Serious Zoom security flaw could let websites hijack Mac cameras – Synopsys


A security flaw reported in Zoom video conferencing software allows any website to turn on your Mac computer camera remotely without permission — even if you have uninstalled it previously. The vulnerability was reported over 90 days ago, but the Zoom team has yet to offer a proper security patch, putting over 4 million users at risk.

Boris Cipot, Senior Security Engineer at Synopsys Integrity Group, commented on this vulnerability and on what users can do to mitigate their exposure. He said, “All software has the potential to be vulnerable, and we can’t expect a company that provides proprietary software to be able to fix vulnerabilities immediately. The good thing is that once researchers disclose a vulnerability, they usually try to also offer a mitigation procedure or give you possible ways to mitigate the issue until a fix has been found. Users should monitor the software they’re using (operating systems, applications and their extensions), patch them when needed and mitigate any vulnerabilities disclosed. Nobody else will do it for you.

How serious is the threat?
Every security vulnerability brings threats, and they should all be treated as highly risky. This vulnerability, however, brings with it another level of risk for those who were just using Zoom as an invitee into a Zoom session. Imagine that you or your company decided to use Zoom as your meeting provider; you are doing all the necessary things to monitor the application and mitigate its vulnerabilities. But if you usually do not use Zoom and it just happened that you were invited into a Zoom session, you have the risk, or the vulnerability, on your device as well and are not even aware this risk exists. This means that you are now a potential target for someone who wants to use this vulnerability as well – in this case to lower the performance of a machine or to join a call with the camera activated without the user’s permission, which is a substantial privacy intrusion.

How easy is it for an attacker to exploit this issue?
The attacker does not have to have the user’s permission to join a Zoom call. This means that the vulnerability is easy to exploit. In the attack vector described in the article, any web page could interact with the local web server and abuse the vulnerability. That being said, the vulnerability would be triggered if the target were to visit a site that abuses the vulnerability. Even if this is a scenario that will most probably not happen, think about phishing attacks. As said, the vulnerability is on your Mac already if you’ve used Zoom as a participant in a call. An attacker could theoretically carry out phishing attacks, spam or other attack strategies where the user would need to click a link, lure potential victims to such a page and join them in a call without them knowing.

What can organisations do to mitigate their exposure to this threat?
The article by Jonathan Leitschuh delivers not only a good description of the problem but also a good mitigation procedure. He proposes disabling the ability for Zoom to switch on your camera automatically when joining a call. You can do this in the Zoom settings by selecting the option “Turn off my video when joining a meeting” or by using the Terminal. Also shut down the local Zoom web server that is running on your Mac and prevent it from being run again after the update. The description of how to do it is in the article. Also monitor Zoom for any notifications on patches and fixes for this vulnerability.
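As an added example (not from the article, from Synopsys or from Zoom), a small POSIX shell helper that parses `lsof` output and lists processes listening on the loopback interface, so you can confirm that the local web server is no longer running after following the mitigation steps above. The process names and port numbers in the embedded sample are constructed placeholders, not values taken from the article.

```shell
#!/bin/sh
# Added example: list TCP listeners bound to the loopback interface, parsed
# from `lsof -nP -iTCP -sTCP:LISTEN` output. Run it before and after the
# mitigation steps to check that the local web server is gone.
#
# Live use:  lsof -nP -iTCP -sTCP:LISTEN | loopback_listeners

# loopback_listeners: read lsof output on stdin and print "COMMAND PID PORT"
# for every listener bound to 127.0.0.1 or [::1]. Field 9 is lsof's NAME
# column (address:port); the header line is skipped.
loopback_listeners() {
    awk 'NR > 1 && $9 ~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/ {
        port = $9; sub(/.*:/, "", port)
        print $1, $2, port
    }'
}

# check_port PORT: read lsof output on stdin; return 0 if nothing on the
# loopback interface listens on PORT (the server is gone), 1 otherwise.
check_port() {
    ! loopback_listeners | awk -v p="$1" '$3 == p { found = 1 } END { exit !found }'
}

# Constructed sample in lsof's column layout (placeholder names and ports).
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
LocalSrv    512  alice   5u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:60000 (LISTEN)
sshd        120  root    3u  IPv6 0x3c4d      0t0  TCP *:22 (LISTEN)
Helper      640  alice   7u  IPv6 0x5e6f      0t0  TCP [::1]:60001 (LISTEN)'

# Demonstration on the constructed sample: prints the two loopback listeners,
# then reports whether the placeholder port 60000 is still in use.
printf '%s\n' "$SAMPLE_LSOF" | loopback_listeners
if printf '%s\n' "$SAMPLE_LSOF" | check_port 60000; then
    echo "port 60000: no loopback listener"
else
    echo "port 60000: still listening on loopback"
fi
```

Only listeners bound to the loopback addresses are reported; a service bound to all interfaces (such as the `*:22` line in the sample) is intentionally left out because it is not the kind of local-only server the mitigation is about.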