Watch Out! Your Mac Could Be Hijacked Through This Major Security Flaw

Dhir Acharya - Jul 10, 2019

On Monday, a security researcher said that there is a security flaw in video-conferencing app Zoom that turns on your Mac webcam without consent.

The webcam on your computer has long been a gateway for intruding on your privacy, which is why people such as Mark Zuckerberg put tape over their webcams. Jonathan Leitschuh, a security researcher, said on Monday that there is a security flaw in the video-conferencing app Zoom.

The app is best known for its click-to-join feature, which lets users enter a Zoom video meeting just by clicking a browser link. However, according to Leitschuh’s explanation in a Medium post, several months ago he found that the app implements this feature insecurely, in a way that allows websites to put users into calls and activate their webcams without consent.

[Image: Your Mac could be hijacked due to this major flaw with the Zoom app]

This means any webpage can launch a denial-of-service attack on a Mac by repeatedly putting users into invalid calls. Unfortunately, users can't fix this problem by simply uninstalling the app from their computers. The click-to-join feature works on your Mac because Zoom installs a web server on the device, and that server is able to reinstall the app without your permission.

According to the researcher's post, if users have installed and then uninstalled the Zoom client, a localhost web server still exists on the device that is willing to re-install the client for them, and it requires nothing but visiting a webpage. This re-installation still works today.

If the Zoom app is already on your Mac, Leitschuh’s post gives directions with which you can neutralize the local server. In addition, it’s recommended that you enable the "Turn off my video when joining a meeting" setting.
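To make the "local server that survives uninstallation" concrete, here is an added endpoint check (written for this page, not code from the article, from Zoom, or from Leitschuh's post). It assumes two details that the article does not state: that the helper listens on TCP port 19421 on the loopback interface, and that its files live under ~/.zoomus; both are reported values from the researcher's write-up and are treated here as adjustable placeholders. The check reports whether anything is listening on that localhost port and whether the helper directory is still present, has been removed, or has been neutralized by replacing it with an empty file (the mitigation his post describes).

```python
import socket
from pathlib import Path

# Assumptions, not stated in the article: the helper was reported to listen on
# 127.0.0.1:19421 and to keep its files in ~/.zoomus. Adjust as needed.
ZOOM_HELPER_PORT = 19421
ZOOM_HELPER_DIR = Path.home() / ".zoomus"


def localhost_port_open(port, timeout=0.5):
    """Return True if something accepts TCP connections on 127.0.0.1:<port>.

    A refused connection (nothing listening) makes connect_ex return a
    non-zero errno, so this is a pure local probe with no request sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex(("127.0.0.1", port)) == 0


def helper_dir_status(path):
    """Classify the helper directory path.

    'absent'      -> nothing there
    'directory'   -> helper files present, so the local server may still run
    'neutralized' -> a zero-length regular file sits where the directory was,
                     which blocks the directory from being re-created
    'other'       -> something unexpected (non-empty file, symlink to file, ...)
    """
    path = Path(path)
    if not path.exists():
        return "absent"
    if path.is_dir():
        return "directory"
    if path.is_file() and path.stat().st_size == 0:
        return "neutralized"
    return "other"


def assess(port=ZOOM_HELPER_PORT, helper_dir=ZOOM_HELPER_DIR):
    """Combine both signals into a findings dict suitable for logging."""
    listening = localhost_port_open(port)
    dir_state = helper_dir_status(helper_dir)
    return {
        "port": port,
        "listening": listening,
        "helper_dir": dir_state,
        # Either signal alone is enough to warrant a closer look.
        "needs_attention": listening or dir_state == "directory",
    }


if __name__ == "__main__":
    # Constructed usage: run on the machine being checked.
    for key, value in assess().items():
        print(f"{key}: {value}")
```

The port probe is the more reliable of the two signals on a machine where the app was removed through the Finder, since the directory check depends on where a given client version kept its files; running both and logging the result per host gives a fleet-wide view of whether the leftover server is still present after users believe they have uninstalled.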

[Image: "Turn off my video when joining a meeting" setting in the Zoom app]

According to the researcher, he reached out to Zoom on March 26 and gave the company a 90-day deadline before he would disclose the flaw publicly. Leitschuh said that Zoom patched the problem by disabling webpages’ ability to turn users’ webcams on automatically. However, this fix regressed as of July 7, and webcams once again turned on without user consent.

Zoom stated that the local web server acts as a workaround for Safari 12, introduced in September 2018.

[Image: Zoom said that a local web server runs on Mac devices with the Zoom client]

The company added that Mac devices running the Zoom client have a local web server. The statement says:

[Image: Zoom's statement on the local web server]

Regarding the potential denial-of-service attack, the company says that it has no record of the vulnerability being exploited and that it fixed the flaw in May.
