Wed. May 22nd, 2024

A security researcher on Monday revealed a zero-day flaw, questioning the use of a local web server in the Mac client of the popular video conferencing service Zoom. The flaw allows websites to force a user into a call with their camera enabled. Researcher Jonathan Leitschuh disclosed the issues in a blog post this week, claiming that the Zoom bug allows malicious websites to enable cameras without user permission by taking advantage of a feature that is designed to let users quickly join video calls.

The issue, which is believed to impact only Apple users, exists because Zoom installs a web server on the Mac when the client is first installed. According to the company, “It is intended for convenience: to circumvent an update to Safari that asks users to accept launching the client before every call.” Detailed in a proof of concept, the flaw allows websites to initiate a video call on any Mac that has, or in some cases has had, the Zoom app installed. Depending on Zoom’s app version, a nefarious website is able to trigger a video call with a simple launch action or an iframe exploit.
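The following is an added illustration of the bug class described above, not Zoom's own code and not the researcher's proof of concept: a localhost "launch" helper whose weak request policy can be driven by any web page through an image or iframe load, beside a hardened policy that refuses cross-origin triggers. The port, endpoint path, header name, parameter name and vendor origin are all hypothetical, and the camera default is modelled rather than taken from Zoom's real behaviour.

```python
# Added illustration, not Zoom's code: a localhost "launch" helper that any web
# page can drive, beside a request policy that refuses cross-origin triggers.
# Port, path, header, parameter and origin names below are hypothetical.
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LOCAL_PORT = 8765                               # hypothetical listener port
LAUNCH_PATH = "/launch"                         # hypothetical endpoint
TRUSTED_ORIGINS = {"https://meetings.example"}  # hypothetical vendor origin
# Per-install secret the desktop client would share only with the vendor's own
# site after login; a third-party page never learns it. Generated per run here.
INSTALL_TOKEN = secrets.token_urlsafe(16)


def _parse(path, headers):
    """Split the request target into route and query; lower-case header names."""
    url = urlparse(path)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    hdrs = {k.lower(): v for k, v in headers.items()}
    return url.path, query, hdrs


def vulnerable_policy(method, path, headers, video_pref=True):
    """Weak design: any GET to the launch path with a meeting number joins it.
    A page can fire that request with <img src="http://localhost:8765/launch?confno=..">
    or an <iframe>; no credential is needed, so the browser's same-origin rules
    do nothing, and the camera follows the client's default (modelled as on)."""
    route, query, _ = _parse(path, headers)
    if method == "GET" and route == LAUNCH_PATH and "confno" in query:
        return ("join", query["confno"], video_pref)
    return ("deny", None, None)


def hardened_policy(method, path, headers, video_pref=False):
    """Refuse unless the request is a POST from a trusted Origin carrying the
    per-install token. <img>, <iframe> and <form> from a third-party page fail:
    they are GET, or carry the attacker's Origin, and never have the token.
    Video follows the local preference (default off), never the request."""
    route, query, hdrs = _parse(path, headers)
    if method != "POST" or route != LAUNCH_PATH or "confno" not in query:
        return ("deny", None, None)
    if hdrs.get("origin") not in TRUSTED_ORIGINS:
        return ("deny", None, None)
    if not secrets.compare_digest(hdrs.get("x-launch-token", ""), INSTALL_TOKEN):
        return ("deny", None, None)
    return ("join", query["confno"], video_pref)


class LaunchHandler(BaseHTTPRequestHandler):
    """Stand-alone server applying hardened_policy; run the module to try it."""

    def _respond(self, decision):
        self.send_response(200 if decision[0] == "join" else 403)
        self.end_headers()
        self.wfile.write(repr(decision).encode())

    def do_GET(self):
        self._respond(hardened_policy("GET", self.path, self.headers))

    def do_POST(self):
        self._respond(hardened_policy("POST", self.path, self.headers))


if __name__ == "__main__":
    print("install token:", INSTALL_TOKEN)
    HTTPServer(("127.0.0.1", LOCAL_PORT), LaunchHandler).serve_forever()
```

Two caveats for anyone adapting this pattern. A browser will only send the custom token header from the vendor's site if the server answers the CORS preflight (OPTIONS) for exactly the trusted origins, which the stand-alone handler above does not implement; and the token must be delivered to the web page over an authenticated channel, since any page that can read it can pass the check. Independent of request authorization, the camera state should come from a local preference that defaults to off, which is the protection the article goes on to describe.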

Zoom notes that users can avoid exposure by electing to disable video when joining a meeting the first time the program runs. Users must be proactive to maintain that protection, however.

“All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF,” Zoom told ZDNet. “For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting. Additionally, system administrators can pre-configure video settings for supported devices at the time of install or change the configuration at anytime.”
