Watch Out! Your Mac Could Be Hijacked Through This Major Security Flaw
Dhir Acharya - Jul 10, 2019
On Monday, a security researcher said that there is a security flaw in video-conferencing app Zoom that turns on your Mac webcam without consent.
The webcam on your computer has long been a gateway for intruding on your privacy, which is why people such as Mark Zuckerberg put tape over theirs. Jonathan Leitschuh, a security researcher, said on Monday that there is a security flaw in the video-conferencing app Zoom.
The app is best known for its click-to-join feature: users only need to click a browser link to enter a Zoom video meeting. However, according to Leitschuh's explanation in a Medium post, he found several months ago that the app implements this feature insecurely, in ways that allow any website to put users into a call and activate their webcam without consent.
This also means any webpage can mount a denial-of-service attack on a Mac by repeatedly joining the user to invalid calls. Unfortunately, users cannot fix this problem simply by uninstalling the app. The click-to-join feature works because Zoom installs a web server on the device, and that server is able to reinstall the app without your permission.
According to the researcher's post, if you have installed and then uninstalled the Zoom client, a localhost web server remains on your device that will re-install the client for you, and triggering it requires nothing more than visiting a webpage. This re-installation still works today.
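The underlying design problem described above is that a web server bound to localhost is reachable by any webpage the user visits, so listening on 127.0.0.1 is not a form of authentication. The following added example (not code from the original article or from Zoom) contrasts a naive localhost "launch" endpoint that acts on any request with a hardened one that requires a per-install secret token and an allowlisted Origin. All names here (`/launch`, `LAUNCH_TOKEN`, `meetings.example`, `evil.example`) are constructed for illustration.

```python
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request
from urllib.parse import parse_qs, urlparse

# Hypothetical per-install secret. A real client would generate it at install
# time and share it only with its own trusted launcher, never with arbitrary pages.
LAUNCH_TOKEN = secrets.token_hex(16)
# Constructed allowlist of origins permitted to drive the local server.
ALLOWED_ORIGINS = {"https://meetings.example"}


def authorize(headers, query):
    """Hardened check: returns (allowed, reason).

    The token is the control that matters: a plain <img> or <script> fetch from a
    hostile page carries no secret. The Origin allowlist is defence in depth for
    fetch/XHR requests, which do carry an Origin header.
    """
    origin = headers.get("Origin") or ""
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    token = query.get("token", [""])[0]
    if not secrets.compare_digest(token, LAUNCH_TOKEN):
        return False, "bad token"
    return True, "ok"


def naive_check(headers, query):
    """The flawed pattern: any request to the localhost server triggers the action."""
    return True, "no check"


def make_handler(check):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urlparse(self.path)
            if url.path != "/launch":
                self.send_response(404)
                self.end_headers()
                return
            ok, reason = check(self.headers, parse_qs(url.query))
            body = json.dumps({"launched": ok, "reason": reason}).encode()
            self.send_response(200 if ok else 403)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_server(check):
    # Port 0 lets the OS pick a free port; server_port reports which one.
    srv = HTTPServer(("127.0.0.1", 0), make_handler(check))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, origin, token=""):
    """Simulate a webpage's request to the localhost server; return the HTTP status."""
    req = request.Request(
        f"http://127.0.0.1:{port}/launch?token={token}", headers={"Origin": origin}
    )
    try:
        with request.urlopen(req) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def demo():
    """Run both servers and return the status each returns for several callers."""
    naive = start_server(naive_check)
    hardened = start_server(authorize)
    results = {
        "naive_any_site": probe(naive.server_port, "https://evil.example"),
        "hardened_any_site": probe(hardened.server_port, "https://evil.example"),
        "hardened_allowed_no_token": probe(hardened.server_port, "https://meetings.example"),
        "hardened_allowed_with_token": probe(
            hardened.server_port, "https://meetings.example", LAUNCH_TOKEN
        ),
    }
    naive.shutdown()
    hardened.shutdown()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the naive server answering 200 to a request that claims to come from `evil.example`, while the hardened server answers 403 until the caller presents both an allowlisted Origin and the install-time token. The same reasoning applies to the uninstall case in the article: removing the app without removing the listener leaves the unauthenticated endpoint in place.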
If the Zoom app is already on your Mac, Leitschuh's post gives directions for neutralizing the local server. In addition, it is recommended that you enable the "Turn off my video when joining a meeting" setting.
According to the researcher, he reached out to Zoom on March 26 and gave the company 90 days before he would disclose the flaw publicly. Leitschuh said that Zoom patched the problem by disabling webpages' ability to turn users' webcams on automatically. However, this fix regressed as of July 7, and webcams once again turned on without user consent.
Zoom stated that the local web server acts as a workaround for Safari 12, introduced in September 2018.
The company added that Mac devices which run the Zoom client will have a local webserver. The statement says:
As for the potential denial-of-service attack, the company says that it has no record of the vulnerability being exploited and that it fixed the flaw in May.