Newly Discovered Security Flaw in Zoom Allows Hackers to Take Complete Control of Mac

BY Mahit Huilgol

Published 1 Apr 2020


The Zoom video call service has hit the headlines several times for its security flaws. Last year a webcam security flaw in Zoom allowed websites to access any ongoing Zoom call. Now two new Zoom bugs that allow hackers to take control of the Mac have been discovered.

Trouble for the company seems to be far from over, as ex-NSA hacker Patrick Wardle has discovered that the video call service lets hackers take control of Macs. The level of access includes the webcam, the microphone and, in some cases, even complete root access.

Wardle has unearthed two new bugs in Zoom. Both bugs can be exploited by a local attacker, provided they have physical control of the computer. After a successful exploit, the attacker will be able to gain access to the victim’s computer and install malware. The worst part is that the exploit allows the attacker to maintain continuous access.

Wardle walks us through Zoom’s privacy issues, such as the recent webcam hacking, the lack of end-to-end encryption contrary to the company’s claim, and the iOS app that was recently sending user data to Facebook. He also warns that even local attackers with low-level access can install malicious code and upgrade their access to the root level. Root-level access is the highest access one can get. The root-level privilege will allow attackers to access the macOS operating system and thus eventually install malware or spyware. Meanwhile, the user will not see any signs of the intrusion.

The second bug once again exposes how Zoom handles webcam and mic access on Macs. All apps on the Mac require users to explicitly give permission in order to access the webcam or microphone. However, Wardle claims that attackers can inject malicious code into Zoom and trick it into giving that code the same level of access that Zoom already has. In other words, once Zoom is tricked into loading the malicious code, that code will “automatically inherit” some or all of Zoom’s access rights.

Wardle adds that “No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video.” Due to the ongoing COVID-19 outbreak, a majority of the workforce is using Zoom to collaborate with colleagues. We hope that Zoom takes note of the exploit and fixes it as soon as possible.

[via TechCrunch]