Update: Zoom says it has a series of updates planned to address these security concerns.

A new zero-day vulnerability has been disclosed for the Zoom video conference app on the Mac. In a post on Medium, security researcher Jonathan Leitschuh outlined the flaw, which could let websites take over your Mac’s camera.

When you install the Zoom app on your Mac, it also installs a web server, which “accepts requests regular browsers wouldn’t,” as detailed by The Verge. It’s that web server that is seemingly causing this vulnerability.

Essentially, the Zoom web server is running as a background process. Thus, any website is able to “forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” If you simply click a link, you’ll automatically join a Zoom conference call with your camera enabled, even if you no longer have the Zoom app installed.

We tested the vulnerability using a link in Leitschuh’s Medium post and were immediately connected to a Zoom conference call with our Mac’s camera enabled. One of the most jarring aspects of this vulnerability is that it works even if you have uninstalled the Zoom app:

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

Leitschuh first disclosed the vulnerability to Zoom back in March. The timeline in the Medium post explains that the vulnerability was fixed at one point since then, but that a regression this month caused the vulnerability to work again. The regression was fixed today, but Leitschuh discovered a workaround.

Additionally, Zoom lacks “sufficient auto-update capabilities,” according to Leitschuh, which means there are still still users running older versions of the app.

So how can you protect yourself? The easiest way is to go into the Zoom settings window and enable the “Turn off my video when joining a meeting” setting. You can also run a series of Terminal commands to uninstall the web server completely, and those commands can be found at the bottom of Leitschuh’s Medium post.

More technical details, as well as proof of concept links, can be found on Medium.

FTC: We use income earning auto affiliate links. More.

Hyper Cube automatic iPhone backups

Subscribe to 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.

Tips, questions, typos to chance@9to5mac.com