A former NSA hacker has discovered two new security vulnerabilities in the Mac version of the popular video conferencing application Zoom, TechCrunch reports.
Patrick Wardle, who is now principal security researcher at Jamf, published a blog post Tuesday detailing his discoveries.
Wardle noted that Zoom is “well on its way to becoming a household verb” since so many people are now working from home while riding out the current health crisis. However, he says users “may want to think twice” about using the macOS version of the app in light of his findings.
The first of the two zero-day vulnerabilities is a local privilege escalation: it lets an attacker who already has a foothold on the Mac abuse Zoom's insecure installer to gain “root” privileges.
“Those root-level user privileges mean the attacker can access the underlying macOS operating system, which are typically off-limits to most users, making it easier to run malware or spyware without the user noticing,” TechCrunch noted.
The second bug enables an attacker to inject malicious code into the running Zoom process. Because the injected code runs inside Zoom, it inherits the camera and microphone access the user has already granted the app, and macOS never asks again.
“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.
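A defensive check a Mac admin can run against this class of bug, added here as an example that is not from the article or from Wardle's post: audit an app bundle's code-signing entitlements for the hardened-runtime exceptions that allow unsigned or third-party libraries to be loaded into the process, and report whether the app also holds camera or microphone entitlements that injected code would inherit. On a Mac the raw entitlements come from `codesign -d --entitlements :- /Applications/Example.app`; the two plists embedded below are constructed samples (they are not Zoom's real entitlements) so that the script runs offline on any platform.

```python
"""Audit a macOS app's entitlements for code-injection exposure.

Added example (not from the article). The sample plists are constructed
and do not reproduce any real application's entitlements.
"""
import plistlib
import subprocess
from typing import Dict, List

# Hardened-runtime exceptions that let code not signed by the app's own
# developer (or Apple) be loaded into the process. Any one of them gives a
# local attacker a way to run arbitrary code inside the app.
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.get-task-allow",
}

# Device-access entitlements; the user's TCC grant for these is tied to the
# app, so injected code inherits it without any new prompt.
DEVICE_ENTITLEMENTS = {
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
    "com.apple.security.device.microphone",
}


def parse_entitlements(raw: bytes) -> Dict[str, object]:
    """Parse an entitlements plist; tolerates the binary blob header that
    older codesign versions emit before the XML. Returns {} if no plist."""
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def audit_entitlements(raw: bytes) -> Dict[str, List[str]]:
    """Return the enabled (value true) entitlements in each risk group, sorted."""
    enabled = {k for k, v in parse_entitlements(raw).items() if v is True}
    return {
        "injection": sorted(enabled & INJECTION_ENTITLEMENTS),
        "device": sorted(enabled & DEVICE_ENTITLEMENTS),
    }


def risk_verdict(raw: bytes) -> str:
    """One-line verdict for an audit result."""
    found = audit_entitlements(raw)
    if found["injection"] and found["device"]:
        return "HIGH: unsigned code can be loaded and would inherit camera/mic access"
    if found["injection"]:
        return "MEDIUM: unsigned code can be loaded into the process"
    return "OK: entitlements do not weaken library validation"


def entitlements_from_bundle(app_path: str) -> bytes:
    """Dump entitlements from a bundle with codesign (macOS only)."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    ).stdout


# Constructed sample: an app that disables library validation and may use the
# camera and microphone. Not any real application's entitlements.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>
"""

# Constructed sample: same device access, but library validation left on.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # audit a real bundle on macOS
        raw = entitlements_from_bundle(sys.argv[1])
    else:                                      # offline demo on the weak sample
        raw = WEAK_PLIST
    print(audit_entitlements(raw))
    print(risk_verdict(raw))
```

Run it with a bundle path on a Mac (`python3 audit.py /Applications/Example.app`) or with no arguments for the offline demo. One caveat: library validation is a hardened-runtime feature, so an app that was never signed with the `runtime` flag has no library validation regardless of its entitlements; check `codesign -dvv App.app` for `flags=...(runtime)` before trusting an "OK" verdict.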
To exploit either bug, an attacker needs local access to a Mac already running Zoom's client: physical control of the machine, or code already executing on it as an unprivileged user. With people being encouraged to practice social distancing to mitigate the spread of the coronavirus, the physical-access scenario is less likely, which is why the vulnerabilities may not pose a significant threat for most users; malware that has already landed on the machine, however, is exactly the attacker a local privilege escalation and an in-process injection serve.
“However if you value either your (cyber) security or privacy, you … should avoid using the macOS version of the app, as neither of these essential values seem to be part of their ethos,” Wardle said.
Security under scrutiny
The discovery of the two new flaws comes on the heels of another vulnerability found in Zoom. Security researchers recently found a bug in the Windows client that turns UNC paths posted in meeting chat into clickable links, letting an attacker harvest the Windows (NTLM) credential hashes of users who click them.
The platform is currently being investigated by New York Attorney General Letitia James, who has set out to ensure that the company’s data privacy and security practices are sufficient as its use soars.
In a letter to Zoom, James described the platform as “an essential and valuable communications” tool. However, she expressed concern that the company has been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”