Your Mac could be hijacked through major security flaw in Zoom conferencing app

I’m a Zoom user on macOS, so I’m affected by this. I join all meetings with video turned off (see the settings image below); you should too:

Your computer’s webcam has always been a gateway for potential security intrusion, which is why people like Mark Zuckerberg and ex-FBI head James Comey put tape over theirs. On Monday, security researcher Jonathan Leitschuh gave Mac users another reason to fret over their webcams — there’s a security flaw in the Zoom video-conferencing app.

Zoom is most notable for its click-to-join feature, where clicking on a browser link takes you directly to a video meeting in Zoom’s app. But Leitschuh explained in a Medium post that he discovered months ago that Zoom achieves this in insecure ways, allowing websites to join you to a call and activate your webcam without your permission.

He adds that this would allow any webpage to denial-of-service a Mac by repeatedly joining you to an invalid call. Uninstalling the Zoom app from your Mac isn’t enough to fix the problem, either. Zoom achieves its click-to-join function by installing a web server on your computer — which can reinstall Zoom without your permission.

“If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you,” Leitschuh writes, “without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”

Here’s the first setting you should change in Zoom.

Jonathan Leitschuh/Medium

If you have the Zoom app installed on your Mac, Leitschuh lists directions to neutralize the local server in his Medium post. You should also activate the Turn off my video setting when joining a meeting, as seen above.
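One way to check for a lingering localhost listener of the kind described above, as an added example that is not from the article or from Leitschuh's post: it parses `lsof -nP -iTCP -sTCP:LISTEN` output and flags loopback-only listeners whose executable sits outside the usual install directories. The sample output, process names, ports, paths and the trusted-prefix heuristic are constructed assumptions.

```python
import re

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; names, PIDs and ports are invented.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    412 alice    4u  IPv4 0x1a2b3c4d5e6f7a81      0t0  TCP *:49152 (LISTEN)
OpenerSvc   733 alice    5u  IPv4 0x1a2b3c4d5e6f7a82      0t0  TCP 127.0.0.1:40001 (LISTEN)
ChatApp     901 alice   21u  IPv6 0x1a2b3c4d5e6f7a83      0t0  TCP [::1]:40002 (LISTEN)
postgres   1010 alice    7u  IPv4 0x1a2b3c4d5e6f7a84      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""

# Constructed pid -> executable path map (on a Mac, `ps -p PID -o comm=` reports the path).
SAMPLE_PATHS = {
    412: "/usr/libexec/rapportd",
    733: "/Users/alice/.exampleapp/OpenerSvc.app/Contents/MacOS/OpenerSvc",
    901: "/Applications/ChatApp.app/Contents/MacOS/ChatApp",
    1010: "/usr/local/bin/postgres",
}

LOOPBACK_HOSTS = ("127.0.0.1", "[::1]", "localhost")
NAME_RE = re.compile(r"^(?P<host>\S+):(?P<port>\d+)$")

def loopback_listeners(lsof_text):
    """Return (command, pid, port) for each TCP listener bound only to loopback."""
    found = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        m = NAME_RE.match(fields[-2])
        if m and m.group("host") in LOOPBACK_HOSTS:
            found.append((fields[0], int(fields[1]), int(m.group("port"))))
    return found

def leftover_candidates(listeners, exe_paths,
                        trusted=("/Applications/", "/System/", "/usr/")):
    """Flag loopback listeners whose executable is outside the trusted install roots."""
    # Assumption: a helper that survives removal of the app bundle runs from somewhere
    # other than /Applications, so its path is the signal worth a manual look.
    flagged = []
    for command, pid, port in listeners:
        path = exe_paths.get(pid, "")
        if not path.startswith(trusted):
            flagged.append({"command": command, "pid": pid, "port": port,
                            "path": path or "unknown"})
    return flagged

if __name__ == "__main__":
    for hit in leftover_candidates(loopback_listeners(SAMPLE_LSOF), SAMPLE_PATHS):
        print(hit)
```

A flagged entry is a prompt to inspect that process, not proof that it belongs to an uninstalled app; developer tools installed under a home directory will also appear.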

[…]

Read the original article here