What you need to know
- Another security flaw has been highlighted in Zoom.
- An ex-NSA hacker says a bug can be used to take over a Zoom user's Mac.
- The bugs can also be used to access your webcam and microphone.
An ex-NSA hacker has found yet another critical security flaw in Zoom, this time in the form of two bugs in the Mac version of the app.
According to TechCrunch, ex-NSA hacker Patrick Wardle has found two bugs within the macOS version of Zoom:
Wardle's first bug piggybacks off a previous finding. Zoom uses a "shady" technique — one that's also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as "root."
Those root-level user privileges mean the attacker can access the underlying macOS operating system, which is typically off-limits to most users, making it easier to run malware or spyware without the user noticing.
This is a reference to Zoom's installation process, which was described as "very shady" by experts. From that report:
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).
This is not strictly malicious but very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. These are the same tricks that are being used by macOS malware.
Well, it turns out that it is malicious after all, because an attacker can inject the installer with malicious code and obtain "the highest level of user privileges".
A second bug (yes, there are two, plus all the other ones) involves your webcam and microphone:
The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will "automatically inherit" any or all of Zoom's access rights, he said — and that includes Zoom's access to the webcam and microphone.
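Two defender-side checks that follow from the installer behaviour quoted above and from the code-injection route described in the second bug: does a package run a preinstall script before the user confirms anything, and is a signed app actually protected against loading foreign code (hardened runtime without the disable-library-validation opt-out). This is an added example, not code from the article, the researcher or Zoom; on a real Mac the inputs come from pkgutil(1) and codesign(1), and the fixture in run_demo is constructed so the logic runs anywhere.

```shell
#!/bin/sh
# Added example, not from the article or from Zoom. Defender-side checks for the
# two issues discussed above. Real inputs come from pkgutil(1) and codesign(1);
# the fixture in run_demo is constructed so the logic also runs on Linux.

# 1. Installer audit. Expand a package first:  pkgutil --expand Zoom.pkg out_dir
#    Returns 0 if the expanded tree contains a preinstall script, i.e. code that
#    runs before the user ever confirms the install (the behaviour quoted above).
pkg_has_preinstall() {
  [ -n "$(find "$1" -type f -name preinstall 2>/dev/null)" ]
}

# 2. Injection resistance. `codesign -dv --verbose=2 App.app` prints a line like
#      CodeDirectory v=20500 size=... flags=0x10000(runtime) ...
#    and `codesign -d --entitlements - App.app` prints the entitlements.
#    A binary only refuses to load unsigned or differently signed code if the
#    hardened runtime is on AND it has not opted out with the
#    disable-library-validation entitlement. Returns 0 when both hold.
library_validation_enforced() {
  flags_line=$1
  entitlements=$2
  case "$flags_line" in
    *'('*runtime*')'*) ;;            # hardened runtime flag present
    *) return 1 ;;
  esac
  case "$entitlements" in
    *disable-library-validation*) return 1 ;;   # opted out: injection possible
  esac
  return 0
}

# Constructed fixture: an expanded package that ships a preinstall script, and
# the same hardened-runtime signature with and without the opt-out entitlement.
run_demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/pkg/Scripts"
  printf '#!/bin/sh\n# would unpack and copy the app here\n' > "$tmp/pkg/Scripts/preinstall"
  if pkg_has_preinstall "$tmp/pkg"; then
    echo "package runs a preinstall script: review it before installing"
  fi
  flags='CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded'
  if library_validation_enforced "$flags" ''; then
    echo "hardened runtime, library validation enforced"
  fi
  if ! library_validation_enforced "$flags" '<key>com.apple.security.cs.disable-library-validation</key><true/>'; then
    echo "library validation disabled: injected code would inherit the app's camera and mic grants"
  fi
  rm -rf "$tmp"
}
run_demo
```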
In fairness, these were all revealed by this blog post, giving Zoom almost no time to address them. However, Zoom appears to be a total dumpster fire when it comes to privacy and security. It has also been revealed that, despite its claims, Zoom's calls are not end-to-end encrypted, and that its 'Company Directory' feature pooled thousands of strangers, leaking personal data.