Mac Users Affected by Zero-Day Webcam Hijacking

The Mac Zoom client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 4 million users of the Zoom for Mac web and video conferencing service.

According to researcher Jonathan Leitschuh (who noted that Mac users make up about 10 percent of Zoom's customer base of 4+ million), an outside adversary would need only to convince a user to visit a malicious website with a specially crafted iFrame embedded, which would automatically launch the Mac user into a Zoom web conference with their camera turned on.

"I was very easily able to spot and describe bypasses in their planned fix," Leitschuh said. "Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack."

“I advised Zoom that if they have any users that are still using Zoom 4.1.33259.0925 versions or lower, this would be a very potent attack,” the researcher said.

The patch, available here, removes the local web server entirely once the Zoom client has been updated. The platform also now allows users to uninstall Zoom manually.
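As an added example (not code from the article or from Zoom), here is a POSIX shell check that an inventory script can use to flag Zoom for Mac installs at or below the 4.1.33259.0925 version the researcher named; the Info.plist path it reads on macOS is an assumption.

```shell
#!/bin/sh
# Added example, not from the article or from Zoom: flag a Zoom for Mac install
# whose version is at or below 4.1.33259.0925, the threshold the researcher
# named, so an inventory run can list machines that still need the patch.

VULN_MAX="4.1.33259.0925"
# Assumed location of the Zoom bundle's Info.plist on macOS (not from the article).
PLIST="/Applications/zoom.us.app/Contents/Info.plist"

# num_field FIELD: strip leading zeros ("0925" -> 925) so fields compare numerically.
num_field() {
    f=$(printf '%s' "$1" | sed 's/^0*//')
    if [ -n "$f" ]; then printf '%s' "$f"; else printf '0'; fi
}

# compare_versions A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# A missing trailing field counts as 0, so "4.1.33259" < "4.1.33259.0925".
compare_versions() {
    i=1
    while :; do
        fa=$(printf '%s.' "$1" | cut -d. -f"$i")
        fb=$(printf '%s.' "$2" | cut -d. -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then printf '0'; return; fi
        na=$(num_field "$fa"); nb=$(num_field "$fb")
        if [ "$na" -lt "$nb" ]; then printf '%s' "-1"; return; fi
        if [ "$na" -gt "$nb" ]; then printf '1'; return; fi
        i=$((i + 1))
    done
}

# zoom_version_is_vulnerable VERSION: succeed (exit 0) when VERSION <= VULN_MAX.
zoom_version_is_vulnerable() {
    [ "$(compare_versions "$1" "$VULN_MAX")" -le 0 ]
}

# Usage: sh zoom_check.sh [VERSION]. Without an argument, read the installed
# version with `defaults read` (macOS only); elsewhere nothing is checked.
if [ -n "$1" ]; then
    ver="$1"
elif [ -r "$PLIST" ] && command -v defaults >/dev/null 2>&1; then
    ver=$(defaults read "$PLIST" CFBundleShortVersionString)
else
    ver=""
fi
if [ -n "$ver" ]; then
    if zoom_version_is_vulnerable "$ver"; then
        echo "Zoom $ver is at or below $VULN_MAX: update or remove the client"
    else
        echo "Zoom $ver is newer than $VULN_MAX"
    fi
fi
```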
