Video calls are a standard feature in nearly every modern gadget. It’s one reason the computer or mobile device you’re using probably has a camera built right into it. Truth be told, video calls are so essential to work and leisure today that it would be difficult to imagine our digital lives without them.
The fact that webcams are so commonplace, however, is what makes them such an attractive target to hackers and scammers. Being able to hijack a video camera is the ultimate privacy violation — and a threat that security experts are constantly working to prevent. If any piece of software leaves room for a webcam exploit, it’s a top priority that researchers and developers identify the threat, expose it publicly, and patch it before the issue has a chance to spread.
And sure enough, the appearance of a webcam-based security hole in one of the most popular teleconferencing apps has researchers scrambling. Hackers could take advantage of a flaw in your webcam’s settings to not only hijack your camera but potentially your entire computer! If you use teleconferencing on your computer, you won’t want to miss this fix to protect your system.
Dangerous exploit discovered in the Zoom app for Mac
Zoom is an incredibly popular teleconferencing app for Mac systems that boasts an install base of millions of active users. Nearly every day, the program is used by businesses and individuals for meetings, productivity, and collaboration. However, security researchers have identified a critical security flaw in the way the app handles chat invites.
The exploit was discovered by researcher Jonathan Leitschuh, who outlined the nature of the threat in his post on Medium. According to him, the flaw stems from an update Zoom itself introduced to make call invites a more seamless, “one click” experience. Zoom confirmed this line of thinking in an interview with ZDNet.
Unknown to developers, however, the feature allows a web browser like Safari to activate the app on a user’s machine without sufficient safeguards — running potentially dangerous activity on the user’s local computer instead of the cloud or the company’s servers.
If a hacker were to create a fake website that took advantage of this hole in the app’s code, it could remotely activate a computer’s webcam with just the click of a mouse, or even remotely install programs without the user’s consent.
How can I protect myself from the Zoom security flaw?
Thankfully, since the issue was revealed in a “zero-day” fashion, researchers and consumers are aware of the flaw. This means that hackers are slightly less likely to use the exploit since the process isn’t unknown anymore. Aside from that, though, there is a way that Zoom users can protect their Macs right now without needing to wait for a patch or update.
Leitschuh recommends a single setting be changed in Zoom’s menu that prevents the camera from automatically activating when joining a meeting. This feature is the backdoor that can potentially allow a bad actor to access your system, so disabling the feature, for now, will close that opening.
Plus, if you need to use your camera during a meeting, all you need to do is turn it on once the meeting begins. You won’t lose any performance or features using this fix — just a slightly different order of operations when making or receiving video calls.
To turn the camera off when joining a meeting, simply open Zoom and open Settings. In here, select Video and check the box next to Turn off my video when joining a meeting. That’s it!
Zoom has recently released updates that addressed an earlier threat related to denial of service attacks, but it can be expected that further updates will either patch or address the issue. The above fix, however, will keep your system in good shape while Zoom takes care of things on its end.
For the best possible results, just keep the camera off by default like Leitschuh suggests and keep Zoom updated to the latest version whenever possible.
As hackers continue to change their tactics, updates from developers will become more and more important. After all, having the most up-to-date defenses is the best offense in the war against hackers and malware.
Update: Zoom has responded to Leitschuh’s Medium post with a blog post of their own that disputes the researcher’s findings. However, they have announced that future versions of Zoom will be preserving any changes that users make to their camera settings by default — including the above method outlined by Leitschuh.