A security researcher has uncovered a critical flaw in Zoom video-conferencing software for macOS that puts up to 4 million users at risk. The zero-day flaw, tracked as CVE-2019–13450, can enable threat actors to hijack the webcam of users running the vulnerable software.

In order to exploit the vulnerability, an attacker merely needs to get victims to visit a website containing a malicious iFrame in which a Zoom meeting link has been embedded. Upon visiting the website, users will be launched into a Zoom web conference and their web cam will be turned on.

Read more: Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking