And we’re back at the age-old laptop webcam conundrum. Ever since the world saw that even Mark Zuckerberg covers his webcam, we’ve become all the more sceptical about those little sensors. Now, if you use Zoom video conferencing software on your Mac computer, any website you’re visiting in your web browser can turn on your device camera without your permission. For reals.
Zoom outta here
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
Even if you installed the Zoom client on your device at some point and have since uninstalled it, a remote attacker can still activate your webcam. This is according to a Medium post written by Jonathan Leitschuh, a cybersecurity researcher. He disclosed details of an unpatched critical security vulnerability in the Zoom client app for Apple Mac devices, which, if combined with a separate flaw, could allow attackers to access the webcam and the device itself.
And even though Jonathan reported the security vulnerability to Zoom over 90 days ago, the company has still failed to roll out a proper security patch, which puts the privacy and security of over 4 million users at risk. Nice one, Zoom…
Gotta fix it
The flaw is the result of a Zoom feature that launches the Zoom client when a meeting link is clicked. Unless the user has explicitly configured their Zoom client to disable video on joining meetings, their video is immediately shared with anyone they are in a Zoom call with, including any attacker who has exploited the vulnerability to trigger a video call.
To fix the issue, Leitschuh advises Mac users who have the app installed to update to the latest version and then click a button in settings to “Turn off my video when joining a meeting.” Or you can, you know, just cover your webcam with a sticker and hope for the best.