A vulnerability in Zoom video chat software for Mac computers lets users switch on the webcams of others, even after they’ve uninstalled the app.
On Monday, software engineer Jonathan Leitschuh revealed the exploit that would allow hackers to add unsuspecting victims to video calls. Deleting the app doesn’t solve the problem, he said.
Zoom is among the most popular online video conferencing services for businesses. The company recently held an initial public offering and currently has a market value of nearly $25 billion, exceeding established tech companies like HPE.
According to Leitschuh, Zoom’s software can be reinstall even after the app is initially deleted. In an update Tuesday, he noted that RingCentral, an enterprise video chat app, is also affected.
Richard Farley, chief information security officer at Zoom, responded to Leitschuh’s findings by acknowledging that his company’s app can be unknowingly reinstalled after users delete it. He described it as a convenience that is intended as a workaround to Apple’s Safari web browser, which requires an extra step to gain user consent to open the Zoom app. It lets users “avoid this extra click before joining every meeting,” Farley said.
Farley defended the app’s design, saying users have the ability to turn their camera off, even though Leitschuh found that a third-party can override those settings and turn on another users’ camera. There’s no indication that anyone has ever done so.
Here’s how to protect yourself against the Zoom vulnerability
In response to the discovery of the vulnerability, Zoom plans to issue some changes in its next software update. The company will ask for a users’ camera preference for their first Zoom call and then use those preferences for every call thereafter. “Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting,” the company noted.
In the meantime, Leitschuh offers a few solutions the users can implement to fix the Zoom vulnerability. Mac users can open up their Zoom client, click on the settings section, and then click on “Turn off my video when joining a meeting” under the Meeting section.
In his post about the Zoom vulnerability, Leitschuh lists the steps to actually uninstall Zoom’s web server and keep the app from reinstalling itself. Or easier, you can cover your webcam when not using it.
More must-read stories from Fortune:
—What Jony Ive’s departure means for Apple’s stock
—4 reasons to be skeptical about Facebook’s Libra cryptocurrency
—Bank of America CEO: “We want a cashless society”
—Will Facebook’s Libra become the go-to payment system where banks fall short?
—Listen to our new audio briefing, Fortune 500 Daily
Follow Fortune on Flipboard to stay up-to-date on the latest news and analysis.
