Apple has quietly issued an update to fix the weakness in Mac video-conferencing app Zoom that could let hackers take over the camera on your Mac.
Security researcher Jonathan Leitschuh revealed this week that Zoom makes it possible for websites to add you to a call by activating your webcam without permission.
Although Zoom has released a full fix for the problem, Apple has also issued a silent update that installs automatically, reports TechCrunch.
The worrying security flaw was not stopped by uninstalling the app either as the web server, where the vulnerability was found, was not removed during this process.
Many users may not even be aware the problem exists as they have already uninstalled the app.
Scroll down for video
Apple has issued an update that removes a hidden web server installed by a video-conferencing app that could let hackers take over the camera on your Mac (file photo)
HOW TO UNINSTALL ZOOM COMPLETELY
Zoom issued a patch on Tuesday that will fix the bug and allow users to manually uninstall Zoom.
‘We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server,’ the company said.
‘Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.”
‘By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.’
On Tuesday, Zoom said it was releasing an update that will remove the local web server to secure the system and do away with the use of the web servers moving forward. It will also make it easier for users to uninstall the program altogether.
Mr Leitschuh revealed that the vulnerability on the Zoom app comes from the feature which allows you to send anyone a meeting link and when they open that link in their browser their Zoom client open automatically on their local machine.
The researcher says he contacted Zoom on March 26, giving the company a public disclosure deadline of 90 days.
He demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed.
That’s possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t, the post said.
According to the Verge, uninstalling the Zoom app from your Mac isn’t enough to fix the problem, either.
If you uninstall Zoom, that web server persists and can reinstall Zoom without your guidance.
The publication confirmed that the vulnerability works — clicking a link if you have previously installed the Zoom app will automatically join users to a conference call with your camera on.
‘If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you without requiring any user interaction on your behalf besides visiting a webpage,’ he wrote.
‘This re-install “feature” continues to work to this day.’
The flaw is said to be partly due to a web server the Zoom app installs on Macs that ‘accepts requests regular browsers wouldn’t.’
Zoom independently confirmed the vulnerability.
The company addressed the issue on Tuesday afternoon in a statement on its website, where it explained the patch that will fix the problem.
According to Zoom, updating will ‘remove the local web server entirely.’
The researcher says he contacted Zoom on March 26, giving the company a public disclosure deadline of 90 days. He demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed
It will also halt the use of a local web server on Mac devices.
‘Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client,’ Zoom says.
‘Once the update is complete, the local web server will be completely removed on that device.’
The patch will also add a button that allows users to manually uninstall Zoom.
Expert Jonathan Leitschuh said there is a ‘serious zero-day vulnerability’ for the Zoom video conferencing app on Macs. In a blog post, Mr Leitschuh discovered that Zoom achieves insecurely, allowing websites to join you to a call by activating your webcam without permission
Prior to the update, Eoin Keary, CEO and co-founder of edgescan, told MailOnline: ‘A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner.
‘This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline.
‘What’s unfortunate, invasive and a violation of trust is when the software seems “ uninstalled” but really isn’t.
‘This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks.
‘Persisting a webserver on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor.
‘Its underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom.’