Earlier this year, Apple faced a major security crisis when its Group FaceTime was reported to have a bug that would let people spy on iOS users by simply calling them. Now it's the turn of Mac users to experience the same but, fortunately, it isn't applicable to all Mac owners, nor is it Apple's bug to fix. Unfortunately, the Zoom video conferencing app for Macs is so popular that it makes this serious exploit all the more dangerous.
Software developers will naturally take steps to make their products as easy to use as possible but sometimes those methods can have terrible side effects. In the case of Zoom, it installs a local webserver on the Mac to make it easy for users to join video conferences by simply clicking on a link. Unfortunately, it also leaves them vulnerable to hackers.
Clicking on one such "join" link could give a remote attacker access to the user's camera with no need for the user's consent. This, according to security researcher Jonathan Leitschuh, is due to the implementation's terrible security. It is also due to the fact that Zoom needs a webserver at all to do its magic.
That web server is pretty much the root of all Zoom's ills. Even uninstalling Zoom doesn't fix it because, using that same exploit, the app could be re-installed by clicking on a link as well. All of this happens without any further interaction from the user.
Zoom's response, however, isn't encouraging either. While it acknowledged the existence of the bug, Leitschuh says that the "quick fix" the company implemented doesn't sufficiently address the problem. Worse, it seems that Zoom is unwilling to move away from its webserver-based magic to something more secure, all for the stated purpose of making life easier, but also less secure, for its users.