The chaos and panic that the disclosure of a privacy vulnerability in the highly popular and widely-used Zoom video conferencing software created earlier this week is not over yet.
As suspected, it turns out that the core issue—a web server that the software installs locally—was not just allowing any website to turn on your device's webcam, but could also allow hackers to take complete control over your Apple Mac computer remotely.
Reportedly, the cloud-based Zoom meeting platform for macOS has also been found vulnerable to another severe flaw (CVE-2019-13567) that could allow remote attackers to execute arbitrary code on a targeted system just by convincing users to visit an innocent-looking web page.
As explained in our previous report by Swati Khandelwal, the Zoom conferencing app contained a critical vulnerability (CVE-2019-13450) that resides in the way its click-to-join feature is implemented, which automatically turns on users’ webcam when they visit an invite link.
Both vulnerabilities stem from a controversial local web server—which listens on port 19421—that the Zoom client installs on users' computers to offer the click-to-join feature.