Apple is silently removing Zoom's web server software from Macs

Security Vulnerability in Video Conferencing App Zoom Allows Websites to Hack Into your Mac’s Camera

"The little adhesive camera covers available by the dozens at every computer conference or for a couple dollars on Amazon are a much better solution than relying on software to do the right thing", said Bailey.

Millions of Apple Macs are vulnerable to a video conferencing software bug which allows hackers to spy on users through their computers' cameras, according to a BBC report.

But security researcher Jonathan Leitschuh recently stumbled upon something extremely concerning.

Zoom did this so users would not have to click another dialog in order to join a meeting, a convenience-versus-security trade-off that now haunts it.

On the one hand, this simple access to video meetings is an excellent feature for Zoom users who don't want to deal with complexity before their voice calls.

That's possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn't, the post said. This is where the vulnerability lies.

"Since the Zoom customer UI keeps running in the forefront upon dispatch, it would be promptly obvious to the client that they had unexpectedly joined a gathering and they could change their video settings or leave quickly", wrote Farley.

Webcams have long been a potential privacy risk if hacked by outside actors.

The same problem isn't apparent on Windows computers, because they handle Zoom meetings differently - without the server installation.

If a user has ever installed the Zoom client and then uninstalled it, the Mac still has a localhost web server that will re-install the Zoom client, without requiring any user interaction besides visiting a webpage. It will address the issue of video being on by default.
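A defender-side check for the condition described above, a local web server still listening after its app has been removed, is to list the loopback listeners and compare them with the software you expect to be running. This is an added example, not code from the article, Zoom or the researcher; the process names, PIDs, ports and the allowlist are constructed placeholders, and the sample text stands in for real `lsof -nP -iTCP -sTCP:LISTEN` output.

```python
import ipaddress

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from a real machine).
# lsof truncates COMMAND to 9 characters by default; `lsof +c 0` prints full names.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sharesvc    501 alice   9u  IPv4   0xa1      0t0  TCP *:7000 (LISTEN)
ExampleHe   733 alice   7u  IPv4   0xb2      0t0  TCP 127.0.0.1:49999 (LISTEN)
postgres    812 alice   5u  IPv6   0xc3      0t0  TCP [::1]:5432 (LISTEN)
postgres    812 alice   6u  IPv4   0xc4      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""


def loopback_listeners(lsof_text):
    """Return sorted unique (command, pid, port) for TCP sockets bound to loopback."""
    found = set()
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[7] != "TCP" or fields[9] != "(LISTEN)":
            continue
        host, _, port = fields[8].rpartition(":")
        host = host.strip("[]")  # IPv6 addresses are printed as [::1]:port
        if host == "*":
            continue  # wildcard binds are network-exposed, a separate review
        try:
            is_loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            continue  # unparseable address: ignore the row
        if is_loopback:
            found.add((fields[0], int(fields[1]), int(port)))
    return sorted(found)


def unexpected(listeners, expected_commands):
    """Listeners whose owning command is not on the (hypothetical) allowlist."""
    return [entry for entry in listeners if entry[0] not in expected_commands]


if __name__ == "__main__":
    # Allowlist is an assumption: software the user knows is installed and running.
    for command, pid, port in unexpected(loopback_listeners(SAMPLE_LSOF), {"postgres"}):
        print(f"review: {command} (pid {pid}) is listening on localhost:{port}")
```

A listener flagged this way is only a lead: confirm which binary owns the PID and whether the application it belongs to is still installed before removing anything.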

"It took Zoom 10 days to confirm the vulnerability", wrote Leitschuh.

But in a post on Tuesday the company conceded and said it has launched a patch removing the web servers from Mac machines. However, Leitschuh believes that this action might be too little, too late.

Leitschuh says he disclosed the weakness in March, but Zoom did not finish a fix until June.

The patch will also add a button that allows users to manually uninstall Zoom.

A Zoom spokesperson told Forbes, however, that it had begun analyzing the problem within 10 minutes of learning about it, and that the ability to have one-click access to join videoconferencing calls was meant to address poor user experiences for those running Apple's Safari 12 web browser.