Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras (theverge.com)

Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability for the Zoom video conference app on Macs that could allow websites to turn on user cameras without permission. The Verge reports: He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That's possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn't. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention. Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh's account, Zoom doesn't appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it's not an issue with their browsers, there's not much those developers can do. The report notes that you can "patch" the vulnerability by making sure the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting. "Again, simply uninstalling Zoom won't fix this problem, as that web server persists on your Mac," reports The Verge. "Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post."
  • by mrwireless ( 1056688 ) on Tuesday July 09, 2019 @12:37AM (#58894390)

    This is why I use the Oversight app by Objective See. It lets you know when something is accessing your webcam or microphone.
    https://objective-see.com/prod... [objective-see.com]

    Their other apps are amazing too, and they're all donation ware. Made by a guy who used to work at Apple.
    https://objective-see.com/prod... [objective-see.com]

    • by vlad30 ( 44644 )
      Piece of black tape; never use the webcam anyway.
      • by AHuxley ( 892839 )
        Software to tell you what wants to use the webcam is good too.
        • Can you trust the software? I'd at least like an indicator light controlled by firmware. But a stick-on lens cap is cheaper and more reliable and perhaps the simplest user interface.

      • Tape doesn't block the microphones on your device. The only truly good option would be to have a physical switch that electrically and manually disconnects the webcam and microphones when you want them off.

        Unfortunately, I don't know of one single laptop mfg that does that. The second best is to at least have a firmware controlled LED that lights up when either is active. My 2015 MBP has an LED for the webcam but not the microphones, and I don't know if that LED is tied directly to webcam activity.

    • by AHuxley ( 892839 )
      1+ for Oversight.
    • by ShanghaiBill ( 739463 ) on Tuesday July 09, 2019 @02:45AM (#58894580)

      This is why I use the Oversight app by Objective See. It lets you know when something is accessing your webcam or microphone.

      How many times has it triggered?
      Which apps / sites triggered it?

  • I keep wondering why people install apps when modern browsers have things like WebRTC built into them. Why Skype or Zoom or GoToMeeting when there's WebRTC? What are the benefits?

    • by Anonymous Coward

      WebRTC is a protocol (like TCP/IP and HTTP) but it does nothing for managing contacts, recording historical conversations, or conducting advanced features like remote-control assistance or user polling. Those features require some multi-channel platform.

    • by Anonymous Coward

      Because some people's employers require it for meetings.

      • by crow ( 16139 ) on Tuesday July 09, 2019 @07:46AM (#58895262) Homepage Journal

        My employer uses Zoom for meetings, and when you use a Zoom link, it tries to get you to install their application, but if you pay attention, you can skip that and just do it all in the browser, and it works great. I've seen no reason to install their software.

        • I tried that, but I've found that over lower-bandwidth connections, it tends to bog down pretty hard (you can only listen to someone's voice rubber-banding for so long before it becomes a massive irritant.)

    • I keep wondering why people install apps when modern browsers have things like WebRTC built into them. Why Skype or Zoom or GoToMeeting when there's WebRTC? What are the benefits?

      The fact that you're pointing out just a protocol (and not a product) aside...

      Because of stupid/cheap partners who you spend a zillion dollars with, yet they insist you use their Zoom app. Because vendors want to use it, and suddenly have all kinds of problems using Webex like normal people do. Because some cheapskate PHB in your multi-billion-dollar employer went 'oooh!' and 'ahh!' at the pretty UI, and now they demand that the rest of the corp (including *you*) use stuff like Zoom... and they're high up enough

  • by Anonymous Coward on Tuesday July 09, 2019 @03:00AM (#58894620)

    From the Medium post:

    # Disable automatic video start for all users:
    sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
    # Get the webserver process ID
    lsof -i :19421
    # Kill the webserver process, where $pid is the PID listed from above
    kill -9 $pid
    # Cleanup the zoom directory, prevent recreate
    rm -rf ~/.zoomus
    touch ~/.zoomus
    # Optionally delete the zoom.us app from Applications
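    An added audit script for the local web server those commands deal with (not from the Slashdot thread or the Medium post). It assumes, as the quoted commands do, that the helper listens on TCP 19421, keeps its state in ~/.zoomus and honours ZDisableVideo in us.zoom.config.plist; the lsof sample it parses is constructed, and the process names in it are made up.

```shell
#!/bin/sh
# Added audit script; not taken from the Slashdot post or the quoted Medium article.
# Assumes, as the quoted commands do, that the Zoom helper listens on TCP 19421,
# keeps its state in ~/.zoomus and honours ZDisableVideo in us.zoom.config.plist.
ZOOM_PORT=19421
ZOOM_PLIST=/Library/Preferences/us.zoom.config.plist

# Constructed sample of `lsof -i :19421 -P -n` output (process names are made up):
# one listening socket plus one browser connection to it.
SAMPLE_LSOF='COMMAND   PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
zoomhelp 4242 alice   5u  IPv4 0x1234      0t0  TCP 127.0.0.1:19421 (LISTEN)
browser  9001 alice  30u  IPv4 0x5678      0t0  TCP 127.0.0.1:50000->127.0.0.1:19421 (ESTABLISHED)'

# Read lsof output on stdin and print the PIDs of LISTEN sockets only (column 2,
# skipping the header row); connections from browsers are not the server itself.
listening_pids() {
    awk 'NR > 1 && /\(LISTEN\)/ { print $2 }' | sort -u
}

# Classify the state path: "directory" (the helper can rewrite it and reinstall
# Zoom), "blocked" (the plain file left by the `touch` mitigation above, which
# stops the directory being recreated) or "absent".
zoomus_state() {
    if [ -d "$1" ]; then echo directory
    elif [ -e "$1" ]; then echo blocked
    else echo absent
    fi
}

# Live audit for a Mac: reports the server, the state marker and the auto-video
# setting without changing anything. Returns 1 if the server is listening.
audit_zoom() {
    pids=$(lsof -i :"$ZOOM_PORT" -P -n 2>/dev/null | listening_pids)
    if [ -n "$pids" ]; then
        echo "web server listening on :$ZOOM_PORT, pid(s): $(echo $pids)"
    else
        echo "nothing listening on :$ZOOM_PORT"
    fi
    echo "~/.zoomus is $(zoomus_state "$HOME/.zoomus")"
    # `defaults read` exits non-zero when the key is missing: report it as unset
    video=$(defaults read "$ZOOM_PLIST" ZDisableVideo 2>/dev/null || echo "not set")
    echo "ZDisableVideo = $video (1 = camera off when joining)"
    [ -z "$pids" ]
}

audit_zoom
```

    Run it before and after the quoted cleanup: the marker should move from "directory" to "blocked" and the port from listening to free.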

  • by Anonymous Coward on Tuesday July 09, 2019 @03:19AM (#58894660)
    Let them hijack the camera on my MacBook, and let them watch the footage, they will be psychologically scarred for life, the things they'll see will haunt them in their dreams in ways that not even drugs can alleviate.
  • by Ronin Developer ( 67677 ) on Tuesday July 09, 2019 @04:16AM (#58894772)

    I just discovered it on my Mac. It was installed for a recent job interview.

    Terminated with extreme prejudice.

    Shit like this pisses me off.

  • by Anonymous Coward

    https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

  • by mellon ( 7048 ) on Tuesday July 09, 2019 @09:39AM (#58895664) Homepage

    The risk here is that somebody will trick you into starting a zoom session with you, and you won't notice, despite that the app will pop up when you click on the link, and despite that the camera light will come on.

    This is not a zero-day. This is not a root exploit. This is a trojan horse, and not a very effective one—it can't install itself and persist. It is deeply unfortunate that this is being described as a "zero-day exploit." The effect that disclosures like this have is to make us stupider, not smarter.

    • by Anonymous Coward

      I think the bigger news is this little web server that was installed without any documentation that never cleans itself up.

    • Yea, given that Zoom is now public, this smells like somebody trying to depress the stock. Is it concerning? Sure. Is it as serious as the clickbait titles portray it to be? Not really.
  • My webcam has a flap of cardboard over it at all times except when I decide I want to use it. I suppose a trojan could still watch me during the times I uncover it, but the scope for damaging exploits is considerably reduced.
