Zoom fixes vulnerability that allowed hackers to hijack Mac webcams
Videoconferencing firm Zoom Video Communications Inc. today issued a fix for a vulnerability that could have allowed a hacker to hijack a webcam on a Mac computer via a malicious website.
Detailed by security researcher Jonathan Leitschuh, the vulnerability exploits a feature in the Mac Zoom client that allows users to join a videoconference by clicking on a received link. Using that feature, a malicious website can be crafted to join a Zoom call forcibly, with the video camera activated without the permission of a user.
The vulnerability stems from the way Zoom sets up the ability to accept a call. The Zoom client installs a local web server to handle joining calls, but in doing so leaves that server reachable by any website the user visits. An attacker can then send requests to the open local web server from a malicious site and join the user to a meeting.
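To make the design issue concrete, the added example below (not Zoom's code; Zoom's actual fix was to remove the server, as described later in the article) contrasts a local helper server that honors any request it receives with a hardened variant that refuses requests lacking a trusted Origin and a per-install secret, and that still prompts the user. The origin, header names and token are constructed for illustration.

```python
# Added illustration, not Zoom's code: a loopback helper that acts on any request
# beside a hardened variant. Origin, header names and token are constructed.
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

ALLOWED_ORIGINS = {"https://meet.example"}   # hypothetical vendor origin
SESSION_TOKEN = secrets.token_urlsafe(32)    # known to the vendor's page, not to third parties


def vulnerable_decision(path, headers):
    """Original pattern: any GET naming a meeting is honored, whoever sent it.
    A hidden <img> or <iframe> on any web page reaches 127.0.0.1 the same way."""
    query = parse_qs(urlparse(path).query)
    if "meeting" in query:
        return ("join", query["meeting"][0])      # camera on, no user prompt
    return ("ignore", None)


def hardened_decision(path, headers, token=SESSION_TOKEN):
    """Hardened pattern: refuse an untrusted or absent Origin, require a secret the
    hosting page cannot know, and still ask the user before enabling the camera."""
    origin = headers.get("Origin") or ""          # <img> requests carry no Origin
    if origin not in ALLOWED_ORIGINS:
        return ("reject", "untrusted origin")
    presented = headers.get("X-Local-Token") or ""
    if not secrets.compare_digest(presented.encode(), token.encode()):
        return ("reject", "missing or wrong token")
    query = parse_qs(urlparse(path).query)
    if "meeting" not in query:
        return ("reject", "no meeting id")
    return ("prompt", query["meeting"][0])         # user prompt precedes camera use


class HardenedHandler(BaseHTTPRequestHandler):
    """Minimal handler wiring hardened_decision to real requests on loopback."""

    def do_GET(self):
        verdict, detail = hardened_decision(self.path, self.headers)
        self.send_response(200 if verdict == "prompt" else 403)
        self.end_headers()
        self.wfile.write(f"{verdict}: {detail}\n".encode())


if __name__ == "__main__":
    # Bind to loopback only; port 0 lets the OS choose a free port (constructed setup).
    HTTPServer(("127.0.0.1", 0), HardenedHandler).serve_forever()
```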
“All a website would need to do is embed [the code] in their website and any Zoom user will be instantly connected with their video running,” Leitschuh said. “This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.”
Worse still, the local web server remained in place even after a user stopped using Zoom, since it was not removed when Zoom was uninstalled.
Zoom addressed the issue in an update released today. The update removes the local web server entirely on Macs and also lets users uninstall Zoom manually.
David Wells, senior research engineer at web application scanning firm Tenable Inc., told SiliconANGLE that the Zoom vulnerability is “eye-opening.”
“Most users think their risk of exploitation or compromise ends as soon as they shut down an application or turn off a device,” he said. “But in this case, an attacker can spy on victims directly through their web cameras, even when they aren’t actively using Zoom.”
Craig Malloy, chief executive of Lifesize Inc., notably a competitor to Zoom, didn’t hold back, saying that security is too often an afterthought in video communication.
“While the user experience is undeniably important, it means absolutely nothing if customers can’t trust that their critical business communications and sensitive data are protected in the most responsible, secure ways possible,” Malloy said. “The Zoom exploit method reported yesterday further reinforces the company’s practice of sacrificing security for convenience, made worse by the fact that it still does not encrypt video calls by default for the vast majority of its customers.”
Lamar Bailey, senior director of security research at cybersecurity firm Tripwire Inc., took an old-school approach, saying that the case is a good example of why physical security shouldn’t be overlooked.
“The little adhesive camera covers available by the dozens at every computer conference or for a couple of dollars on Amazon are a much better solution than relying on software to do the right thing,” Bailey said. “We install so many apps these days it is hard to keep up with the permissions they require and what they turn on by default on upgrades and reinstalls. A physical barrier is far superior.”
Image: Zoom