AfterDawn: Tech news

Zoom flaw put Mac webcams at risk of hijacking, says researcher

Written by James Delahunty @ 09 Jul 2019 11:36

Some Macs may have been vulnerable to webcam hijacking due to a flaw in how the Zoom video conferencing app handled one-click-joining.
Zoom aims to make it as easy as possible to add users to a video conference. One of its selling points is that users can join a video conference session by clicking on a link. However, the way in which this was achieved posed some security risks.

Researcher Jonathan Leitschuh found that the Mac version of the app installs a web server on the local machine. The web server left the user's computer open to certain attacks.

For example, an attacker could send a target a link to a maliciously crafted website that would join the user to the Zoom call with their webcam activated. A malicious page could also effectively carry out a denial of service attack on the Mac by repeatedly forcing the user to join an invalid call.



Another issue noted by Leitschuh is that even after the Zoom client is uninstalled, the local web server remains and can be tricked into reinstalling the Zoom client when the user visits a malicious webpage.

The Windows version of the software is not vulnerable.

The first flaw, which could force users into a conference call with the webcam activated, did not affect any user who had manually changed a setting to turn video off when joining a meeting.

An update has been pushed out by Zoom that ensures video is turned off on joining a meeting by default. Zoom also disputed the scale of Leitschuh's claims.

The developer also said that there was no evidence of the flaw being exploited in the wild, and that had users been targeted in this way it would have been very clear they had unintentionally joined a video conference, as the software is forced to the foreground.
