Websites can turn Mac's camera on without permission: Here's how
What's the story
A major zero-day vulnerability that lets websites hijack and activate webcams without permission has been flagged for Mac users.
The issue stems from Zoom, a popular video calling app that lets you join video chat rooms by clicking on a single link.
The capability is handy, but as it turns out, it also lets websites start video calls without consent.
Here are the details.
Bug
Zoom lets websites open video calls
Security researcher Jonathan Leitschuh recently disclosed the vulnerability in Zoom.
He said the app installs a web server on Macs, which accepts requests from rigged websites, thereby allowing them to open up video calls with random strangers with the camera on.
This means a single click and the video call will start automatically, without seeking any permission or camera access request.
Twitter Post
Here's how the call connected automatically
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
Issue
This bug can critically breach your privacy
Leitschuh discovered the Zoom vulnerability back in March and informed the company about it.
However, even after 90 days of discovery, the issue remains unresolved, meaning anyone can use it to open video calls without permission and breach your privacy.
Even uninstalling Zoom won't work because the local web server would remain behind and attempt installing the app once again.
Solution
How can you avoid this issue
Now, in order to avoid the issue, it is recommended to activate the 'Turn off my video when joining a meeting' option in app settings.
Also, use the steps and terminal commands given by the security researcher to disable the local web server installed on your Mac.
Once that is done, the issue cannot be exploited to hack your Mac's webcam.
Zoom's statement
Zoom defended its web server move
Speaking to The Verge, Zoom confirmed that the local web server strategy was adopted to ensure a seamless, one-click video calling experience after Apple introduced an additional app-launch prompt in Safari 12.
The company promised to tweak the app in July and save user and administrators' preferences for opening video when a call starts in the first place.