Zoom, a popular video conferencing application, was recently found to contain a serious security vulnerability that left millions of Mac users at risk. According to security researcher Jonathan Leitschuh, who detailed the matter in a post on Medium, the flaw could be used by an attacker to access a Mac’s webcam without the user’s permission.
The vulnerability affects the Mac Zoom client, according to Leitschuh, who explained on Medium that ‘any malicious website’ could activate a Mac’s webcam without permission. In addition, the researcher found that the same issue let any web page DoS a Mac user by repeatedly forcing that user to join an invalid call.
Most seriously, Leitschuh found that even after a Mac user had uninstalled the Zoom client, a localhost web server remained on the machine, and that server would re-install the client with no interaction from the user beyond visiting a web page. Because any site in the browser can send requests to a listener on localhost, this presented a major risk for the vast number of companies that rely on Zoom for daily video conferencing.
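To show why an unauthenticated localhost listener is reachable from any site, here is an added, illustrative example that is not Zoom’s code and does not reproduce its real protocol. It stands up two tiny helper servers on loopback: a vulnerable one that answers any GET (so a cross-site page can trigger it with a plain `<img src="http://127.0.0.1:.../launch">`, which carries no Origin header), and a hardened one that requires both an allowlisted Origin and a per-install secret token. The origin `https://example-vendor.test`, the `/launch` path and the `token` parameter are assumptions made for the demonstration.

```python
"""Illustrative localhost helper server: vulnerable pattern beside a hardened one.
Added example; not Zoom's code. Origins, paths and parameters are assumptions."""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Hypothetical per-install secret that only the vendor's own pages would know.
INSTALL_TOKEN = secrets.token_urlsafe(32)
# Assumption: the only web origin allowed to drive the local helper.
ALLOWED_ORIGINS = {"https://example-vendor.test"}


class VulnerableHandler(BaseHTTPRequestHandler):
    """Answers any GET from anyone: an <img> or fetch() from any site triggers it."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"launched")

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Rejects requests unless the browser-set Origin is allowlisted AND the
    caller proves knowledge of the per-install token. A malicious page can set
    neither: browsers control the Origin header, and the token is never exposed."""

    def do_GET(self):
        origin = self.headers.get("Origin")  # absent for <img> loads, attacker's site for fetch()
        token = parse_qs(urlparse(self.path).query).get("token", [None])[0]
        if origin not in ALLOWED_ORIGINS or token != INSTALL_TOKEN:
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"launched")

    def log_message(self, *args):
        pass


def serve(handler):
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(port, path, origin=None):
    """Issue a GET the way a browser would, optionally with an Origin header."""
    req = Request(f"http://127.0.0.1:{port}{path}")
    if origin is not None:
        req.add_header("Origin", origin)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    """Return the HTTP status each scenario gets from the two servers."""
    vuln, hard = serve(VulnerableHandler), serve(HardenedHandler)
    try:
        legit = f"/launch?confno=123&token={INSTALL_TOKEN}"
        return {
            # Any site can hit the vulnerable listener, no Origin needed.
            "vulnerable_cross_site": request(vuln.server_port, "/launch?confno=123"),
            # fetch() from an attacker page: Origin is the attacker's, no token.
            "hardened_cross_site": request(hard.server_port, "/launch?confno=123", origin="https://evil.test"),
            # Token leaked but no Origin (an <img> load): still rejected.
            "hardened_no_origin": request(hard.server_port, legit),
            # The vendor's own page with the token: accepted.
            "hardened_legit": request(hard.server_port, legit, origin="https://example-vendor.test"),
        }
    finally:
        for srv in (vuln, hard):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The Origin check alone is not sufficient: non-browser clients can forge the header, and a browser sends no Origin on simple image loads, so the token is what actually binds a request to a page the vendor controls. Note also that the remediation Zoom and Apple shipped was to remove the listener altogether, which is the stronger fix; this example only shows why an unauthenticated one is a cross-site attack surface.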
As first spotted by TechCrunch, Apple has quietly released a Mac update that removes this hidden web server, so it can no longer re-install the client after the user has uninstalled it. macOS users aren’t required to take any action for this update; it is applied automatically.
Apple’s move will ensure Mac users are protected from the hidden web server vulnerability, but this won’t impact the Zoom app’s functionality. The move follows Zoom’s own update released on July 9, a day after the security report was published. Users should update the client; manual downloads can be found here.