A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.

The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DoS (denial of service) a Mac by repeatedly joining the user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can mitigate it themselves by disabling the setting that allows Zoom to turn on the Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.
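As an added check (not from this article or from Leitschuh's post), a Mac user who has run the uninstall commands can confirm that no Zoom-named process is still listening on a loopback port. The function below reads `lsof`-style output on stdin; the sample lines in the test are constructed, and the process name and port in them are made up, not the real server's values.

```shell
#!/bin/sh
# Added example: report leftover loopback listeners owned by a process whose
# name contains "zoom" (case-insensitive). The lsof flags used in live_check
# are real; everything else (function names, sample data) is this example's own.

# Reads lsof output (header line first) on stdin and prints
# "process pid port" for each matching LISTEN socket bound to a loopback
# address. Exit status 0 if at least one was found, 1 otherwise.
find_zoom_loopback_listeners() {
    awk '
        NR > 1 && $(NF-1) ~ /^(127\.|\[::1\]|localhost)/ && $NF == "(LISTEN)" {
            name = tolower($1)
            if (index(name, "zoom") > 0) {
                # NAME field looks like 127.0.0.1:PORT or [::1]:PORT; take the
                # last colon-separated piece as the port.
                n = split($(NF-1), parts, ":")
                print $1, $2, parts[n]
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Live check on the machine being audited (needs lsof, present on macOS):
# -n/-P keep addresses and ports numeric, -iTCP -sTCP:LISTEN limits the
# output to TCP sockets in LISTEN state.
live_check() {
    lsof -nP -iTCP -sTCP:LISTEN | find_zoom_loopback_listeners
}
```

A clean result is an empty output and exit status 1 from `live_check`; any printed line names a process that the uninstall did not remove.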

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

Update 2: Zoom is no longer taking a defensive stance and has now released a patch.

Tags: Security, Zoom

Top Rated Comments

Unggoy Murderer
42 months ago

"legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

So they basically circumvented browser security mechanisms to solve a user experience "issue". That is absolutely not a legitimate excuse.
Score: 14 Votes
Return Zero
42 months ago

When your key product differentiator is both internally and externally acknowledged as a workaround with major security risks, you have completely failed as a software company.
Score: 11 Votes
MallardDuck
42 months ago

Let's see:

- Install hidden, insecure background server process
- Fail to remove it on uninstall
- Fail to disclose that you did so
- Fail to patch it when notified
- Defend your actions to work around security features to 'save users' one single click
- Destroy your brand and confidence in your solution shortly after going public

Priceless.
Score: 8 Votes
windywalks
42 months ago

OK, so Zoom is going on my "never use again" pile.
Their excuse is just pathetic and the fact that they had 3 months to fix it and chose not to is just unacceptable.
Score: 7 Votes
orbital~debris
42 months ago

"enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

More like enabling hackers to have "seamless, open-to-anyone webcam access" is their "key product differentiator"!
Score: 3 Votes
rmt55
42 months ago

I'm sorry... "simply uninstalling the app won't help"??? In that case, how does one uninstall the localhost web server background process?
Score: 3 Votes