New Zoom flaws to take over Macs, including webcam, mic, and root access

Now that many people are working from home due to the COVID-19 coronavirus pandemic, teleconferencing service Zoom’s popularity has skyrocketed, but also has led to Zoom flaws being revealed with an increased focus on the company’s security practices and privacy promises.

Zack Whittaker for TechCrunch:

Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

MacDailyNews Take: The requirement for physical control limits access, of course, but Zoom has other flaws, too (See: Caution: Zoom video calls are not end-to-end encrypted). If you can steer clear of Zoom, you probably should.

[Thanks to MacDailyNews Readers “Fred Mertz” and “Dogadoga” for the heads up.]

9 Comments

  1. FaceTime, if all participants are on Apple platforms.
     Google Hangouts Meet, if you don’t mind sharing your chats with Google’s advertisers.
     Google Duo, the free consumer version of Hangouts Meet.
     Microsoft Teams, if you have no taste.
     Skype, also a Microsoft thing, but at least it uses UDP tunneling for security.
     Zoom, if you don’t care about security.
     Cisco Webex, TeamViewer, GoToMeeting, or Jitsi, if you have a mullet and a neck beard.

  1. As a remote worker for more than 10 years I have always been amazed how bad the applications in this space are. I have used them all and each has its issue. The surprising thing is that the more expensive the service the worse it works. WebEx is complete crap and user hostile while being expensive. My preferred is join.me BUT they are hell to deal with on billing issues but it works the best of all I’ve used.

  2. I understand that Zoom is not ideal from a security standpoint, and that pointing that out is a responsible thing to do.

    Still, I have yet to see anybody suggesting a more secure alternative that offers comparable functionality for teaching classes and hosting webinars for 10-100 attendees.

    1. Yes, I am required to use Zoom for at-home work, am on a Mac, but the vast majority of people I might be on with are on Windows, a school district with 16,000 students, 9000 school system computers.

      Some of the students are proven hackers (I have copies of the files for the ones I deal with), but under Federal guidelines on discipline, almost everything they do that can cause their discipline matrix score to rise enough to boot them out of school almost never can happen, including felony aggravated assault (you would need more than one, or another charge of a similar level).

      So hacking? We might as well just not waste our time doing more than documentation in case common sense returns some day. The trend in the discipline regulations took a huge upswing 10 years ago and still continues... ”inclusion”.
