Flaw lets ANYONE turn your Mac webcam on remotely and spy on you with video using ‘Zoom’ app
A FLAW in a popular Mac app allowed any website to turn on your webcam without your permission.
The bug – which affected the Zoom video chat app – would work even if you had uninstalled the software from your Mac computer.
Zoom is a hugely popular video-conferencing app used by businesses around the world.
It’s estimated that as many as 750,000 companies use Zoom for day-to-day business.
And this rogue bug could leave unsuspecting users open to spying, blackmail and hacking.
The design blunder was first spotted by security researcher Jonathan Leitschuh, who published a blog post detailing how it works.
Leitschuh claims to have told Zoom about the bug back on March 26.
But he says Zoom took 10 days to confirm the flaw, and that a fix was only implemented on June 24.
The fear is that any number of Zoom’s 4 million users may have been spied on.
Hackers could have exploited a setting that automatically turned a user’s webcam on when they joined a meeting.
Crooks simply needed to trick targets into joining a meeting without them realising, effectively setting up a remote video feed in the background.
But it gets worse: the bug still worked even if you had uninstalled Zoom.
“The local client Zoom web server is running as a background process, so to exploit this, a user doesn’t even need to be ‘running’ the Zoom app to be vulnerable,” Leitschuh explained.
“All a website would need to do is embed the [code] in their website and any Zoom user will be instantly connected with their video running.
“This could be embedded in malicious ads, or it could be used as part of a phishing campaign.”
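The quoted mechanism comes down to a helper web server that keeps listening on the Mac after the app is closed or removed. The script below is an added example for this article, not code from the article, the researcher or Zoom: a defender-side check that reports whether anything is still listening on that local port and whether the helper's install directory is still present. It assumes, since the article does not say, that the helper listened on TCP port 19421 of the loopback interface and kept its files under ~/.zoomus; the lsof sample it parses is constructed, including the ZoomOpener process name.

```shell
#!/bin/sh
# Added example for this article, not code from the article, the researcher or Zoom.
# A defender-side check for the leftover local web server described above.
# Assumptions (not stated in the article): the helper listened on TCP port 19421
# of the loopback interface and kept its files under ~/.zoomus.
ZOOM_LOCAL_PORT=19421
ZOOM_HELPER_DIR="$HOME/.zoomus"

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print the COMMAND column
# of every process listening on the given port. Returns 0 if one was found,
# 1 otherwise. Taking stdin rather than calling lsof keeps the logic testable offline.
find_local_listener() {
    awk -v port="$1" '
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME STATE
        # e.g.     ZoomOpener 512 alice 8u IPv4 0x1234 0t0 TCP 127.0.0.1:19421 (LISTEN)
        NR > 1 && $9 ~ (":" port "$") && $10 == "(LISTEN)" { print $1; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of lsof output (not captured from a real machine).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener  512 alice   8u  IPv4 0x1234      0t0  TCP 127.0.0.1:19421 (LISTEN)
sshd        101 root    3u  IPv4 0x5678      0t0  TCP *:22 (LISTEN)'

# Live check of this Mac. Run as: sh zoom_check.sh --live
check_this_mac() {
    status=0
    if listener=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | find_local_listener "$ZOOM_LOCAL_PORT"); then
        echo "WARNING: '$listener' is listening on localhost:$ZOOM_LOCAL_PORT (helper web server still running)"
        status=1
    else
        echo "OK: nothing is listening on localhost:$ZOOM_LOCAL_PORT"
    fi
    if [ -d "$ZOOM_HELPER_DIR" ]; then
        echo "WARNING: $ZOOM_HELPER_DIR still exists; the helper can be reinstalled from here"
        status=1
    fi
    return $status
}

if [ "${1:-}" = "--live" ]; then
    check_this_mac
else
    # Offline demonstration against the constructed sample: prints "ZoomOpener".
    printf '%s\n' "$SAMPLE_LSOF" | find_local_listener "$ZOOM_LOCAL_PORT"
fi
```

Without `--live` the script only parses the constructed sample, which is how the listener-matching logic can be checked on any machine; with `--live` it runs lsof on the Mac it is executed on and exits non-zero if either indicator is present. A listener on that port after the app has been removed is the condition the researcher describes, and the directory check covers the reinstall path the article mentions.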
Mac Zoom breach – advice from the experts
Here's what Lamar Bailey, cybersecurity expert at Tripwire, had to say...
- “This is a good example of why you should never overlook physical security.
- “The little adhesive camera covers available by the dozens at every computer conference or for a couple of pounds on Amazon are a much better solution than relying on software to do the right thing.
- “We install so many apps these days it is hard to keep up with the permissions they require and what they turn on by default on upgrades and reinstalls.
- “A physical barrier is far superior.
- “The same holds true for all assets: everything should have the least common privilege.
- “If a system does not need access to the internet then it should be blocked and any unrequired services should be disabled.
- “The more access a system or network has the more susceptible it is to breach.”
In a statement, a Zoom spokesperson admitted the design flaw, and denied that it had ever been abused.
“Zoom is working with a security researcher who raised concerns about video-on-by-default as a security vulnerability,” the spokesperson said.
“Zoom by default turns on the video of a user when they join a meeting.
“This could, in theory, create the potential for a hacker to trick a target into joining a video meeting on camera.
“Of note, we have no indication that this has ever happened.”
It’s important to note that this wasn’t a bug with Mac computers, but with the Zoom app specifically.
We’ve asked Zoom and Apple for comment and will update this story with any response.