Hi folks, you may have seen mentions on Twitter of this Zoom vulnerability: https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Here are the problems in brief:
"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day."
What does this mean for you if you use macOS? It means you should make sure your Zoom software is up to date with the latest version (but that only fixes the second problem – the webcam problem remains).
This is an issue with the Zoom client itself, so just by using the client you’re vulnerable to having your webcam accessed without your consent. The other issue is that Zoom has had 90+ days to fix this and hasn’t, and that itself is a big red flag.
So what do we do besides cover Mac users’ cameras? We can explore other options for video conferencing software, but the main issue there is that I haven’t seen other software that has recording capabilities, and that’s pretty huge for us. It’s likely that they’ll fix this issue fairly soon given the attention around it, but that doesn’t help us right now.
What do other people think?