Zoom’s video conferencing software has more problems than a secret web server on Mac. Even on Windows, websites you visit could start filming you without your consent. All you have to do is click a link. This problem affects Macs, too.
While previous reporting seemed to indicate that Zoom’s problems were specific to macOS, Windows is vulnerable, too. If Zoom is configured to turn on your camera by default in meetings, someone could embed a Zoom link in a web page and immediately start recording you. This would work on either Windows or Mac.
Zoom insists it has “no indication that this has ever happened”—yet. The company considers this a feature and says you’ve given permission for this if your Zoom client is configured to automatically turn on your webcam when you join a meeting.
Jonathan Leitschuh’s proof of concept website demonstrates this. If you have Zoom software installed and go to the website, the Zoom software will launch and automatically join the meeting and start recording with your webcam. In the case of macOS, you’d see that behavior even if you previously uninstalled Zoom, thanks to a secret web server Zoom leaves running after it’s uninstalled. But, even on Windows, Zoom will launch if you currently have it installed.
At first, Jonathan Leitschuh’s Medium post seemed to suggest this issue only existed on macOS. But he clarified otherwise in a tweet:
🚨 WINDOWS & MAC USERS 🚨
If you've ever checked this box on any browser other than Safari, you are vulnerable as well. pic.twitter.com/FbG2efEe0R
— Jonathan Leitschuh – JLLeitschuh@infosec.exchange (@JLLeitschuh) July 9, 2019
We tested this by installing Zoom software and visiting his proof of concept website using Google Chrome.
On the first visit, you’ll be prompted to open the Zoom app—assuming you don’t have Zoom installed. If you check “Always open these types of links in the associated app,” you’re in trouble. That’s a box nearly anyone would check to skip extra clicking in the future.
The next time we visited the website, Zoom automatically opened, joined us to the meeting, and started our webcam. We didn’t click any prompts or give any approval. Without interaction on your part, malicious sites could easily record you as long as you have Zoom installed.
You do see the Zoom window and it’s clear you’re being recorded. However, a malicious website could capture some video of you before you stopped the video conference.
This is a huge issue. We recommend uninstalling Zoom if you don’t use it frequently. If you need it installed, you can also toggle the “Turn my video off when joining meeting” option on the “Video” tab in Zoom’s settings window to prevent this from happening.
On macOS, don’t forget to check for the web server and uninstall it too.
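To find out whether the “Always open these types of links in the associated app” box described above has already been ticked, you can audit the browser profile's Preferences file. The script below is an added example, not code from the original article or from Zoom. It assumes Chrome stores the choice under the two `protocol_handler` keys shown (the layout differs between Chrome versions) and that `zoommtg` is Zoom's link scheme; the sample data is constructed.

```python
import json

# Constructed sample of a Chrome profile "Preferences" file (not real data).
SAMPLE_PREFS = json.loads("""
{
  "protocol_handler": {
    "excluded_schemes": {"zoommtg": false, "mailto": true},
    "allowed_origin_protocol_pairs": {
      "https://zoom.us": {"zoommtg": true},
      "https://example.test": {"tel": false}
    }
  }
}
""")


def auto_launch_handlers(prefs):
    """Return sorted (origin, scheme) pairs that open an external app with no prompt.

    origin is "*" for the legacy per-profile setting, which applied to every site.
    """
    if not isinstance(prefs, dict):
        return []
    handler = prefs.get("protocol_handler") or {}
    found = set()
    # Legacy layout (assumed key name): scheme -> blocked flag. False means the
    # user ticked "Always open", so the scheme launches silently from any site.
    for scheme, blocked in (handler.get("excluded_schemes") or {}).items():
        if blocked is False:
            found.add(("*", scheme.lower()))
    # Newer layout (assumed key name): origin -> {scheme: allowed}.
    for origin, schemes in (handler.get("allowed_origin_protocol_pairs") or {}).items():
        if not isinstance(schemes, dict):
            continue
        for scheme, allowed in schemes.items():
            if allowed is True:
                found.add((origin, scheme.lower()))
    return sorted(found)


def audit_file(path):
    """Audit a Preferences file on disk; a missing or corrupt file yields []."""
    try:
        with open(path, encoding="utf-8") as fh:
            return auto_launch_handlers(json.load(fh))
    except (OSError, ValueError):
        return []


if __name__ == "__main__":
    for origin, scheme in auto_launch_handlers(SAMPLE_PREFS):
        print(f"{scheme}:// opens without a prompt for {origin}")
```

Pass the path of your own profile's Preferences file to `audit_file`; any entry it reports is a link type that will launch its app without asking first.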
Unfortunately, Zoom’s official response to the situation seems to suggest the company considers this a feature and not a problem. Hopefully, it understands the full severity of the issue soon and changes course.