This Shocking Bug Can Turn On Your MacBook Webcam in Secret

Millions of users of the video calling software Zoom have been warned about a security flaw that, if exploited, can secretly turn on MacBook webcams.

A researcher called Jonathan Leitschuh disclosed the issues in a blog post this week, claiming that the Zoom bug allows malicious websites to enable cameras without user permission by taking advantage of a feature this is designed to let users quickly join video calls.

The issue—which only impacts Apple users—exists because Zoom installs a web server on Macs when it is first installed. According to the company, it is intended for convenience: to circumvent an update to Safari that asks users to accept launching the client before every call.

Leitschuh has warned it's a bug that puts every Zoom user on a Mac at risk.

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission," the expert stated, summing up his findings.

Any Mac user who has ever installed Zoom has this web server on their computer, and this can be exploited by malicious websites—even if the app is later uninstalled, Leitschuh found.

The researcher created a proof of concept that exploited communication with the web server. All an attacker would need to do would embed a line of malicious code into a website and send it to the victim. "Any Zoom user will be instantly connected with their video running," he wrote.

Essentially, if the user failed to configure their Zoom application to disable video when first joining meetings, an attacker could potentially view the user's video feed.

For now, there is one quick fix. Concerned users can disable the ability for Zoom to switch on webcams in the video software settings. In its default state, the host on the video call is able to choose whether or not a recipient's camera is turned on at the start of the conference.

The vulnerability was first disclosed to Zoom on March 26 and only disclosed after the firm failed to fix the bug within 90 days, Leitschuh alleged. There are an estimated four million Zoom users on Apple Macs. They are still vulnerable to an invasion of privacy, the researcher claimed.

Responding to Leitschuh's findings, Zoom said in a statement the issue was deemed to be low risk because users have the ability to alter their camera settings from the default options.

The company said: "Zoom installs a local web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting."

"We feel that this is a legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator," it added.

In a future update, which is reportedly scheduled for release later this month, Zoom said it will now save a user's preference from their first conference to all future meetings. The firm said it will launch a new bug bounty program for experts to report bugs in the coming weeks. In a separate statement, Zoom said it had "no indication" the bug had been abused by hackers.

On Twitter, alarmed cybersecurity experts were quick to test, and confirm, the scope of the Zoom flaws. Several researchers also shared links so anyone could verify the issues.

"This Zoom vulnerability is bananas," commented programmer and tech blogger Matt Haughey, alongside an image of the video call. "I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time."

Referencing the software issues, web developer Zach Leatherman wrote: "Important housekeeping: remove the [Zoom] client from your system until they remove their unethical backdoor."

Comments are closed.