Two zero-day flaws in Zoom could enable threat actors to access the webcam and microphone on macOS systems

A security researcher has uncovered two bugs in the popular video conferencing app Zoom, which could allow hackers to take over a Zoom user's Mac and access the microphone and webcam on the device.

The details of the two zero-days were recently published in an online post by Patrick Wardle, a former NSA hacker who is now working as a principal security researcher at Jamf.

To exploit the two vulnerabilities, a threat actor would need to have physical access to the target macOS system, Wardle explains. However, hackers can also launch a remote post-malware infection attack utilising their pre-existing presence on the targeted system.

According to Wardle, the first security vulnerability arises from an issue with the Zoom installer and could enable an unprivileged attacker to gain root privileges on the device.

The Zoom installer currently uses the AuthorizationExecuteWithPrivileges API function to install the Zoom macOS app without any user interaction. Wardle discovered that a local attacker with low-level user privileges can inject malicious code into the Zoom installer to gain root privileges on the system.

Using those privileges, the attacker can easily access the underlying operating system (macOS) and run spyware or malware without the user ever knowing about it.
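A defender-side check for the API named above, added here as an example and not taken from Wardle's post or from Zoom: it walks an app bundle or unpacked installer and lists the Mach-O files that reference `AuthorizationExecuteWithPrivileges`, which Apple deprecated in OS X 10.7. The sample tree, its file names and the stub binaries are constructed for the demonstration.

```python
import os

# First four bytes of a Mach-O file as stored on disk (thin 32/64-bit in
# either byte order, plus fat/universal). Java class files share cafebabe.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca")}
# Matches the linked import (_Authorization...) and dlsym()-style lookups.
SYMBOL = b"AuthorizationExecuteWithPrivileges"

def is_macho(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def references_symbol(path, chunk_size=1 << 20):
    """Stream the file; keep a tail so a match split across chunks is found."""
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            if SYMBOL in window:
                return True
            tail = window[-(len(SYMBOL) - 1):]
    return False

def audit(root):
    """Return sorted relative paths of Mach-O files that reference the API."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and is_macho(path) and references_symbol(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed test data: fake Mach-O stubs, not real binaries."""
    samples = {
        "Sample.app/Contents/MacOS/helper": bytes.fromhex("cffaedfe") + b"\0" * 64
            + b"_AuthorizationExecuteWithPrivileges\0",
        "Sample.app/Contents/MacOS/clean": bytes.fromhex("cffaedfe") + b"\0" * 64,
        "Sample.app/Contents/Resources/notes.txt": b"AuthorizationExecuteWithPrivileges",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

A hit only shows that a binary references the API; it marks code worth reviewing and is not proof of a flaw.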

The second bug exploits a weakness in the way Zoom handles the microphone and webcam on Macs. Like any other app, Zoom first obtains consent from the user before it can access the webcam and microphone on the device.

However, Wardle discovered that a hacker can inject malicious code into the Zoom app and trick it into giving the attacker the same level of access to the microphone and webcam that Zoom already has.

Zoom said it is currently working on its installer and client to address the issues exposed by Wardle.

The popularity of Zoom has rocketed in recent days due to the coronavirus outbreak, which has forced governments to impose complete lockdowns in their cities. People are being advised to stay indoors and complete all their official work from their homes.

But the rising popularity of Zoom has also resulted in increased attention on the company's security practices.

Earlier this week, a Zoom user filed a class-action lawsuit against the company in the federal court in San Jose, California, accusing the company of disclosing users' data to Facebook without receiving prior consent from users. The lawsuit came following a recent report from Motherboard, which said that the Zoom iOS app was sending analytics data to Facebook.

Zoom confirmed the findings of Motherboard's analysis and also pushed an update to its software. The company said it has now removed the code that sent users' data to Facebook.