Image credit: Kena Betancur via Getty Images

A flaw in Zoom's Mac app may have let attackers hijack webcams

The company released a 'quick fix' but hasn't addressed the underlying issue.

A serious security flaw in the Mac version of the conferencing software Zoom lets attackers hijack webcams, and it also leaves users vulnerable to phishing and denial-of-service (DoS) attacks.

The flaw takes advantage of Zoom's click-to-join feature. The exploit can force a user to join a conference with their webcam enabled, without their permission, if they click a specially crafted link in their browser.

The security issue occurs because Zoom installs a local web server that runs in the background on Macs. But this web server has poor security, and any website that a user visits can interact with it and make changes to users' machines. Worryingly, even if a user uninstalls Zoom, the web server remains active and can be used to reinstall the Zoom client when a user visits a webpage.

Security researcher Jonathan Leitschuh, who discovered and reported the vulnerability, warned that it could be used for two types of attacks: users could be lured into meetings with their cameras turned on, in order to gather information for phishing attacks, or users' machines could be the target of denial-of-service (DoS) attacks that send repeated junk requests to the local server.

Traditionally, desktop and web applications are sandboxed to prevent this kind of cross-communication. When Zoom was made aware of the security issue, it released a quick fix that saves a user's setting for whether video is enabled when they join a call, so users can at least have their cameras off by default. However, the fix did not address the underlying issue of the insecure local web server.
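The cross-communication described above (any web page the user visits can send requests to a server listening on the local machine, and a flood of such requests is the DoS case) and the checks a local web server needs before acting on a request, as an added Python illustration. This is not Engadget's reporting or Zoom's code, and the policy, class and function names, and the `request` dict shape are assumptions made for the example.

```python
"""Why a local web server reachable from any web page is dangerous, and a
hardened decision function that closes the gap (example code, assumptions only).

A browser will send a GET to a localhost URL on behalf of whatever page the user
is viewing, so "a request arrived" proves nothing about who sent it. The
hardened policy below therefore requires (1) a per-install secret that a web page
cannot know, (2) a Host header naming the loopback address the server is bound
to, and (3) a per-second rate limit to blunt junk-request floods.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import time


@dataclass
class LocalServerPolicy:
    secret: str                       # random per-install token, known only to the local client
    allowed_hosts: frozenset = frozenset({"127.0.0.1", "localhost"})
    max_per_second: int = 5           # assumed budget for the launch endpoint
    _hits: list = field(default_factory=list)

    def weak_should_launch(self, request: dict) -> bool:
        # The pre-fix behaviour the article describes: any request to the
        # launch endpoint starts a meeting, regardless of where it came from.
        return request.get("path", "").startswith("/launch")

    def hardened_should_launch(self, request: dict, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        # Check 2: only accept requests addressed to the loopback name we bound to.
        host = headers.get("host", "").split(":")[0]
        if host not in self.allowed_hosts:
            return False
        # Check 1: constant-time comparison of the per-install secret; a web page
        # embedding a localhost URL cannot supply it, so cross-site requests fail.
        token = str(request.get("query", {}).get("token", ""))
        if not hmac.compare_digest(token.encode(), self.secret.encode()):
            return False
        # Check 3: sliding one-second window; excess requests are dropped, so a
        # flood of junk requests cannot keep the client busy relaunching.
        self._hits = [t for t in self._hits if now - t < 1.0]
        if len(self._hits) >= self.max_per_second:
            return False
        self._hits.append(now)
        return request.get("path", "").startswith("/launch")
```

The weak variant accepts the same request from any origin; the hardened variant rejects it unless the token, Host header and rate budget all check out.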

The company defended its decision in a blog post, saying that without the web server, users would have to click to confirm they wanted to start the Zoom client before joining a meeting. "The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings." It also noted that it has no indication that the exploit has ever been used, and that even if it were to be used, users would see they had unintentionally joined a meeting and could leave immediately.

Whether the convenience of not having to click one extra button is worth the huge security issue created by the insecure web server is not a topic Zoom is keen to debate. In a statement to Gizmodo, the company said "one-click-to-join meetings" were its "key product differentiator" and it has not announced any plans to address the insecure web server issue.
