turn off my video" setting when joining a meeting, as seen above.

The researcher said he contacted Zoom on March 26, giving the company a public disclosure deadline of 90 days. He said Zoom patched the issue, disabling the ability of a webpage to automatically turn on your webcam, but this partial fix regressed on July 7, allowing webcams to once again be turned on without permission.

In a statement, Zoom said the local web server is a workaround for Apple's Safari 12 web browser, introduced last September.

"Zoom installs a local web server on Mac devices running the Zoom client," the statement reads. "This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting. We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

In regard to a potential denial-of-service attack, Zoom says it has no record of such a weakness being exploited, and says it fixed that security flaw in May.

Along with the likes of Slack, Uber and Pinterest, Zoom is one of many tech companies to go public in 2019. It raised $356 million upon its April 18 IPO, with its shares trading as high as $66 on that day. The stock has risen since, currently sitting at around $90.70.