Zoom, a video conferencing platform, has recently been found to have a vulnerability in its Mac client that could allow an attacker to turn on a user's webcam, or perform a denial of service against the host, simply by getting the user to visit a malicious website. The vulnerability stems from the developers' decision to run a web server on port 19421 of the host in order to get around cross-origin resource sharing (CORS) restrictions.
The server is set to always run, and a single HTTP GET request could trigger the webcam to turn on. This exposes the target to two main attacks: information disclosure, in the form of potentially viewing the target's webcam, and denial of service, where the attacker repeatedly sends invalid call-join requests and so keeps grabbing focus of the user's UI.
Another troubling aspect is that this same mechanism is also used to reinstall Zoom if the user uninstalls the software. Unless the local Zoom web server is killed as part of uninstallation, it will reinstall Zoom without notifying the user.
What Now?
Zoom has issued a patch that stops the client from automatically enabling the webcam upon joining a call, but the local web server remains in place, so it can still be used to connect the user to calls and to perform the DoS attack.
Users are recommended to uncheck the setting so that video is turned off when joining a meeting inside Zoom. To remove the application completely, users need to find the process ID of the local web server, which can be done with the command 'lsof -i :19421', kill that process, then remove the ~/.zoomus directory and create a new directory in its place to prevent reinstallation.
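The following script is an added example, not code from the original post or from Zoom. It covers both the check a user would want for the always-running local server described above (is anything bound to port 19421 on this Mac?) and the removal steps listed in the last paragraph: find and kill the process on the port, remove ~/.zoomus, and replace it with a fresh directory that the server cannot reuse. The ZOOM_PORT variable, the function names and the optional home-directory argument to block_zoomus_dir are assumptions of this example; 'lsof -t' (print only PIDs) is a standard lsof option.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and remediate the Zoom
# local web server on a Mac. ZOOM_PORT and the home-directory parameter below
# are assumptions of this script; the port number itself comes from the post.

ZOOM_PORT=19421

# Print the PIDs of every process bound to the Zoom port, one per line.
# Always exits 0: empty output means nothing is listening (or lsof is not
# installed, which is reported on stderr so the caller is not misled).
zoom_server_pids() {
    if ! command -v lsof >/dev/null 2>&1; then
        echo "lsof not found; cannot inspect port $ZOOM_PORT" >&2
        return 0
    fi
    # -t prints bare PIDs; lsof exits 1 when nothing matches, which is not
    # an error for our purposes.
    lsof -t -i ":$ZOOM_PORT" 2>/dev/null || true
}

# Exit status 0 if something is bound to the port, 1 otherwise.
zoom_server_is_listening() {
    [ -n "$(zoom_server_pids)" ]
}

# Kill every process bound to the Zoom port and print how many were signalled.
kill_zoom_server() {
    count=0
    for pid in $(zoom_server_pids); do
        kill "$pid" 2>/dev/null && count=$((count + 1))
    done
    echo "$count"
}

# Replace $home/.zoomus with a fresh directory that has no permissions at all,
# so the web server cannot write into it and reinstall the client. $home
# defaults to the current user's home; passing another path is an assumption
# of this example that lets the step be tested without touching the real one.
block_zoomus_dir() {
    home=${1:-$HOME}
    target="$home/.zoomus"
    # If a previous run left a mode-000 directory, make it removable first.
    if [ -d "$target" ]; then
        chmod u+rwx "$target"
    fi
    rm -rf "$target"
    mkdir "$target"
    chmod 000 "$target"
}

# Report-only usage; the remediation functions above are left for the user to
# run explicitly:  kill_zoom_server; block_zoomus_dir
if zoom_server_is_listening; then
    echo "A process is listening on port $ZOOM_PORT: $(zoom_server_pids | tr '\n' ' ')"
else
    echo "Nothing is listening on port $ZOOM_PORT"
fi
```

Running the script as-is only reports whether the port is in use; calling kill_zoom_server and then block_zoomus_dir performs the two destructive steps from the post. Re-running block_zoomus_dir is safe because it restores its own permissions before removing the old directory.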