A zero-day vulnerability allows a malicious website to hijack a user s webcam without their permission. After media scrutiny, Zoom has rushed out an emergency patch to address the flaw. The company initially deployed only a partial fix and was slow to respond to researcher Jonathan Leitschuh during the disclosure process. The issue exists because the default setting for creating a new meeting is the Participants: On option. This automatically joins an invited person to the meeting, with webcam enabled, without the person having to give permission.
Source: https://threatpost.com/zoom-emergency-patch-webcam-hijack/146381/