A security researcher named Jonathan Leitschuh published a blog post yesterday that lays out a newly discovered vulnerability in the Mac desktop client of the videoconferencing tool Zoom, which would allow malicious websites to turn on your Mac's webcam without your even knowing.
Zoom has become increasingly popular, especially among the growing number of teams with remote workers, and is used by over 750,000 businesses. That means that millions of users are at risk from this particular flaw.
The problem lies with the way that Zoom allows you to start or join a meeting simply by clicking a web link. While that makes it easy for users, it requires the creation of a local web server that runs on your machine. This enables the launching of meetings with video and audio without additional authorizations from the user.
According to Leitschuh, this method of launching meetings might be user-friendly, but it certainly isn't security-friendly since it means that attackers could use the flaw to start a meeting and turn on your camera without you authorizing it. He describes in-depth how Zoom could implement this in a more secure method, and says he gave the information to Zoom in March.
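The mechanism described in the two paragraphs above, a web server running on the user's own machine that a browser link can reach, is something an administrator can check for on a workstation. The script below is an added example, not code from this article, from Leitschuh's post or from Zoom, written from the defender's side: it probes loopback ports for anything that answers HTTP, so an unexpected local web server shows up in an inventory. The port range and the small demo server it starts are assumptions constructed for illustration; the article does not give the port Zoom's server listens on.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example (not from the article or from Zoom): inventory HTTP listeners
# on the loopback interface so an unexpected local web server can be spotted.
# The port range used below is an assumption for illustration only.


def parse_http_response(data: bytes):
    """Return (status_code, server_header) from raw HTTP response bytes, or None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        return None
    parts = lines[0].split(b" ", 2)
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        return None
    server = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            server = value.strip().decode("latin-1", "replace")
    return status, server


def probe_http(host: str, port: int, timeout: float = 0.5):
    """Connect to host:port, send a minimal GET, and parse whatever comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            try:
                while len(data) < 65536:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # keep whatever arrived before the peer went quiet
    except OSError:
        # Connection refused, reset, or no connection at all: nothing here.
        return None
    return parse_http_response(data) if data else None


def find_local_http_servers(ports, host: str = "127.0.0.1"):
    """Map port -> (status, server_header) for every port that answers HTTP."""
    found = {}
    for port in ports:
        result = probe_http(host, port)
        if result is not None:
            found[port] = result
    return found


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a client's local web server (assumption, not Zoom's code)."""
    server_version = "DemoLocalServer/0.1"
    sys_version = ""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the constructed demo server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    try:
        # Assumed range for illustration; widen it for a real audit.
        hits = find_local_http_servers(range(port - 2, port + 3))
        for p, (status, srv) in sorted(hits.items()):
            print(f"127.0.0.1:{p} answers HTTP {status} (Server: {srv or 'unknown'})")
    finally:
        server.shutdown()
```

Run on its own, the script starts the demo listener, scans a few ports around it and reports the one that answers; on a real workstation you would drop the demo server, scan the full range, and compare the result against the local servers you expect to be there.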
Zoom has yet to make any changes to address this vulnerability, and I reached out to the company for a comment, though it didn't immediately respond. The company did, however, post on its blog that it would implement changes in future releases:
In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting.
The company also indicated that it doesn't know of any instance of this vulnerability being exploited.
The blog post also went on to say that "All first-time Zoom users, upon joining their first meeting from a given device, are asked whether they would like their video to be turned OFF. For subsequent meetings, users can configure their client video settings to turn OFF video when joining a meeting."
The technology trade-off.
That's helpful, but it doesn't directly address the bigger issue, which leads to two important lessons here for entrepreneurs and businesses.
Technology almost always requires a trade-off between convenience and security. As a business owner, you have to decide every day what tools to use to make your job, and the job of your team, a little easier.
But as you do, there's a risk that the very technology you use to be more productive is also putting your company and your team's personal information at risk.
It turns out that the second lesson is the same as the first. If you're creating technology, or any product, there's a trade-off. There's a temptation, as with Zoom, to make things as easy as possible.
Making things easy comes at a cost.
Look, I'm always in favor of making things easy whenever possible, but it's important to acknowledge that when we do, there's a compromise. Zoom is clearly focused on making something that used to be complicated (videoconferencing) and making it extremely simple for users.
In fact, I've used Zoom with people who have almost no tech-savvy whatsoever, and they have no problem getting started because it's that easy.
But when you create something for people to use, the biggest question you have to ask is where you draw that line. Because there will always be a line and someone will always try to take advantage of the decision you made for less-than-noble purposes.
It's not a question that is easy to answer, and it's one you should ask yourself on a regular basis: "Are we making this simple enough for users, but safe enough to protect them?"
Sometimes the most important person you have to protect your user from is themselves.