Videoconferencing tool Zoom has two software bugs for Mac users that can be exploited to allow hackers to tap into a user’s operating system, webcam and microphone, according to Patrick Wardle, a former NSA hacker. News of the bugs comes as Zoom’s popularity has increased with advisors and clients turning to remote working setups, even as Zoom has been criticized for widespread Zoom-Bombing interruptions and sloppy coding, and sued for sending data to Facebook, the result of a privacy flaw in an apparently unaudited piece of code. Zoom is currently under scrutiny from the New York attorney general’s office for its security measures, and a Vice report noted the tool had been linked to leaked personal information of “thousands of users.”
The latest software vulnerabilities permit a “local attacker,” someone with physical control of a vulnerable computer, to “gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware,” reported TechCrunch. The attack works something like this: a local attacker tinkers with the Zoom installer, adding malicious code that gives the attacker user privileges to access the underlying macOS operating system. With that access, it’s easier for an attacker to add malware or spyware without the victim’s knowledge.
“Exploitation of these types of bugs is trivial and reliable,” Wardle noted on his blog.
The second bug Wardle uncovered, essentially a means for a hacker to “spy on users,” allows “malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary times (without the user access prompt).” It works by hijacking the microphone and webcam permissions a user has granted to Zoom, so the malicious code can use them for its own purposes.
Those vulnerabilities are bad news for Zoom users, especially for anyone relying on the tool for sensitive financial discussions. Tools do exist to help detect attacks, noted Wardle, but for now it might be best to rely on another method of communication. “Honestly, if you care about your security and/or privacy perhaps stop using Zoom,” he concluded.