Zoom is a popular videoconferencing system, used apparently by about 750,000 companies and several million individuals around the world. Jonathan Leitschuh at Gradle has just revealed two vulnerabilities in Zoom’s software which could allow a malicious website to turn your Mac’s camera on without your permission. If you’ve ever installed the Zoom videoconferencing client on your Mac, you should check now whether it is still present – even if you think you have removed it.

Zoom has apparently fixed one of the vulnerabilities, which allowed a denial of service attack, in its client version 4.4.2. However, remote control of the camera remains unfixed at present.

Zoom was informed of these vulnerabilities on 26 March 2019. It claimed to have fixed them on 21 June, but that fix doesn’t prevent a malicious website from turning your Mac’s camera on. Furthermore, installing Zoom client software leaves a web server running on your Mac, on port 19421. Jonathan recommends all Mac users should check whether this is active by typing
lsof -i :19421
into Terminal. If that reveals the presence of the web server, then your Mac may be vulnerable, and you should read Jonathan’s article carefully to see how to address this. If that command returns nothing, your Mac is still safe in this respect.

Another tell-tale sign is the presence of a hidden folder at ~/.zoomus on your Mac. If that is present, it means the Zoom client’s hidden web server is still resident there. One good solution is to remove that folder completely and replace it with a file so that it can’t be reinstalled. Credit Slack MacAdmins #Security Channel for the following Terminal commands:
rm -rf ~/.zoomus
touch ~/.zoomus

All this apparently happens despite the privacy controls over access to the camera which were introduced in macOS Mojave. Apple may also have some explaining to do.

Zoom’s response is on its blog. Despite defending its previous decisions, it states that it is going to change the behaviour of its software. If you use Zoom, you should read that response carefully before making any decisions.

Update: overnight 9-10 July, Zoom has updated its software, apparently addressing these issues. We now await its assessment by security researchers, but there’s no sign of the hidden web server or its hidden folder.

Thanks to Patrick Wardle and Objective-See for drawing attention to this. Objective-See’s OverSight software detects all attempts to access your Mac’s camera. Thanks to Al Varnell for commenting below to provide further information, including the Terminal commands given above, quoted in turn from Slack MacAdmins #Security Channel. Thanks also to Rodney Peel in his comment below for bringing news of Zoom’s new software which appears to address these issues in full.

(Updated 0830 UTC 10 July 2019.)