Video-conferencing app Zoom for Mac has a serious security flaw that could let malicious websites join users to video calls without their permission, security researcher Jonathan Leitschuh wrote in a Medium post.
The app lets people send a meeting link that others can click to join a video conference. However, according to Leitschuh, Zoom failed to introduce the feature securely. Besides allowing websites to join users to video calls and access their webcams, the vulnerability can also be used to carry out a DoS (denial-of-service) attack by repeatedly joining a user to an invalid call.
Just uninstalling the app will not fix anything either, since the app can be reinstalled without the user’s permission.
“Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”
Leitschuh first contacted Zoom in March regarding the vulnerability. While the company has introduced a fix for the problem, Leitschuh believes it to be insufficient, and disclosed a way for users to patch the vulnerability themselves by disabling Zoom's ability to turn on the user's webcam when joining a meeting. He also described a way to shut down the Zoom web server.