The deadly pandemic coronavirus has forced the whole world to go under lockdown, leading to all work matters to be dealt from home. With that in mind, meeting and conferences for important group discussions are held via various video chatting apps.
One such app, Zoom, rose to popularity amid such crisis for its ‘easy to use’ feature which also supports up to 100 people at one time for 40 minutes.
But it appears that security issues are emerging in the past few days as the number of people using this app increases during the work from home spell.
According to TechCrunch, tech pundits have pointed out two issues with the Zoom app which can allow the hackers to take control of a user’s Mac webcam and microphone.
Patrick Wardle, a security researcher has identified two bugs which can be exploited by a hacker to gain physical control of your Mac and plant spyware or malware on the system.
One of the two bugs was identified by a Twitter user, who is a technical lead at a U.S threat detection firm called VM Ray.
He took to Twitter and said: “Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use pre-installation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).”
Ever wondered how the @zoom_us macOS installer does it’s job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
Explaining the bug, Wardle says a local attacker (someone who has an account on the system already) can inject the Zoom installer with malicious code to access Mac OS without your knowledge and plant spyware or malware without any detection.
Another bug identified by Wardle is the Mac’s webcam and microphone usage via the Zoom app.
He points out how Zoom seeks consent to use the webcam and microphone via which an attacker can inject malware into Zoom and force them to provide access.
“Zoom’s security and privacy track record is rather poor–and these bugs are trivial to exploit,” says Wardle.
“Really, they are low hanging fruit, meaning that security and secure design was not a consideration when creating this product.”
However, a Zoom spokesperson has said that the bugs are being looked into.
“We are actively investigating and working to address these issues. We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue,” the statement read.
