
Zoom backtracks on 'legitimate solution' that left Mac webcams vulnerable to hijacking

By Cal Jeffrey
Jul 10, 2019
As you may recall, we reported on Tuesday that a security researcher had discovered that the video conferencing app Zoom for macOS could be used to hijack a computer's webcam with relatively little effort. The vulnerability is facilitated by a local web server that Zoom installs on the device to make it possible to join meetings with one click.

However, a malicious website can exploit the web server by sending it a request for a video feed. Zoom was informed of the exploit but said that it did not plan to remove the feature because it was a "legitimate solution" that other service providers have used as well.

Only hours after media accounts began going live, Zoom surprisingly reversed its stance and pushed out an immediate patch to fix the security issue, followed by an official statement.

"We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service."

The update comes in two parts. The first part, which is available now from the company's download page, "completely" removes the local web server from the Mac once the client app is updated. It also allows users to manually uninstall Zoom using a menu option in the client software. This uninstall feature removes both the app and the web server.

The second part of the update will roll out this weekend on July 12. It will address the issue of video being on by default. For new users, the "Always turn off my video" checkbox in the client settings will be checked by default. It was previously unchecked. Existing users will need to go into the preferences and change this manually, and the software will now save these settings — something it did not previously do.

Ultimately, the voice of users and security professionals led Zoom to decide that the risks outweighed the convenience the local web server provided.


VitalyT:

And the best patch thus far...

(Last edited: Jul 10, 2019)
psycros:

Zoom's statement shows that at best they're incompetent and at worst they're up to no good. I don't see a rosy future for these Cisco-wannabes in either case, esp. considering that a big chunk of their business was doctor-patient conferencing.
Lew Zealand:

We evaluated a lot of videoconferencing apps for general use in our org and Zoom was clearly the best product, by far the easiest to set up and use. I hope never to see WebEx, GoToMeeting, or any of the others again, though other collaborators will always use whatever their org uses, of course.

FWIW, I tested Zoom on my Mac today and after the test meeting, it offered to do the update mentioned here. Of course I have no video cam (and no mic, as I found today), so the vuln here was nothing that impacted me directly.
