Beware! Video conferencing app ‘Zoom’ has a major vulnerability

Security researcher Jonathan Leitschuh has publicly revealed a major vulnerability in Zoom, a video conferencing app, on Macs. He disclosed that any website can open a video-enabled call on a Mac with the Zoom app installed. This happens because the app apparently installs a web server on Macs that accepts even those requests which browsers usually reject.

Moreover, even if you uninstall the Zoom app from your Mac, the web server that the app installed stays behind and can reinstall Zoom without your permission or involvement. The Verge reports that it has confirmed Leitschuh’s claim and that the vulnerability is real. It also reports that “clicking a link if you have previously installed the Zoom app (and haven’t checked a certain checkbox in settings) will auto-join you to a conference call with your camera on”.

Leitschuh further reveals that he disclosed the vulnerability to the developers of the Zoom app back in March, but the company has not done anything to solve the issue. He said that he gave the company 90 days to solve the problem, but they didn’t.

The existence of a web server on users’ computers poses other serious threats as well. For instance, in older versions of Zoom, it was possible to carry out a denial-of-service attack on Macs by continuously pinging the web server. Leitschuh writes, “By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS”.


You can solve this issue by ensuring the Mac app is up to date and by disabling the setting in the app that allows Zoom to turn on your camera when joining a meeting, as shown in the image above. Simply uninstalling the Zoom app won’t solve this problem, as the web server persists on your Mac.

If you are facing this issue with the Zoom app and want to fix it permanently, you have to run some terminal commands, which you can find here.

Published by
Faisal Saeed
Tags: Zoom
