Weakness in Zoom for macOS allows local attackers to hijack camera and microphone
The Zoom video conferencing client for macOS does not take full advantage of the application hardening features the operating system offers, which could allow local malware to elevate its privileges or access the camera and microphone without the user’s knowledge. The issues, which stem from insecure use of system APIs, were revealed Wednesday by security researcher Patrick Wardle on his blog. Wardle has a long history of macOS security research, which includes finding vulnerabilities, analyzing malware and writing security tools for Apple’s platform.
Exploiting the two flaws requires attackers to already have local code execution access on the machine, but this does not mean they’re not serious issues, since local code execution with limited user privileges can be achieved in a variety of ways. Furthermore, Wardle believes the problems could have been easily avoided by Zoom because the attack techniques have been documented by himself and other researchers in the past in blog posts and at security conferences.