Zoom, a popular video and web conferencing tool is getting more attraction for its purpose and also for its security concerns. Regarding the security couple of researcher found a bug on Zoom that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.
A former NSA hacker, Patrick Wardle has also found two zero-days bugs on Zoom which can be launched by a local attacker, have physical access to the vulnerable machine. Once the bug exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.
First Bug: Silently Installing Malicious AppWardle said Zoom install its Mac app on users machine without any users interaction and this function can be exploited by attackers by injection malicious code on Zoom installer further installing a malicious application on users Mac machine (which don't need users permission), which leads to gain high user privilege (root) on the machine.
The root-level privileges give an attacker full control over the Mac operating system.
Second Bug: Full Control over Webcam, and microphone
Zoom app does need to access the webcam, and microphone of users system, which first ask users permission. This second bug exploits the function of the Zoom app that handles the webcam and microphone on Macs machines. Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once the attacker successfully tricked Zoom on loading malicious code, it automatically inherits all the permission of Zoom app. This gives the attacker control over Mac webcam and microphone, without any further prompts.
At the meantime, there isn't any fix for the bug. To be safe simple advice is stop using zoom.