Mac Exploit Activates Web Cam Without your Permission


The Mac version of Zoom, a video conferencing app, has serious flaws left unaddressed despite disclosures. When visiting a malicious website, hackers can activate your camera without permission. If you uninstalled Zoom, the malicious site can reinstall it without your interaction.

Security researcher Jonathan Leitschuh noticed that Zoom has the capability to auto-join and start a video session just by visiting a link. He wondered how the company securely accomplished the feat and investigated. He quickly found out that Zoom’s methods weren’t secure at all.

When you install Zoom on a Mac, it creates a web server on your machine. The web server is problematic on multiple levels. With just a few options, Leitschuh put together a proof of concept website. If you have Zoom installed and visit that website, you will be auto-joined to a call, and your webcam activated without any interaction on your part—even if you closed Zoom before clicking the link.

Worse yet, uninstalling Zoom doesn’t remove the web server. The web server can reinstall Zoom on its own as well. So if you visit a malicious link, it can reinstall Zoom, join you to a call, and start your webcam, all without any interaction from you.

You can test this at Leitschuh’s proof of concept, but be advised that if you have Zoom installed, your camera will start and you’ll find yourself joined to a call with other people testing the site. Leitschuh notified Zoom of his findings along with a 90-day disclosure grace period. Unfortunately, the company didn’t do much to fix the problem.

Initially, the company brushed the whole thing off as part of the features it supports. Zoom eventually implemented a mild fix that prevents the camera from turning on, but malicious actors can still force users to join a call and reinstall Zoom.