Zoom App Can Let Hackers Spy on Mac Users Via Webcams

Zoom App Can Let Hackers Spy on Mac Users Via Webcams

The Zoom app is designed to seamlessly let businesses hold video conference meetings by clicking on a web link. But the same feature can also be abused by hackers to spy on Mac users via the webcam, a security researcher says.

I’ve been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.

Zoom Application

UPDATE 7/11: Apple has released its own update that removes the hidden web server that remained on a person’s Mac even after Zoom was uninstalled. Users do not have to do anything to get the patch; as TechCrunch reports (Opens in a new window) , the update will install silently.

UPDATE: Zoom has decided to do more to address the concerns raised by Leitschuh. First, the company plans to remove the app’s ability to automatically reinstall itself on a Mac.

"Additionally, we have a planned release this weekend (July 12) that will address another security concern: video on by default," the company said. "With this release: 1. First-time users who select the ‘Always turn off my video’ box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings.

" 2. Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings," the company added.

Zoom made the change after the company’s CEO spoke (Opens in a new window) with Leitschuh over a call. You can find more details about the mitigations in the company’s updated blog post (Opens in a new window) .

Original Story:
Be careful around the video conferencing app Zoom; a feature in the product’s Mac client can theoretically let a stranger spy on you via the web camera.

For Zoom users to invite people to a video-conferencing meeting on the app, they need only share a web link. If clicked on, the link will automatically start up the Zoom app—assuming the user has it installed—and begin recording through the Mac’s web camera.

The same feature can be exploited to spy on Zoom users, according to security researcher Jonathan Leitschuh, who started investigating the app earlier this year.

According to Leitschuh, a hacker could create a meeting and embed a link to it in a website. If a Mac owner then visited that site, the Zoom app would automatically launch and begin recording from the web camera.

"The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business," he said in a blog post (Opens in a new window) on Monday. " This could be embedded in malicious ads, or it could be used as a part of a phishing campaign."

To demonstrate the threat, Leitschuh created proof-of-concepts showing how the attack can work. (Be warned: clicking on the links will jumpstart the Zoom app on a Mac, and pull you into a video meeting populated by strangers.) The attack can also work on Windows-based computers if you’ve allowed your internet browser to automatically run Zoom meetings.

In response, Zoom rolled out a patch designed to prevent a meeting creator from enabling participants’ web cameras by default. However, Leitschuh claims the patched version can still let a hacker activate webcams.

Despite Leitschuh’s warnings, Zoom is downplaying the security concerns. The company notes the application will pop up over a desktop in the foreground when activated.

Students Conspire in Chats to ‘Zoom-Bomb’ Online Classes, Harass Teachers

A group of pranksters has been using Discord to organize ‘Zoom-bombs’ of online classes. The ‘raids’ not only involve disrupting the video conferences with insults, racial epithets, and porn, but also recording the sessions and posting them on YouTube, TikTok and Twitch.

I’ve been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.

Students Conspire in Chats to ‘Zoom-Bomb’ Online Classes, Harass Teachers Image

The video (Opens in a new window) begins with a teacher in front of a web camera, instructing her students on the day’s lessons. Due to the coronavirus pandemic, all the participants are communicating online, using the video conferencing app Zoom.

But they aren’t alone. The meeting has also been infiltrated by pranksters who are set on disrupting the class with curse words and racist taunts.

“Yeah, no one gives a fuck,” one of the hijackers yells at the teacher. “No one gives a fuck about your class… Fuck Spanish.”

The incident is but one example of “zoom-bombing,” or when someone with ill-intent hijacks an online video conferencing session. On Monday, the FBI warned the public about the attacks, which the agency says is emerging as a nationwide threat.

However, the culprits behind the harassment are not as secretive as you might think. One group has actually been bragging about their exploits by recording their Zoom-bombing sessions and posting them (Opens in a new window) on YouTube and TikTok (Opens in a new window) . They’ve also been live streaming their attacks on Twitch.

The same group has also been organizing in public chats on Discord to determine who to strike next. To find their targets, the culprits have been searching social media for public Zoom gatherings while also taking requests from students, who’ve been joining the Discord chats with details on more meetings the group can hit.

“Can anybody troll my science class at 9 15,” wrote one user in the chat on Monday, which was accompanied by several other requests on the same day.

“I have a class in 30 minutes that I’ll send a link for.”

“My friend’s gonna give me the code to her hs pre calc class tomorrow morning.”

“So like who trying to raid my AP Bio Zoom meeting 11:30 tomorrow? West Coast.”

PCMag learned about the activity from a reader, who noticed one of the videos the group posted on YouTube. The 4-minute clip shows the culprits hijacking several Zoom meetings to swear at teachers as their students watch. (The video, and others, have since been taken down following PCMag’s reporting.)

“Yo, what up sixth grade class,” one member says in the same video before playing explicit rap lyrics. In a separate video (Opens in a new window) of the same incident, the culprits say "fuck you bitch" to the teacher and students in the Zoom feed.

The group has also been targeting Zoom meetings outside of education. One clip (Opens in a new window) shows the members infiltrating what appears to be an Alcoholics Anonymous group to share pictures of the Ku Klux Klan https://jiji.ng/.

In all the videos, you can hear the hijackers laughing at other attendees. But even participants in the Zoom-bombing sessions seem to be aware the harassment is going too far.

"I honestly feel so bad for these teachers, they are just trying to do what they love and the disrespect really bring out the hurt in them," wrote one user in the Discord chats.

“The only thing I’m mad at is when y’all be putting porn on fucking kindergarten classes,” wrote another.

Others have also indicated the Zoom-bombing sessions can involve exposing targets to child pornography. “I asked people on 4chan to do a raid with me and they put child porn on the zoom meeting,” wrote one user in the chats. The attacks can also focus on spreading hate. One member in a Discord chat shared a video hijacking labeled as a "democratic fundraiser." In the clip, the culprit yells racial epithets and says "Heil Hitler" three times, and then "white power" before being booted out.

Nevertheless, the group is intent on continuing the harassment. In less than a week, members have been organizing and sharing IDs for numerous Zoom meetings on at least two Discord chat servers. Just today more than 20 Zoom meeting links were shared in 30 minutes. Google Hangouts and Facebook Live meetings have been targeted as well.

The members have also been bragging about the results. The admin of one of the servers, an apparent 16-year-old named “Patchi," recently shared a screenshot taken from a teacher who decided to cancel further Zoom sessions after being harassed by a hijacking. "After today’s Zoom session, it is very disheartening to let you know I will not be resuming those sessions," the teacher wrote in the post.

On Monday night, Patchi called on users to join him in harassing an upcoming YouTube Live session by writing: “NEED A HUGE FAVOR FOR ALL OF YALL WE ARE GONNA RAID A YOUTUBE LIVE AND I NEED AS MANY PEOPLE AS POSSIBLE TO SPAM THE CHAT."

Patchi’s Discord server already has over 2,000 members since starting the harassment last Friday. The other server, operated by a user named "Siris," has almost 1,000 members.

Recommended by Our Editors

We’ve reached out to Zoom, Discord, YouTube, TikTok, and Twitch for comment, and will update this story if they respond.

In the meantime, Zoom users, especially educators, should remain on guard against potential hijackers. Requests for Zoom-bombing are also appearing (Opens in a new window) on Reddit (Opens in a new window) .

To stay safe, users should avoid sharing public Zoom meetings on social media. To prevent hijackers from crashing a meeting, you can use the "waiting room (Opens in a new window) " feature to ensure only invited guests enter a video session before it begins. The hosts of a Zoom meeting can also change the settings (Opens in a new window) to prevent guests from sharing their computer screens during a video session. Check out our guide for more tips.

PCMag has also reached out to the FBI, which has been encouraging (Opens in a new window) Zoom-bombing victims to notify the agency. We’ll update the story if we hear back.

Update: The user Patchi briefly paused the activities on his Discord server in response to PCMag’s reporting.

"We do not condone harassment to any users of Zoom," an admin on the server said (Opens in a new window) . "The Discord server is to just troll in a fun matter but nothing to extreme to the point where people get hurt or upset."

However, the group has since resumed more efforts to hijack Zoom sessions. This has included Patchi posting a new video (Opens in a new window) on YouTube showing off their latest exploits.

YouTube has decided to only remove one of the videos the group has posted because it contained racial epithets, which violates the platform’s policy on hate speech. The other videos remain up. YouTube didn’t explain why, but noted it has no policy concerning zoom-bombing.

Twitch, meanwhile, shut down Patchi’s channel on the service for violating its rules on harassment.

Update 2: In a statement, Discord said: "This activity clearly violates Discord’s Terms of Service, and we removed the servers as soon as we were made aware of them."