Tech by VICE

How To Remove Zoom From Your Mac

Here’s how to disable the security and privacy issues that lets an attacker hijack your Mac webcam through Zoom.

by Lorenzo Franceschi-Bicchierai
Jul 9 2019, 5:08pm

Image: VICE Media

If you have an office job, chances are you get invited to a lot of meetings. In 2019, that means jostling to book a meeting room days in advance, or trying to figure out where the hell you put that link to the video conference.

The popular video conference app maker Zoom had a clever solution for that scenario, which made video conferencing a bit faster: it installed a server on your Mac that remained there even if you uninstalled the Zoom app, turning on your camera as soon as you joined a meeting. In practice, there were two Zoom apps, the video conferencing one, and the app that install the server.

That, according to a security researcher, is a bug. And judging by how many people appeared surprised to find out about this solution on social media, the researcher isn’t alone thinking this is not cool. Jonathan Leitschuh, a security engineer at open source coding platform Gradle, revealed the vulnerability on Monday, publishing not only details of how it works, but also two proof-of-concept exploits that people can use to test the bug on their machines.

Read more: Zoom Vulnerability Lets Hackers Hijack Your Webcam

You can do the test yourself by clicking on this link created by Leitschuh: https://jlleitschuh.org/zoom_vulnerability_poc/

"All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running," Leitschuh says.

Others have created similar sites for testing purposes, such as zoomzeroday.com.

What happens if you visit the zoomzeroday.com website that exploits the Zoom bug and you don’t have the Zoom Mac apps installed.

If you don’t have the Zoom app installed, when you visit those links your Mac downloads the Zoom app .pkg file. That means you’re not vulnerable to these exploits. (Good pre-emptive OPSEC on your part.)

However, if you click on those links and the Zoom app launches and you auto-join a meeting and your camera turns on automatically, then hackers could—in theory—spy on you that way.

You can blame your boss for making you install Zoom but that may not be the best approach. And if you simply drag the Zoom app from your Applications folder to the Trash, and then click on Empty Trash, that likely won’t do it either. At least that didn’t work on my Mac computer.

Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

Luckily, there are a few simple ways for you to mitigate this bug without waiting for Zoom to do it for you.

The easiest is to open your Zoom app and disable this feature. Open the Zoom app, open the Settings (by either clicking on the icon in the app or by clicking Preferences in the dropdown menu on the top left corner of your screen), click on Video, then under “Meetings” click on “Turn off my video when joining a meeting.”

That should do the trick, but if you prefer to use the Terminal, and you’re comfortable using commands, just follow the instructions Leitschuh wrote in his blog post. (Note, you may have to do this for every user on the machine unless you have administrative privileges on the computer you’re using.)

For me, it worked following Leitschuch’s step by step.

First, open Terminal, paste this command and press enter:

defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

To disable it for all users, do the same but with this command:

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

Then run this command:

lsof -i :19421

Look at the processes that are open. For example, on my machine it was the following, with a process clearly related to Zoom.

Then run:

kill -9 [process number]

And replace the brackets with the process number, for example: 3025. That means your next command is:

kill -9 3025

Verify this all worked by running this command again:

lsof -i :19421

If your Terminal doesn’t display the Zoom-related process, you’re good. Finally, to remove all the files for the Zoom web server application, run this:

rm -rf ~/.zoomus

And voila. Now you can remove the main app too if you want.

To make sure the Zoom webserver app doesn't get installed again after you reboot. Run this command:

pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;

If you want to be alerted when an app like Zoom turns on your camera and you want to be extra paranoid, we recommend trying out Patrick Wardle’s Oversight, a free app that warns you when the camera on your Mac is turned on.

Subscribe to our new cybersecurity podcast, CYBER.