Security vulnerability in Zoom video conferencing app lets hackers spy on Mac users via webcams; company released emergency patch
The Zoom app has a serious vulnerability. The app, designed to let businesses join video conference meetings by clicking a web link, can let attackers spy on Mac users through their webcams, according to a discovery by security researcher Jonathan Leitschuh. Millions of Mac users of Zoom's video-conferencing client may be vulnerable to attack because of the flaw in the Zoom software installed on their machines.
Leitschuh discovered a vulnerability in the Zoom client for Mac that lets any malicious website pull a visitor into a Zoom meeting with the Mac's camera switched on, without the user's permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business. Zoom confirmed the report and issued an emergency patch the same day, after initially saying that it would not issue a full fix for the vulnerability.
The fix, detailed in one of several updates to Zoom's blog post, will "remove the local web server entirely, once the Zoom client has been updated," taking away a malicious third party's ability to activate webcams automatically through a Zoom link. The vulnerability arises because the Zoom installer sets up a local web server on any Mac that installs the application, and the client uses that server to bypass a security measure in Safari 12: Safari shows a dialogue box asking the user to confirm before a web page may launch Zoom and join a new meeting. Since a web page can send a request to the local server on the user's own machine instead of asking Safari to open the app, an attacker could start a meeting with the victim's camera on without that confirmation ever appearing.
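The practical check a Mac administrator wants after reading this is whether the local web server is still listening on their machines, both before the patch and after it. The following script is an added example, not code from the article or from Zoom: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and reports any TCP listener bound to the loopback interface that belongs to a Zoom process. The sample listings are constructed for the example; the port number 19421 and the daemon name ZoomOpener that appear in them come from the public disclosure, not from this article, and the check does not rely on either value, only on a Zoom-named process listening on 127.0.0.1 or [::1].

```python
"""Added example (not Zoom's code and not from the original article): find
loopback TCP listeners owned by a Zoom process in `lsof` output, i.e. the kind
of hidden local web server described above."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample output in the column layout `lsof -nP -iTCP -sTCP:LISTEN`
# prints on macOS. ZoomOpener and port 19421 are assumed from the public
# disclosure; they are not stated in the article and the check does not need them.
SAMPLE_BEFORE_PATCH = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    501 alice    4u  IPv4 0x1a2b3c4d5e6f      0t0  TCP *:49152 (LISTEN)
ZoomOpener  612 alice    7u  IPv4 0x1a2b3c4d5e70      0t0  TCP 127.0.0.1:19421 (LISTEN)
node       2345 alice   23u  IPv6 0x1a2b3c4d5e71      0t0  TCP [::1]:3000 (LISTEN)
"""

# Same machine after the patch that removes the local web server.
SAMPLE_AFTER_PATCH = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    501 alice    4u  IPv4 0x1a2b3c4d5e6f      0t0  TCP *:49152 (LISTEN)
node       2345 alice   23u  IPv6 0x1a2b3c4d5e71      0t0  TCP [::1]:3000 (LISTEN)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str
    port: int

    @property
    def loopback_only(self) -> bool:
        # Bound to the loopback interface: reachable from a web page the user
        # visits (http://localhost:<port>/) but not from other hosts.
        return self.address in ("127.0.0.1", "[::1]", "localhost")


# COMMAND PID USER FD TYPE DEVICE SIZE/OFF TCP <addr>:<port> (LISTEN)
_LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\*|\d+\.\d+\.\d+\.\d+|\[[0-9a-fA-F:]+\]):(?P<port>\d+)\s+\(LISTEN\)$"
)


def parse_listeners(lsof_output: str) -> list[Listener]:
    """Parse `lsof -nP -iTCP -sTCP:LISTEN` output into Listener records.

    The header line and anything that does not look like a listening TCP
    socket are skipped.
    """
    listeners = []
    for line in lsof_output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m:
            listeners.append(
                Listener(m["cmd"], int(m["pid"]), m["addr"], int(m["port"]))
            )
    return listeners


def zoom_local_servers(lsof_output: str) -> list[Listener]:
    """Return loopback-only listeners whose process name mentions Zoom.

    lsof truncates long command names to nine characters by default, so the
    match is a case-insensitive substring test rather than an exact name.
    """
    return [
        l for l in parse_listeners(lsof_output)
        if l.loopback_only and "zoom" in l.command.lower()
    ]


def live_lsof_output() -> str:
    """Run lsof on the local machine (macOS or Linux) and return its stdout."""
    result = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    for hit in zoom_local_servers(live_lsof_output()):
        print(f"Zoom local web server still present: {hit.command} "
              f"(pid {hit.pid}) listening on {hit.address}:{hit.port}")
```

Run it before and after applying Zoom's update: a Zoom-owned loopback listener in the report means the local web server is still installed and the Safari confirmation can still be bypassed; an empty report after the update is what the patch described below is meant to produce.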
Zoom also promised to ship a fix by midnight tonight Pacific Time that removes the hidden web server. In addition, Zoom has a release planned for this weekend (July 12) that will address another security concern: video being on by default. With this release:
1. First-time users who select the "Always turn off my video" box will automatically have their video preference saved. The selection will be applied to the user's Zoom client settings and their video will be OFF by default for all future meetings.
2. Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.
Below is a timeline of security updates Zoom provided on its website.
[UPDATE 2:35 pm PT, Tuesday 7/9] The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.
[UPDATED 1:15 pm PT, Tuesday 7/9] We appreciate the hard work of the security researcher in identifying security concerns on our platform. In response to these concerns, here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend:
JULY 9 PATCH: The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – We're adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, "Uninstall Zoom." By clicking that button, Zoom will be completely removed from the user's device along with the user's saved settings.