Discovered by security researcher Jonathan Leitschuh, the root cause of the vuln is apparently down to the Zoom app installing a web server on Mac computers in order to accept requests normal browsers would be able to and thus streamline the process of conducting video calls.
But Leitschuh explained that this functionality means that anyone who sends a meeting link to a Zoom user can trigger the app to automatically open on a Mac with the webcam turned on by default. Obviously, this vulnerability is something malicious snoopers and cyber pranksters could exploit.
Leitschuh disclosed the vulnerability to Zoom, but the company's attempts at a quick fix apparently didn't work: the security researcher was able to work around them, and thus the vulnerability remains at large.
Furthermore, if the web server on a Mac is uninstalled, it will simply reinstall itself. And having a web server on a local machine is also pretty dodgy as it opens up that computer to all manner of cyber nasties, notably denial of service attacks if a hacker were to spam the local web server with repeated GET requests.
Zoom told The Verge that having a web server locally on Macs was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator", adding that it will tweak its app to allow users to have the camera on their machines turned off by default when they join a video call.
But this doesn't appear to be a way to fix the vulnerability that can drag Zoom users automatically into video calls.
Leitschuh detailed how Zoom users could patch themselves, but at the time of writing it looks like millions of Zoom users could be vulnerable to the exploit, especially as Zoom doesn't have "sufficient auto-update capabilities", meaning many users could end up being left on outdated versions that are still vulnerable to exploits even if the firm does fully fix the vulnerability.