According to a Medium post by security researcher Jonathan Leitschuh, the video conferencing app Zoom has a serious flaw that could allow a website to access your Mac’s camera without your knowledge or permission. The flaw left around 750,000 companies around the world vulnerable.
The bug allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s consent. On top of this, the vulnerability would have allowed any webpage to DoS (denial of service) a Mac by repeatedly joining a user to an invalid call, according to the Medium post.
Leitschuh also found that even if a user uninstalled Zoom on their Mac, a localhost web server kept running silently on the machine and could remotely re-install the client without requiring any user interaction. The bug uses the Zoom feature where you can just send someone a meeting invite link, and when they open that link in their browser, their Zoom client is magically opened on their local machine.
In response, the company said, “In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”
Zoom defends the decision to install a local web server, saying that it was made to streamline the user experience of joining meetings and that the company is “not alone among video conferencing providers in implementing this solution.”