A vulnerability in the Mac version of Zoom, the popular video conferencing application, could allow a hacker to turn on a user’s video camera without their authorization or disrupt their computer via a denial-of-service attack, according to research published Monday.
The vulnerability, found by security researcher Jonathan Leitschuh, exists in a Zoom feature that lets a user send a meeting invite as a web link; clicking the link launches the recipient straight into a video call. A phishing campaign or a website laced with malicious advertisements could abuse those links to pull a visitor into a call without any further prompt, Leitschuh said.
Leitschuh, a software engineer at the build-automation company Gradle, published his findings Monday on the blogging platform Medium after Zoom failed to fix the problem within the 90-day disclosure window he had given it.
“An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack,” he wrote.
Asked how many Zoom Mac users there were, a company spokesperson said Zoom doesn’t disclose such figures, but said the vulnerability affects a significant portion of its customer base.
Zoom, which claimed 40 million users as of 2015, has patched the denial-of-service (DoS) vulnerability. It plans to update the application Friday to make it easier for users to keep their web cameras off by default. There haven’t been any reported cases of the vulnerability being abused, the San Jose, California-based company said.
Zoom chief information security officer Richard Farley said it would be “readily apparent” to users if they had unintentionally joined a meeting, and that they could immediately leave the meeting or change their video settings.
“Our determination was that both the DOS issue and meeting join with camera on concern were both low risk because, in the case of DOS, no user information was at risk, and in the case of meeting join, users have the ability to choose their camera settings,” Farley wrote in a blog post.
The company required Leitschuh to sign a non-disclosure agreement (NDA) before receiving a bounty for the vulnerability. Leitschuh declined, saying he wanted to make the vulnerability public to protect users. While Zoom asserted that the NDA was standard practice, some cybersecurity experts criticized the tactic.
It’s called a bug bounty, not a bug bribe. https://t.co/GZYoNQudAN
— Beau Woods (@beauwoods) July 9, 2019
The security issues discovered by Leitschuh highlight the risk associated with default settings on popular applications that a user might overlook. Even if you’ve uninstalled the Zoom Mac application, a web server bound to localhost will remain running on your computer and can reinstall the application, according to Leitschuh.
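As an added example (not code from the article, from Leitschuh or from Zoom), the following shell script is the kind of check a Mac user or admin would run to see whether such a leftover localhost web server is still present. The port number 19421 and the directory ~/.zoomus are assumptions not stated on this page; both are overridable through environment variables. The lsof output embedded in the usage note below is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a machine for a localhost-only web server that survives
# uninstall of a desktop app, and for a leftover helper directory that could
# reinstall it. Defaults are assumptions, not facts from the article.
ZOOM_PORT="${ZOOM_PORT:-19421}"        # assumed helper port
ZOOM_DIR="${ZOOM_DIR:-$HOME/.zoomus}"  # assumed helper directory

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print "command port"
# for every socket bound only to the loopback address (IPv4 or IPv6).
# Such listeners are reachable from any web page the user opens, via
# requests to http://localhost:<port>/, even though they are invisible
# to the rest of the network.
loopback_listeners() {
  awk 'NR > 1 && $9 ~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/ {
         n = split($9, a, ":"); print $1, a[n] }'
}

# Exit 0 if the given port appears among the loopback listeners on stdin.
port_is_listening() {
  port="$1"
  loopback_listeners | awk -v p="$port" '$2 == p { found = 1 } END { exit !found }'
}

# Exit 0 if the leftover helper directory still exists.
leftover_dir_exists() {
  [ -d "$1" ]
}

# Run the live checks on this machine (lsof is present on macOS by default).
audit() {
  if command -v lsof >/dev/null 2>&1; then
    if lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | port_is_listening "$ZOOM_PORT"; then
      echo "WARNING: a process is listening on 127.0.0.1:$ZOOM_PORT"
    else
      echo "OK: nothing listening on loopback port $ZOOM_PORT"
    fi
  fi
  if leftover_dir_exists "$ZOOM_DIR"; then
    echo "WARNING: $ZOOM_DIR still exists; the helper it holds may reinstall the app"
  else
    echo "OK: $ZOOM_DIR is absent"
  fi
}

audit
```

To see what the parser matches without touching the live system, feed it a constructed lsof listing such as `ZoomOpene 612 alice 11u IPv4 0x1234 0t0 TCP 127.0.0.1:19421 (LISTEN)` alongside a wildcard-bound line like `sshd 101 root 3u IPv4 0x5678 0t0 TCP *:22 (LISTEN)`: only the first is reported, because only a loopback-bound listener is the kind a malicious web page can reach from the browser. If the warning fires after an uninstall, the remaining work is to stop the listening process and remove the directory, then re-run the audit.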
Following criticism of that feature, Zoom announced a patch for it on Tuesday.
UPDATE, 6:02 p.m. EDT: This story has been updated with Zoom’s announcement that it would patch the web-server feature.