A serious zero-day vulnerability has been disclosed in the Zoom video conferencing app for Mac.
Security researcher Jonathan Leitschuh, in a Medium post, detailed the flaw that could let websites hijack your Mac’s camera and “forcibly” join you to a Zoom call without your permission.
Zoom is one of the most popular cloud-based enterprise communication platforms, offering chat, video and audio conferencing, and options to host webinars and virtual meetings online. About four million of its users are on Mac.
The vulnerability takes advantage of a pretty simple feature that gives Zoom users an easy way to dial into video conference calls with the tap of a link — something like https://zoom.us/j/999999999, where ‘999999999’ is a random nine-digit meeting ID that expires once the meeting ends.
As long as the Zoom app is running in the background, opening the meeting link in your browser automatically launches the Zoom client on your Mac.
Leitschuh found this functionality was not securely implemented. Not only can a user be auto-joined to a Zoom video conference call by merely clicking on the meeting link, but this also works even if you no longer have the Zoom app installed.