Snippet: Vulnerability in the Mac Zoom Client Allows Access to Camera
Jonathan Leitschuh:
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
Yikes. There’s plenty of criticism about how Apple has made the Mac more iOS-like, but things like this demonstrate why locking down certain aspects of the platform and denying permission to some system resources may not be a bad idea. Fortunately, at the end of the post, there are instructions to mitigate some of the issues.