A security researcher recently reported a newly discovered security flaw hiding deep in Zoom, the video conferencing app, on Macs. The flaw can essentially hijack an affected device's camera. It was discovered and reported by Jonathan Leitschuh.
The flaw was reported as a zero-day vulnerability, meaning it is serious and merits an immediate fix. According to Leitschuh's investigation, any website can access and open almost any video-enabled call on a Mac, provided the Zoom app is installed. This is possible because Zoom is installed together with a local web server that accepts requests a browser would not normally be allowed to make. Riskier still, that web server is not removed even if Zoom is uninstalled from the system.
Following Leitschuh's disclosure, a number of tech publications reached out to him and confirmed that the flaw exists. Many Mac users have also voiced their frustration about the flaw on social media.
Leitschuh said that, before publicizing the flaw, he contacted Zoom's developers back in March and gave the company 90 days to produce a patch. He concluded that Zoom's developers did not do due diligence.
Leitschuh said that the same vulnerability was disclosed to the Chromium and Mozilla teams. However, since the flaw is not a browser issue, there is little they can do about it.
Zoom has yet to respond to the report. However, some users have put together a workaround to mitigate the issue. First, update the Mac's software to the latest version. Next, disable the Zoom setting that automatically turns on the webcam when joining a meeting.
Zoom claims that the workaround temporarily fixes the issue. In a statement, the company described the workaround as "a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
It is important to note that simply uninstalling the Zoom app does not fix the issue, since removing the app does not remove the installed web server. Turning off that web server requires running several commands in the terminal.