Webcam flaw lets hackers spy on people through Mac video conference app Zoom

More than 4 million webcams are at risk from the security flaw

Anthony Cuthbertson
Tuesday 09 July 2019 16:38 BST
A serious vulnerability with the Zoom video conference app could allow hackers to spy on people through their webcams (Getty Images/iStockphoto)


A serious vulnerability in the Mac version of the Zoom video conferencing app has been discovered by a security researcher. If exploited, it could allow hackers to spy on people through their webcams.

Software engineer Jonathan Leitschuh uncovered the bug within the Zoom app, and warned users that simply uninstalling the app would not fix the issue.

In a Medium post detailing the security flaw, Mr Leitschuh estimated that more than 4 million webcams were at risk, together with 750,000 companies around the world.

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission," he wrote.

"Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a local host web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage."

The vulnerability stems from Zoom's one-click-to-join feature, which lets people send a meeting link that opens a video call directly in the app. On Macs, the Zoom client installs a local web server on the machine to handle those links, and that server accepts requests from any web page.

A malicious website can therefore embed a request to that local server and force the Zoom app to open a meeting, with the camera switched on, without the person on the other end having to accept anything.

The vulnerability was originally reported to Zoom in March, Mr Leitschuh wrote, but the company only implemented a flawed "quick fix" that did not fully address the issue.

"Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner," he wrote.

"An organisation of this profile and with such a large user base should have been more proactive in protecting their users from attack."

The Zoom app has more than 40 million downloads, so security researcher Jonathan Leitschuh estimated that with Macs making up around 10 per cent of the PC market, then around 4 million people were at risk (Stephen Lam/Getty Images)

Zoom did not respond to a request for comment from The Independent.

In a statement provided to ZDNet, Zoom said that the use of a local web server on Macs was a "workaround" to changes introduced in the Safari 12 web browser.

The firm called it a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".

While uninstalling the app would not prevent the vulnerability from being exploited, Mr Leitschuh noted that users could stop the camera being switched on by disabling the Zoom setting that turns on video automatically when joining a meeting.
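As an added example for this article (not code from Zoom, Mr Leitschuh or The Independent), the following Python script audits a Mac for the two points raised above: whether a local web server is still listening after the app has been removed, and whether the client is set to switch the camera on automatically when joining. The port number (19421) and the preference key (ZDisableVideo in ~/Library/Preferences/us.zoom.config.plist) are assumptions taken from the public disclosure rather than from this page; check them against the vendor's current documentation before relying on them. Removing the leftover server itself is not attempted here.

```python
#!/usr/bin/env python3
"""Audit a Mac for the leftover Zoom local web server and the video-on-join setting.

Added example for this article; not code from Zoom, Jonathan Leitschuh or
The Independent. Assumptions (labelled, from the public write-up rather than
this page): the local server listens on TCP 19421 on localhost, and the
"turn video on when joining" behaviour is controlled by the ZDisableVideo key
in ~/Library/Preferences/us.zoom.config.plist (1 = camera stays off).
"""
import socket
import subprocess
from pathlib import Path

ZOOM_LOCAL_PORT = 19421                      # assumption: port from the disclosure
PREFS_PLIST = Path.home() / "Library/Preferences/us.zoom.config.plist"
VIDEO_OFF_KEY = "ZDisableVideo"              # assumption: preference key name

FINDING_SERVER = "local web server still listening on 127.0.0.1:%d" % ZOOM_LOCAL_PORT
FINDING_VIDEO = "camera turns on automatically when joining a meeting"


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if a TCP listener accepts a connection on host:port.

    Any OSError (connection refused, timeout, loopback unavailable) is treated
    as "not listening", so the check never raises.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            return False
    return True


def read_defaults(plist: Path = PREFS_PLIST, key: str = VIDEO_OFF_KEY) -> str:
    """Return raw `defaults read` output for key, or "" if unset or not on macOS."""
    try:
        result = subprocess.run(["defaults", "read", str(plist), key],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:                # `defaults` only exists on macOS
        return ""
    return result.stdout if result.returncode == 0 else ""


def video_off_on_join(defaults_output: str) -> bool:
    """Interpret `defaults read` output: only an explicit 1 keeps the camera off."""
    return defaults_output.strip() == "1"


def audit(server_listening: bool, defaults_output: str) -> list:
    """Turn the two raw observations into a list of findings (empty list = clean)."""
    found = []
    if server_listening:
        found.append(FINDING_SERVER)
    if not video_off_on_join(defaults_output):
        found.append(FINDING_VIDEO)
    return found


def harden_video_setting(plist: Path = PREFS_PLIST, key: str = VIDEO_OFF_KEY) -> bool:
    """Write the preference so the camera stays off on join; True if the write succeeded."""
    try:
        result = subprocess.run(["defaults", "write", str(plist), key, "-int", "1"],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False
    return result.returncode == 0


if __name__ == "__main__":
    findings = audit(port_is_listening(ZOOM_LOCAL_PORT), read_defaults())
    for line in findings:
        print("FINDING:", line)
    if not findings:
        print("no findings")
```

Run it as the logged-in user, since the preference file lives in that user's home directory. A clean machine reports no findings; if the server finding appears on a Mac where Zoom has been uninstalled, the leftover component the researcher describes is still present and needs to be removed separately, and the audit alone does not fix it.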
