Zoom flaw could enable hackers to activate Mac webcams without permission

The security issues speak to the risk associated with default settings on popular applications that a user might overlook.
Throw some tape over your webcams. (Flickr / Rickey Romero)

A vulnerability in the Mac version of Zoom, the popular video conferencing application, could allow a hacker to turn on a user’s video camera without their authorization or disrupt their computer via a denial-of-service attack, according to research published Monday.

The vulnerability, found by security researcher Jonathan Leitschuh, exists in a Zoom feature that lets a user send a meeting invite via a web link. By clicking the link, a user is launched into a video call. But a phishing campaign or a website laced with malicious advertisements could take advantage of those links, Leitschuh said.

Leitschuh, a software engineer at the engineering organization Gradle, published his findings Monday on the blogging platform Medium after Zoom failed to fix the problem within 90 days.

“An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack,” he wrote.


Asked how many Zoom Mac users there were, a company spokesperson said Zoom doesn’t disclose such figures, but said the vulnerability affects a significant portion of its customer base.

Zoom, which claimed 40 million users as of 2015, has patched the denial-of-service (DOS) vulnerability. It plans to update the application Friday to make it easier for users to keep their web cameras off by default. There haven’t been any reported cases of the vulnerability being abused, the San Jose, California-based company said.

Zoom chief information security officer Richard Farley said it would be “readily apparent” to users if they had unintentionally joined a meeting, and that they could immediately leave the meeting or change their video settings.

“Our determination was that both the DOS issue and meeting join with camera on concern were both low risk because, in the case of DOS, no user information was at risk, and in the case of meeting join, users have the ability to choose their camera settings,” Farley wrote in a blog post.

The company required Leitschuh to sign a non-disclosure agreement (NDA) before receiving a bounty for the vulnerability. Leitschuh declined, saying he wanted to make the vulnerability public to protect users. While Zoom asserted that the NDA was standard practice, some cybersecurity experts criticized the tactic.


The security issues discovered by Leitschuh highlight the risk associated with default settings on popular applications that a user might overlook. Even if you’ve uninstalled the Zoom Mac application, a “localhost” web server will remain on your computer and reinstall the application, according to Leitschuh.
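A defender's check for the leftover component the article describes, written as an added example (it is not code from the article, from Leitschuh, or from Zoom): it scans `lsof` listening-socket output for a Zoom-named process bound to the loopback address. The process name, the loopback binding and the port in the constructed sample are assumptions; the article states none of them.

```shell
# find_local_zoom_listeners: read lines in the format of
#   lsof -nP -iTCP -sTCP:LISTEN
# on stdin and print COMMAND, PID and NAME for every Zoom-named process
# that is listening on the loopback address (127.0.0.1, ::1 or localhost).
# Assumption: the leftover server's process name contains "zoom"
# (case-insensitive) and it binds only to loopback.
find_local_zoom_listeners() {
  awk 'NR > 1 && tolower($1) ~ /zoom/ && $9 ~ /^(127\.0\.0\.1|\[::1\]|localhost):/ {
         print $1, $2, $9
       }'
}

# count_local_zoom_listeners: number of matching listeners; 0 means clean.
count_local_zoom_listeners() {
  find_local_zoom_listeners | wc -l | tr -d ' '
}

# Constructed sample of lsof output so the audit runs offline.
# The port number is illustrative only; the article does not state one.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1  root   10u  IPv6  0x01      0t0  TCP *:22 (LISTEN)
ZoomOpener 512  alice   6u  IPv4  0x02      0t0  TCP 127.0.0.1:19421 (LISTEN)
node      777  alice  20u  IPv4  0x03      0t0  TCP 127.0.0.1:3000 (LISTEN)'

# audit_sample: run the check over the constructed sample.
# On a live Mac, replace the sample with:
#   lsof -nP -iTCP -sTCP:LISTEN | find_local_zoom_listeners
audit_sample() {
  printf '%s\n' "$SAMPLE_LSOF" | find_local_zoom_listeners
}
```

A non-empty result means a loopback web server from Zoom is still running, which is what to look for after an uninstall if the vendor's patch has not been applied.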

Following criticism of that feature, Zoom announced a patch for it on Tuesday.

UPDATE, 6:02 pm, E.D.T.: This story has been updated with Zoom’s announcement that it would patch the web-server feature.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.