

Be careful around the video conferencing app Zoom; a feature in the product’s Mac client can theoretically let a stranger spy on you via the web camera.

For Zoom users to invite people to a video-conferencing meeting on the app, they need only share a web link. If clicked on, the link will automatically start up the Zoom app—assuming the user has it installed—and begin recording through the Mac’s web camera.

The same feature can be exploited to spy on Zoom users, according to security researcher Jonathan Leitschuh, who started investigating the app earlier this year.

According to Leitschuh, a hacker could create a meeting and embed a link to it in a website. If a Mac owner then visited that site, the Zoom app would automatically launch and begin recording from the web camera.

“The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business,” he said in a blog post on Monday. “This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.”

To demonstrate the threat, Leitschuh created proof-of-concepts showing how the attack can work. (Be warned: clicking on the links will jumpstart the Zoom app on a Mac, and pull you into a video meeting populated by strangers.) The attack can also work on Windows-based computers if you’ve allowed your internet browser to automatically run Zoom meetings.

In response, Zoom rolled out a patch designed to prevent a meeting creator from enabling participants’ web cameras by default. However, Leitschuh claims the patched version can still let a hacker activate webcams.

Despite Leitschuh’s warnings, Zoom is downplaying the security concerns. The company notes the application will pop up over a desktop in the foreground when activated.

“It would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately,” Zoom said in a blog post. “Also of note, we have no indication that this has ever happened.”

This reasoning is also why Zoom doesn’t consider the problem to be a vulnerability. The app was designed to let users seamlessly join video conference meetings with one click. “Our customers have told us that they choose Zoom for our frictionless video communications experience,” the company added.

To prevent the snooping, Zoom users can go into the app’s preferences, then go to the “video” section, and select “Turn off my video when joining a meeting.” You can also protect yourself by covering up your web camera when it’s not in use.

Another option is to uninstall the Zoom app. But Leitschuh discovered that even when you remove the program from a Mac, it can automatically reinstall itself if the user ever clicks on a link to a Zoom meeting invite. To prevent this, Leitschuh’s blog post includes steps that can help a user fully remove Zoom from a Mac and block future reinstalls.

UPDATE: Zoom has decided to do more to address the concerns raised by Leitschuh. First, the company plans on removing the app’s ability to automatically reinstall itself on a Mac.

“Additionally, we have a planned release this weekend (July 12) that will address another security concern: video on by default,” the company said. “With this release: 1. First-time users who select the ‘Always turn off my video’ box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings.”

2. Returning users can update their…
