A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.

isight
The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Tags: security, Zoom

Top Rated Comments

Unggoy Murderer Avatar
Unggoy Murderer
22 months ago

"legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
Score: 14 Votes (Like | Disagree)
Return Zero Avatar
Return Zero
22 months ago
When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
Score: 11 Votes (Like | Disagree)
MallardDuck Avatar
MallardDuck
22 months ago
Let see:

Install hidden, insecure background server process
Fail to remove it on uninstall
Fail to disclose that you did so
Fail to patch it when notified
Defend your actions to work around security features to 'save users' one single click
Destroy your brand and confidence in your solution shortly after going public

Priceless.
Score: 8 Votes (Like | Disagree)
windywalks Avatar
windywalks
22 months ago
OK, so Zoom is going on my "never use again" pile.
Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
Score: 7 Votes (Like | Disagree)
orbital~debris Avatar
orbital~debris
22 months ago
enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."
More like enabling hackers to have “seamless, open-to-anyone webcam access” is their “key product differentiator”!
Score: 3 Votes (Like | Disagree)
rmt55 Avatar
rmt55
22 months ago
I'm sorry... "simply uninstalling the app won't help" ??? In that case, how does one uninstall the localhost web server background process?
Score: 3 Votes (Like | Disagree)
Read All Comments

Top Stories

microsoft edge ios android

Bill Gates Says His Preference for Android Over iPhone is Due to Pre-Installed Software

Friday February 26, 2021 3:35 am PST by
Microsoft co-founder Bill Gates this week participated in his first meeting on Clubhouse, the increasingly popular invite-only conversation app, where he fielded a range of questions as part of an ongoing book tour. Gates was interviewed by journalist Andrew Ross Sorkin, and given that the Clubhouse app is currently only available on iOS, naturally one of the questions that came up was...
Read Full Article274 comments
First Look Big Sur Feature2

Apple Releases macOS Big Sur 11.2.2 to Prevent MacBooks From Being Damaged by Third-Party Non-Compliant Docks

Thursday February 25, 2021 10:07 am PST by
Apple today released macOS Big Sur 11.2.2, the fourth update to the macOS Big Sur operating system that launched in November. macOS Big Sur 11.2.2 comes two weeks after the release of macOS Big Sur 11.2.1, a bug fix update. The new ‌‌‌‌macOS Big Sur‌‌‌ 11.2.2‌ update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences....
Read Full Article240 comments
flat mbp 14 inch feature yellow

Redesigned 14-Inch MacBook Pro Expected to Feature Brighter Mini-LED Display With Slimmer Bezels and More

Thursday February 25, 2021 7:48 am PST by
Apple plans to unveil new 14-inch and 16-inch MacBook Pro models with Mini-LED-backlit displays in the second half of this year, according to industry sources cited by Taiwanese supply chain publication DigiTimes. The report claims that Radiant Opto-Electronics will be the exclusive supplier of the Mini-LED backlight units, while Quanta Computer is said to be tasked with final assembly of the...
Read Full Article202 comments
jon prosser imac 2021colors

Prosser: 2021 iMac to Come in Five Colors, Apple Silicon Mac Pro to Resemble 'Stacked' Mac Minis

Wednesday February 24, 2021 7:26 am PST by
Hit-and-miss leaker Jon Prosser has today alleged that the upcoming 2021 iMac models will offer five color options, mirroring the colors of the fourth-generation iPad Air, and revealed a number of additional details about the Mac Pro with Apple Silicon. In a new video on YouTube channel FrontPageTech, Prosser explained that the redesigned iMacs will come featuring options for Silver, Space ...
Read Full Article296 comments
steam apple logo

Valve Ordered to Give Apple Information on 436 Steam Games As Part of Epic Games Legal Case

Thursday February 25, 2021 1:50 am PST by
Valve, the makers behind popular game distribution platform Steam, will be forced to hand over aggregate historical sales, price, and other information on 436 games hosted on the store to Apple, as part of the Apple vs. Epic Games antitrust case. As reported in a paywalled report by Law360, during a virtual discovery hearing on Wednesday, U.S. Magistrate Judge Thomas S. Hixson ordered that...
Read Full Article126 comments
apple store macarthur center

Apple Store at MacArthur Center in Virginia Permanently Closing Following Years of Safety Issues at Shopping Mall

Thursday February 25, 2021 4:45 pm PST by
Apple today indicated that its retail store at the MacArthur Center shopping mall in Norfolk, Virginia will be permanently closing after over 14 years of business, although an exact closure date has yet to be announced by the company. Apple has assured that it will be offering all employees at the store other positions within Apple, and said that it looks forward to continuing to serve...
Read Full Article64 comments
m1 mac mini

M1 Mac Users Report Excessive SSD Wear

Tuesday February 23, 2021 7:07 am PST by
Over the past week, some M1 Mac users have been reporting alarming SSD health readings, suggesting that these devices are writing extraordinary amounts of data to their drives (via iMore). Across Twitter and the MacRumors forums, users are reporting that M1 Macs are experiencing extremely high drive writes over a short space of time. In what appear to be the most severe cases, M1 Macs are sai...
Read Full Article682 comments
apple refurbished m1 mac mini

Apple Begins Selling Refurbished M1 Mac Mini

Thursday February 25, 2021 6:42 pm PST by
Apple today began selling certified refurbished Mac mini models with the M1 chip for the first time in the United States and Canada, with prices discounted by approximately 15 percent compared to brand new models as usual. For example, a refurbished Mac mini with the M1 chip, 256GB of SSD storage, and 16GB of unified memory is available for $759, compared to $899 brand new. Other custom...
Read Full Article96 comments
qualcomm snapdragon x60 5g

iPhone 13 Lineup Expected to Use Qualcomm's Snapdragon X60 Modem With Several 5G Improvements

Wednesday February 24, 2021 8:10 am PST by
Apple's next-generation iPhone 13 lineup will use Qualcomm's Snapdragon X60 5G modem, with Samsung to handle manufacturing of the chip, according to DigiTimes. Built on a 5nm process, the X60 packs higher power efficiency into a smaller footprint compared to the 7nm-based Snapdragon X55 modem used in iPhone 12 models, which could contribute to longer battery life. With the X60 modem, iPhone...
Read Full Article80 comments
2021 mbp sd slot feature2

Kuo: New MacBook Pro Models With HDMI Port and SD Card Reader to Launch Later This Year

Monday February 22, 2021 8:52 pm PST by
Apple plans to release two new MacBook Pro models equipped with an HDMI port and SD card reader in the second half of 2021, according to analyst Ming-Chi Kuo, who outlined his expectations in a research note obtained by MacRumors. The return of an SD card reader was first reported by Bloomberg's Mark Gurman last month. "We predict that Apple's two new MacBook Pro models in 2H21 will have...
Read Full Article530 comments