A huge flaw in video conferencing software Zoom that bypassed Apple security features has left Mac users vulnerable to being spied on.
Security researcher Jonathan Leitschuh exposed the flaw in the teleconferencing software used by over 750,000 businesses.
The vulnerability allows a malicious website to force users to join a Zoom call with their webcam activated without their permission.
The flaw even affected users who had previously installed and then uninstalled the Zoom client, because the uninstall left code on the device that could reinstall the Zoom client without any user interaction.
Mr Leitschuh said he found the vulnerability after investigating how the teleconferencing program’s meeting invite feature was implemented.
“You can just send anyone a meeting link and when they open that link in their browser their Zoom client is magically opened on their local machine,” he wrote in a Medium post.
“I was curious about how this amazing bit of functionality was implemented and how it had been implemented securely.
“Come to find out, it really hadn’t been.”
Mr Leitschuh said it took Zoom 10 days to confirm the vulnerability after he reported it to the company on March 26 of this year, and that he had given them a quick fix for the problem.
A meeting about how to patch the problem properly didn’t occur until June 11, during which Mr Leitschuh said he “was very easily able to spot and describe bypasses in their planned fix”.
On June 24, 90 days later and on the public disclosure deadline, Mr Leitschuh learned Zoom had only implemented the quick fix he had originally given them three months earlier.
Zoom said it will release a patch that removes the local web server from Macs and adds an option to “manually and completely” uninstall the Zoom client.
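For a Mac user who wants to verify whether a leftover local web server like the one described above is still listening after an uninstall, the following is an added shell check (not code from the article, from Zoom, or from Mr Leitschuh's write-up). It assumes the `lsof` output layout described in its comments, and the sample rows, command names, PIDs and ports it contains are constructed.

```shell
# Reports processes that hold a TCP listener bound only to the loopback
# interface and whose command name matches a pattern. On macOS, run:
#   lsof -nP -iTCP -sTCP:LISTEN | find_local_listeners zoom
# Assumption: lsof prints one header line, then rows whose second-to-last
# field is ADDRESS:PORT and whose last field is "(LISTEN)".

# find_local_listeners PATTERN   (reads lsof output on stdin)
# Prints "COMMAND PID ADDRESS:PORT" for every loopback-only listener whose
# command name matches PATTERN (case-insensitive). Wildcard listeners such
# as *:22 are skipped because they are not loopback-only.
find_local_listeners() {
    awk -v pat="$1" '
        NR == 1 { next }                          # header line
        tolower($1) ~ tolower(pat) &&
        $(NF-1) ~ /^(127\.|localhost:|\[::1\]:)/ &&
        $NF == "(LISTEN)" {
            print $1, $2, $(NF-1)
        }'
}

# has_local_listener PATTERN   (reads lsof output on stdin)
# Exit status 0 if at least one matching loopback listener was found,
# so the check can gate a cleanup step in a larger script.
has_local_listener() {
    [ -n "$(find_local_listeners "$1")" ]
}

# Constructed sample of lsof output (names, PIDs and ports are made up).
SAMPLE='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
zoomhelper  512 alice   3u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:12345 (LISTEN)
sshd        101 root    5u  IPv6 0x3c4d      0t0  TCP *:22 (LISTEN)
zoomhelper  512 alice   6u  IPv4 0x5e6f      0t0  TCP 192.168.1.5:54000->203.0.113.9:443 (ESTABLISHED)'

# Demonstration on the sample; in practice pipe real lsof output instead.
printf '%s\n' "$SAMPLE" | find_local_listeners zoom
```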