A major vulnerability in a video conferencing app for Apple Mac computers has been discovered by a security researcher, which if exploited could allow hackers to spy on people through their webcams.
Software engineer Jonathan Leitschuh uncovered the bug within the Zoom app, and warned users that simply uninstalling the app would not fix the issue.
In a Medium post detailing the security flaw, Mr Leitschuh estimated that more than 4 million webcams were at risk, together with 750,000 companies around the world.
“This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission,” he wrote.
“Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a local host web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”
The vulnerability works by exploiting a feature in Zoom that allows people to send a meeting link for a video conference call.
This link essentially allows the site to forcibly initiate a video call through the Zoom app, without the person on the other end having to accept.
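To show the class of weakness the article describes (a localhost web server that obeys any web page), here is an added example that is neither Zoom's code nor taken from Mr Leitschuh's post: a request policy for a hypothetical local helper, first in the trusting form and then hardened with a loopback check, a cross-site header check and a per-install secret. The port, header values and the `/join` action are constructed for the example.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: what the local helper sees when an arbitrary web page embeds
# <img src="http://localhost:8080/join?confno=123"> (8080 is a made-up port).
# Modern browsers add Sec-Fetch-Site on such cross-site subresource loads.
WEB_PAGE_REQUEST = {
    "path": "/join?confno=123",
    "headers": {"Host": "localhost:8080", "Sec-Fetch-Site": "cross-site",
                "Referer": "https://any-site.example/"},
}

def client_request(token):
    """Constructed sample: the request the trusted native client would send."""
    return {"path": f"/join?confno=123&token={token}",
            "headers": {"Host": "localhost:8080"}}

def new_install_token():
    """Secret minted once per install and stored where only the local user can read it."""
    return secrets.token_urlsafe(32)

def vulnerable_policy(request, install_token):
    """Accepts any request naming the join action: no origin check, no secret (token unused)."""
    return urlsplit(request["path"]).path == "/join"

def hardened_policy(request, install_token):
    """Accept a join only when it demonstrably comes from the local trusted client."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    parts = urlsplit(request["path"])
    # 1. Serve only requests addressed to loopback (strip any :port suffix first).
    host = re.sub(r":\d+$", "", headers.get("host", ""))
    if host not in ("localhost", "127.0.0.1", "[::1]"):
        return False
    # 2. Browsers mark cross-site loads with Origin or Sec-Fetch-Site; the native
    #    client never sends them, so any web-initiated request is refused here.
    if "origin" in headers or headers.get("sec-fetch-site", "none") != "none":
        return False
    # 3. Require the per-install secret a web page cannot read; compare in constant time.
    token = parse_qs(parts.query).get("token", [""])[0]
    if not hmac.compare_digest(token, install_token):
        return False
    return parts.path == "/join"
```

The per-install secret is the key control: a page can make the browser send a request to localhost, but it cannot read a value stored on the user's disk to include in it.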
The vulnerability was originally reported to Zoom in March, Mr Leitschuh wrote, though the company only implemented a flawed “quick fix” solution that did not fully address the issue.
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” he wrote.
“An organisation of this profile and with such a large user base should have been more proactive in protecting their users from attack.”
Zoom did not respond to a request for comment from The Independent.
In a statement provided to ZDNet, Zoom said that the use of a local web server on Macs was a “workaround” to changes introduced in the Safari 12 web browser.
The firm called it a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.
While uninstalling the app would not prevent the vulnerability from being exploited, Mr Leitschuh noted that users could protect themselves by disabling the ability for Zoom to turn on the webcam when joining a meeting.