Zoom's video conferencing software is more problematic than a secret Web server on a Mac. Even under Windows, the websites you visit may start filming you without your consent. All you have to do is click on a link. This problem also affects Macs.
While previous report seemed to indicate that zoom issues were specific to macOS, Windows is also vulnerable. If Zoom is set to turn on your default camera during meetings, someone might integrate a Zoom link into a web page and immediately start registering. It would work on Windows or Mac.
Zoom insists it "has no indication that it has happened before" – again. The company sees this as a feature and indicates that you have given permission if your Zoom client is set to automatically activate your webcam when you join a meeting.
Jonathan LeitschuhThe proof of concept website proves it. If the Zoom software is installed and you access the website, the Zoom software will launch and automatically join the meeting and start recording with your webcam. In the case of macOS, you would notice this behavior even if you previously uninstalled Zoom, thanks to a secret Web server that Zoom continues to work after uninstalling. But even under Windows, Zoom will launch if you already have it installed.
At first, Jonathan Leitschuh's post seemed to suggest that this question only existed on MacOS. But he said differently in a tweet:
🚨 Windows and Mac OW users
If you have checked this box on a browser other than Safari, you are also vulnerable. pic.twitter.com/FbG2efEe0R
– Jonathan Leitschuh (@JLLeitschuh) July 9, 2019
We tested this by installing the Zoom software and visiting its technical demo website with the help of Google Chrome.
During the first visit, you will be prompted to open the Zoom application – assuming that Zoom is not installed. If you check the box "Always open these types of links in the associated application", you have problems. It's a box that almost everyone will check to avoid additional clicks in the future.
The next time we visited the website, Zoom's automatically opened, joined us at the meeting and started our webcam. We did not click on the prompts or give approval. Without interaction from you, malicious sites could easily register you if Zoom is installed on your computer.
You see the Zoom window and it is clear that you are being recorded. However, a malicious website could capture a video of you before stopping the videoconference.
This is a huge problem. We recommend that you uninstall Zoom if you do not use it often. If you need to install it, you can also enable the "Disable my video when I attend a meeting" option in the "Video" tab of the Zoom configuration window to prevent this.
On macOS, do not forget to check the web server and uninstall it too.
Unfortunately, Zoom official response the situation seems to suggest that society sees this as a feature and not a problem. Fortunately, he soon understands the gravity of the problem and changes course.