Zoom, a popular video-conferencing app, has been found to have a zero-day flaw affecting its Mac client that has yet to be patched, according to researcher Jonathan Leitschuh. The flaw allows an attacker to activate a victim's webcam without their permission by tricking them into opening a fake Zoom invite URL. The fake invite URL can be embedded in a malicious advertisement or sent in a phishing email. With the service used by around 750,000 companies worldwide, the potential damage is massive.

The vulnerability persists on an affected computer even after Zoom has been uninstalled. When Zoom is installed on a Mac it also installs a local web server, and that web server is not deleted when the user deletes the Zoom app. If a Zoom link is clicked after the app has been deleted, the web server re-downloads the Zoom app without notifying the user.

The second vulnerability found is a denial-of-service (DoS) flaw. The DoS is carried out by the attacker sending repeated invalid call requests, which leaves the victim's system unusable.

Zoom was contacted by the researcher about the flaws but has so far provided only a very minor fix that does not address the major issues. Zoom did, however, fix the DoS vulnerability in version 4.4.2 of the Zoom application. Zoom has released a statement saying it is diligently working on the issues and will release a security patch this month.
If a user has Zoom on their own system, the DoS flaw was fixed in version 4.4.2, so anyone on an older version should upgrade immediately. As a temporary workaround for the webcam flaw, the user can disable the camera in Zoom's settings by enabling “turn off video when joining a meeting,” which then has to be switched back on manually when joining a legitimate meeting. Lastly, users who previously had Zoom on their system and removed it can confirm whether the flaw is still present by running the Terminal command “lsof -i :19421”. That is the port number the Zoom web server listens on, and the command will show whether the web server is still active on the device.
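As an added example (not code from the article, from Zoom, or from the researcher), the following POSIX shell script automates the lsof check described above: it runs lsof with numeric addresses and ports, keeps only lines that are TCP sockets in LISTEN state bound to port 19421, and prints the PID and command name of whatever owns the socket, so the result can be used in a script rather than read by eye. The sample lsof output embedded in the script is constructed for offline testing; the command name in it (ZoomOpene, since lsof truncates command names to nine characters) is an assumed name for the web server process, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article, Zoom or the researcher): check whether
# a process is still listening on TCP port 19421, the port the Zoom Mac web
# server uses, by filtering lsof output the same way the manual
# "lsof -i :19421" check is read by eye.

ZOOM_PORT=19421

# listeners_on_port PORT
# Reads lsof output on stdin and prints "PID COMMAND" for every line that is a
# TCP socket in LISTEN state bound to PORT. Established client connections to
# the port (state ESTABLISHED) are ignored, so a browser talking to the server
# is not mistaken for the server itself. Exit status 0 if a listener was found.
listeners_on_port() {
    awk -v port="$1" '
        # The lsof NAME column for a listener looks like 127.0.0.1:19421 or
        # [::1]:19421, and the state is a separate trailing field, e.g. (LISTEN).
        $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") {
            print $2, $1
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# check_zoom_server
# Runs lsof on the live system. -n and -P keep addresses and ports numeric so
# the awk filter above matches. Returns 0 when the server is still listening,
# 1 when the port is free, 2 when lsof is unavailable.
check_zoom_server() {
    if ! command -v lsof >/dev/null 2>&1; then
        echo "lsof not found; install it or check the port another way" >&2
        return 2
    fi
    if listeners=$(lsof -nP -i :"$ZOOM_PORT" 2>/dev/null | listeners_on_port "$ZOOM_PORT"); then
        echo "A web server is still listening on port $ZOOM_PORT (PID COMMAND):"
        echo "$listeners"
        return 0
    fi
    echo "Nothing is listening on port $ZOOM_PORT"
    return 1
}

# Constructed sample of lsof output, used to exercise the filter offline.
# "ZoomOpene" is an assumed (truncated) name for the Zoom web server process,
# not taken from the article; the second line is a browser connected to it.
SAMPLE_LSOF_OUTPUT='COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 59034 alice    7u  IPv4 0x5a1b2c3d4e5f6071      0t0  TCP 127.0.0.1:19421 (LISTEN)
Google    61210 alice   45u  IPv4 0x5a1b2c3d4e5f6072      0t0  TCP 127.0.0.1:54321->127.0.0.1:19421 (ESTABLISHED)'

# Run the live check only when asked, so the file can also be sourced:
#   sh zoom_port_check.sh --check
case "${1:-}" in
    --check) check_zoom_server ;;
esac
```

Run it as `sh zoom_port_check.sh --check` (with `sudo` if the web server might be running under a different user account, since lsof only lists other users' processes as root). An exit status of 0 means something is still bound to port 19421 and the PID shown is the process to investigate; matching on the LISTEN state rather than on the port alone avoids flagging a browser tab that merely has a connection open to the port.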