Popular application quietly activates Mac camera (updated)
Security researcher Jonathan Leitschuh found a zero-day vulnerability in the Zoom video calling application on Mac computers. Malicious sites can join macOS users to a video conference without their knowledge.
This is possible because Zoom installs local servers on macOS. They keep running even after the application is uninstalled and can reinstall it without the user's permission.
Zoom developers explained that a local server is needed to store information about settings. After updates to the Safari browser, users had to re-configure the application each time Zoom was launched. Chromium and Mozilla also discovered the vulnerability, but did not find a way to close it.
Company representatives have promised to release an update that fixes the error this month.
In older versions of Zoom, Leitschuh also discovered a vulnerability to DDoS attacks.
Update: Zoom has released an update that removes the local servers that cause the vulnerability from users' computers. The new version of the macOS client no longer uses the web server. The update can already be downloaded from the official website or through the installed Zoom client.