Iamlittle Tech Blog

Huge security flaw with Zoom for Mac

Published on July 9th, 2019 by Duncan McClean.

Jonathan Leitschuh, a security researcher from the US, has publicly disclosed a vulnerability in the Mac client for the conferencing software Zoom which could allow hackers to activate your webcam without you even knowing.

The vulnerability could allow hackers to access your webcam without you ever being prompted. All the hacker would need to do is find a user who has Zoom installed on their Mac, or has installed it in the past, and inject a hidden iframe element (an embed) into a page on the local computer, which prompts Zoom to open and start a conferencing call.

Even uninstalling Zoom from your Mac doesn't stop the issue. Zoom installs a local web server on your machine, and that web server stays behind after you uninstall the client. Zoom calls it a feature, so you can install Zoom again if you are ever invited to another Zoom call.

Even after Jonathan, the security researcher, reached out to Zoom multiple times, the company has still not issued a proper fix for the issue. However, they have released a blog post.

10th July - Zoom have released a software patch to their Mac client which removes the local web server.

11th July - Apple have started to remove the local web server silently.