Video conferencing software Zoom was revealed early in the month to have a severe security flaw, which Apple have now stepped in to patch.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (at OSCON) (@mathowie) July 9, 2019
The vulnerability, which affects all of Zoom’s rebranded versions such as RingCentral and Zhumu, comes from a web server that the app installs on your Mac to get around new security controls in Safari. The heightened Safari security measures require users to authenticate access to their webcam with each use, something that Zoom thought would infuriate users. Instead, the company bundled their own web server software, which directly accessed the camera after being authenticated and then remained readily available, even when not on a call.
Apple have since released a “silent” patch for macOS that removes the bundled web server. A newer version of this patch was released today that further tackles the issue on a deeper level, and for all affiliated brands.
If you’re a regular user of any of these online conferencing tools, it’s recommended that you update your app to the latest version and disable your camera from automatically being available when you join a meeting.