Complete Story
07/10/2019
Daily Buzz: A Videoconferencing Tool’s Big Vulnerability
A Zoom vulnerability allows websites to access cameras on Macs
If your association relies on Zoom videoconferencing and uses Macs, a word of warning: Security researcher Jonathan Leitschuh has disclosed a vulnerability in the Mac Zoom Client, namely that it allows any malicious website to enable your camera without your permission.
“This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission,” Leitschuh says.
But uninstalling the software doesn’t remedy the issue, writes Dieter Bohn on The Verge.
“You can ‘patch’ the camera issue yourself by ensuring the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting,” he says. “Again, simply uninstalling Zoom won’t fix this problem, as that web server persists on your Mac.”
Leitschuh says he disclosed the issue to Zoom in March, but the company made no moves to fix the problem. In a statement to The Verge, Zoom said it developed the local web server to save users additional clicks after Apple updated Safari in a way that requires users to confirm if they want to launch Zoom each time they click a meeting link. The company defended the decision, saying it was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.”
However, after widespread backlash on Tuesday, the company had something of an about-face, releasing an emergency patch that could remove the web server entirely.
“We also recognize and respect the view of others that say they don’t want to have an extra process installed on their local machine,” the company’s chief information security officer, Richard Farley, told The Verge Tuesday evening. “So, that’s why we made the decision to remove that component—despite the fact that it’s going to require an extra click from Safari.”
Please select this link to read the original article from Associations Now.
