I have gotten into the habit of putting a post-it over my Mac camera. Some folks laugh at this, but this is exactly the reason why.
That said, the headline link is a Medium post with all the details. Most damning, though:
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
If you’ve ever installed Zoom on your Mac and want to check for this local server, go to Terminal (it’s in Applications/Utilities) and type:
lsof -i :19421
If you enter the command and nothing comes back, you’re good. If you do get a result, you’ve got that web server running. If you don’t intentionally want that server running, here’s a tweet with instructions on killing it.
One final note on this. Here’s Zoom’s official response to all of this, posted on their blog as Response to Video-On Concern.
If you are a Zoom user, worth reading the linked Medium post and Zoom’s response. Then stick some post-its on your Mac camera. Just to be safe.